Thread: RLS 9.5rc1 configuration changes?

RLS 9.5rc1 configuration changes?

From
Ted Toth
Date:
I had been using CrunchyDatas 9.4 with backported RLS but I decided
since my ultimate target is 9.5 that I update to it. However now the
function called for the SELECT policy is not being called. \dt shows
the policy but EXPLAIN ANALYZE of a select doesn't show the filter.
When I turn up debug in postgresql.conf in pgstartup.log I see the
library loaded and the _PG_init function called and in the daily log I
see the client auth function called each time I run psql. The only
changes I made for 9.5 were to no longer set row_security to 'force'
in postgresql.conf and to add:
ALTER TABLE <table name> FORCE ROW LEVEL SECURITY;
in addition to the:
ALTER TABLE <table name> ENABLE ROW LEVEL SECURITY;
which I was already doing as I want RLS to be used even for the owner
of the table.
Are there any other additional configuration changes needed to get RLS
to work again?

Ted


Re: RLS 9.5rc1 configuration changes?

From
Tom Lane
Date:
Ted Toth <txtoth@gmail.com> writes:
> I had been using CrunchyDatas 9.4 with backported RLS but I decided
> since my ultimate target is 9.5 that I update to it. However now the
> function called for the SELECT policy is not being called. \dt shows
> the policy but EXPLAIN ANALYZE of a select doesn't show the filter.

I'm not sure how Crunchy's 9.4 version behaves, but I'd expect the
policy USING condition to be visible in EXPLAIN in 9.5.

Are you perhaps testing this as a superuser?  Superusers bypass RLS
even with FORCE ROW LEVEL SECURITY.

> ... The only
> changes I made for 9.5 were to no longer set row_security to 'force'
> in postgresql.conf

What did you set it to instead?

            regards, tom lane


Re: RLS 9.5rc1 configuration changes?

From
Ted Toth
Date:
On Mon, Jan 4, 2016 at 4:54 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Ted Toth <txtoth@gmail.com> writes:
>> I had been using CrunchyDatas 9.4 with backported RLS but I decided
>> since my ultimate target is 9.5 that I update to it. However now the
>> function called for the SELECT policy is not being called. \dt shows
>> the policy but EXPLAIN ANALYZE of a select doesn't show the filter.
>
> I'm not sure how Crunchy's 9.4 version behaves, but I'd expect the
> policy USING condition to be visible in EXPLAIN in 9.5.
>
> Are you perhaps testing this as a superuser?  Superusers bypass RLS
> even with FORCE ROW LEVEL SECURITY.

Yes I was a Superuser but without 'Bypass RLS'. So there's no way to
enforce RLS for all users/roles?

>
>> ... The only
>> changes I made for 9.5 were to no longer set row_security to 'force'
>> in postgresql.conf
>
> What did you set it to instead?

row_security=on. Maybe 'force' did what I wanted in Crunchy's 9.4 version :(

>
>                         regards, tom lane


Re: RLS 9.5rc1 configuration changes?

From
Tom Lane
Date:
Ted Toth <txtoth@gmail.com> writes:
> On Mon, Jan 4, 2016 at 4:54 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Are you perhaps testing this as a superuser?  Superusers bypass RLS
>> even with FORCE ROW LEVEL SECURITY.

> Yes I was a Superuser but without 'Bypass RLS'. So there's no way to
> enforce RLS for all users/roles?

There's no such thing as a "superuser without bypassrls", or a superuser
without any other privilege either.  That's the point of having superuser,
is that you can *always* defeat privilege restrictions if you have to.

I do not know if Crunchy's 9.4 mods broke that principle, but if so,
it was a bug IMO.

            regards, tom lane
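
The check discussed in this thread, as an added example that is not part of any poster's message: confirm which roles are exempt from RLS, then test the policy from a non-superuser role rather than from the superuser session. The table, role and policy names (`docs`, `rls_owner`, `rls_reader`, `docs_select`) are hypothetical, and the script assumes PostgreSQL 9.5 or later run from a superuser session in a scratch database.

```sql
-- Constructed demo objects; every name below is hypothetical.
CREATE ROLE rls_owner;
CREATE ROLE rls_reader;

CREATE TABLE docs (id int PRIMARY KEY, owner_name text, body text);
INSERT INTO docs VALUES (1, 'rls_owner', 'a'), (2, 'rls_reader', 'b');
ALTER TABLE docs OWNER TO rls_owner;
GRANT SELECT ON docs TO rls_reader;

-- ENABLE applies policies to non-owners; FORCE extends them to the owner.
ALTER TABLE docs ENABLE ROW LEVEL SECURITY;
ALTER TABLE docs FORCE ROW LEVEL SECURITY;
CREATE POLICY docs_select ON docs FOR SELECT
    USING (owner_name = current_user);

-- 1. Roles that skip RLS no matter what the table says.
--    Superusers always bypass; BYPASSRLS is the explicit attribute.
SELECT rolname, rolsuper, rolbypassrls
FROM pg_roles
WHERE rolsuper OR rolbypassrls;

-- 2. Confirm both table flags and the policy are actually in place.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class WHERE relname = 'docs';
SELECT policyname, cmd, qual FROM pg_policies WHERE tablename = 'docs';
SHOW row_security;

-- 3. Superuser session: the plan carries no policy filter.
EXPLAIN SELECT * FROM docs;

-- 4. Table owner, subject to the policy because of FORCE:
--    the plan should now include the USING condition as a filter.
SET ROLE rls_owner;
EXPLAIN SELECT * FROM docs;
SELECT * FROM docs;
RESET ROLE;

-- 5. Ordinary role with SELECT privilege: only its own rows are visible.
SET ROLE rls_reader;
SELECT * FROM docs;
RESET ROLE;

-- Cleanup.
DROP TABLE docs;
DROP ROLE rls_owner;
DROP ROLE rls_reader;
```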