Re: when is RLS policy applied - Mailing list pgsql-general

From Ted Toth
Subject Re: when is RLS policy applied
Date
Msg-id CAFPpqQFQdms2i0Vu9bF3d8THtBzF_WyBMGrNdSO=BO-bQEyV9g@mail.gmail.com
Whole thread Raw
In response to Re: when is RLS policy applied  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: when is RLS policy applied
List pgsql-general

On Fri, Jul 24, 2020 at 3:15 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Ted Toth <txtoth@gmail.com> writes:
> I'm trying to understand when RLS select policy is applied so I created the
> follow to test but I don't understand why the query filter order is
> different for the 2 queries can anyone explain?

The core reason why not is that the ~~ operator isn't considered
leakproof.  Plain text equality is leakproof, so it's safe to evaluate
ahead of the RLS filter --- and we'd rather do so because the plpgsql
function is assumed to be much more expensive than a built-in operator.

(~~ isn't leakproof because it can throw errors that expose information
about the pattern argument.)

                        regards, tom lane

Thanks for the explanation. 

Ted 

pgsql-general by date:

Previous
From: Tom Lane
Date:
Subject: Re: when is RLS policy applied
Next
From: Scott Ribe
Date:
Subject: bad JIT decision