[HACKERS] Row Level Security UPDATE Confusion

Поиск
Список
Период
Сортировка
От Rod Taylor
Тема [HACKERS] Row Level Security UPDATE Confusion
Дата
Msg-id CAHz80e7Pd4FgDmR=UUDij+oCSf92BKkosRV=12Ra7xMrwQ11YA@mail.gmail.com
обсуждение исходный текст
Ответы Re: [HACKERS] Row Level Security UPDATE Confusion
Список pgsql-hackers
Дерево обсуждения
I'm a little confused on why a SELECT policy fires against the NEW record for an UPDATE when using multiple FOR policies. The ALL policy doesn't seem to have that restriction.


DROP TABLE IF EXISTS t;

CREATE USER simple;
CREATE USER split;
CREATE TABLE t(value int);
grant select, update on table t to simple, split;

INSERT INTO t values (1), (2);


ALTER TABLE t ENABLE ROW LEVEL SECURITY;
CREATE POLICY simple_all ON t TO simple USING (value > 0) WITH CHECK (true);

CREATE POLICY split_select ON t FOR SELECT TO split USING (value > 0);
CREATE POLICY split_update ON t FOR UPDATE TO split USING (true) WITH CHECK (true);


SET session authorization simple;
SELECT * FROM t;
UPDATE t SET value = value * -1 WHERE value = 1;

SET session authorization split;
SELECT * FROM t;
UPDATE t SET value = value * -1 WHERE value = 2;
/* UPDATE fails with below error:
psql:/tmp/t.sql:24: ERROR:  42501: new row violates row-level security policy for table "t"
LOCATION:  ExecWithCheckOptions, execMain.c:2045
*/

SET session authorization default;
SELECT * FROM t;

This seems consistent in both Pg 9.5 and upcoming Pg 10.


--
Rod Taylor

В списке pgsql-hackers по дате отправления: