Thread: 9.5rc1 RLS select policy on insert?
I see the insert policy check running but also the select policy using on insert. I don't understand why the select policy is being run. Could it possibly be related to using a sequence on the table?

Ted

* Ted Toth (txtoth@gmail.com) wrote:
> I see the insert policy check running but also the select policy using
> on insert. I don't understand why the select policy is being run.
> Could it possibly be related to using a sequence on the table?

It's used when SELECT rights are required on the table, such as with an
INSERT .. RETURNING.

Thanks!

Stephen

This happens on simple INSERTs no RETURNING.

On Wed, Jan 6, 2016 at 9:40 PM, Stephen Frost <sfrost@snowman.net> wrote:
> * Ted Toth (txtoth@gmail.com) wrote:
>> I see the insert policy check running but also the select policy using
>> on insert. I don't understand why the select policy is being run.
>> Could it possibly be related to using a sequence on the table?
>
> It's used when SELECT rights are required on the table, such as with an
> INSERT .. RETURNING.
>
> Thanks!
>
> Stephen

Ted Toth <txtoth@gmail.com> writes:
> This happens on simple INSERTs no RETURNING.

You're going to need to show a concrete example.

regards, tom lane

Ted,

Please don't top-post on these lists.

> On Wed, Jan 6, 2016 at 9:40 PM, Stephen Frost <sfrost@snowman.net> wrote:
> > * Ted Toth (txtoth@gmail.com) wrote:
> >> I see the insert policy check running but also the select policy using
> >> on insert. I don't understand why the select policy is being run.
> >> Could it possibly be related to using a sequence on the table?
> >
> > It's used when SELECT rights are required on the table, such as with an
> > INSERT .. RETURNING.

* Ted Toth (txtoth@gmail.com) wrote:
> This happens on simple INSERTs no RETURNING.

You'll have to provide more information on what you're seeing. I've just
stepped through get_row_security_quals() for a simple INSERT to a table
and reviewed what ends up in securityQuals (it's NULL) and
withCheckOptions (it's the single boolean expression corresponding to
the INSERT policy defined on the table). The SELECT policy, which is
also defined on the table, is nowhere to be found in the results of that
call.

I was testing with:

=*> \d t1
      Table "public.t1"
 Column |  Type   | Modifiers
--------+---------+-----------
 c1     | integer |
Policies:
    POLICY "p1" FOR INSERT
      WITH CHECK ((c1 > 5))
    POLICY "p2" FOR SELECT
      USING ((c1 < 5))

=*> insert into t1 values (6);

Thanks!

Stephen

On Thu, Jan 7, 2016 at 8:27 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Ted Toth <txtoth@gmail.com> writes:
>> This happens on simple INSERTs no RETURNING.
>
> You're going to need to show a concrete example.
>
> regards, tom lane

You were right there was an insert with RETURNING :(
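
The behaviour the thread converges on, as an added example that is not part of any message above: a psql script that reuses the t1/p1/p2 definitions from Stephen's test and runs a plain INSERT next to an INSERT .. RETURNING under a non-owner role. The role name rls_demo_user is hypothetical, and the script assumes it is run by a superuser in a scratch database.

```sql
-- Added demo, constructed for illustration. Everything is rolled back at the end.
BEGIN;

CREATE ROLE rls_demo_user;            -- hypothetical non-owner role
CREATE TABLE t1 (c1 integer);
ALTER TABLE t1 ENABLE ROW LEVEL SECURITY;

-- Same policies as in the \d t1 output quoted in the thread.
CREATE POLICY p1 ON t1 FOR INSERT WITH CHECK (c1 > 5);
CREATE POLICY p2 ON t1 FOR SELECT USING (c1 < 5);

GRANT SELECT, INSERT ON t1 TO rls_demo_user;

-- The table owner and superusers bypass RLS by default, so the policies
-- are only exercised after switching to a role that is subject to them.
SET LOCAL ROLE rls_demo_user;

-- Plain INSERT: only SELECT-free access is needed, so only p1's
-- WITH CHECK expression is evaluated against the new row.
INSERT INTO t1 VALUES (6);

-- INSERT .. RETURNING reads the new row, which requires SELECT rights.
-- p2's USING expression is therefore checked against the new row as well.
-- The value 6 satisfies p1 (6 > 5) but not p2 (6 < 5 is false), so this
-- statement is rejected. The savepoint keeps the transaction usable.
SAVEPOINT before_returning;
INSERT INTO t1 VALUES (6) RETURNING c1;
ROLLBACK TO SAVEPOINT before_returning;

-- To find where the RETURNING comes from in an application, statement
-- logging (log_statement = 'mod') shows the SQL the client actually sent;
-- drivers and ORMs often append RETURNING to fetch generated keys.

RESET ROLE;
ROLLBACK;
```

Because p1 and p2 are mutually exclusive here, no row can pass an INSERT .. RETURNING on this table; in a real schema the same mechanism shows up as the SELECT policy appearing in traces of what looks like a plain INSERT.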