NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit537bd17

committed

Remove the row_security=force GUC value.

Every query of a single ENABLE ROW SECURITY table has two meanings, withthe row_security GUC selecting between them. With row_security=forceavailable, every function author would have been advised to either setthe GUC locally or test both meanings. Non-compliance would havethreatened reliability and, for SECURITY DEFINER functions, security.Authors already face an obligation to account for search_path, and weshould not mimic that example. With this change, only BYPASSRLS rolesneed exercise the aforementioned care. Back-patch to 9.5, where therow_security GUC was introduced.Since this narrows the domain of pg_db_role_setting.setconfig andpg_proc.proconfig, one might bump catversion. A row_security=forcesetting in one of those columns will elicit a clear message, so don't.

1 parent8346218 commit537bd17Copy full SHA for 537bd17

File tree

8 files changed

+34

-241

lines changed

doc/src/sgml
- config.sgml
- ddl.sgml
src
- backend/utils/misc
  - guc.c
  - rls.c
- include/utils
  - plancache.h
  - rls.h
- test/regress
  - expected
    - rowsecurity.out
  - sql
    - rowsecurity.sql

8 files changed

+34

-241

lines changed

`‎doc/src/sgml/config.sgml`

Lines changed: 2 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -5549,10 +5549,8 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv;`
`5549`	`5549`	`to queries which are run against tables that have row security enabled.`
`5550`	`5550`	`The default is <literal>on</>. When set to <literal>on</>, all users,`
`5551`	`5551`	`except superusers and the owner of the table, will have the row`
`5552`		`- policies for the table applied to their queries. The table owner and`
`5553`		`- superuser can request that row policies be applied to their queries by`
`5554`		`- setting this to <literal>force</>. Lastly, this can also be set to`
`5555`		`- <literal>off</> which will bypass row policies for the table, if`
	`5552`	`+ policies for the table applied to their queries. When set to`
	`5553`	`+ <literal>off</>, queries will bypass row policies for the table, if`
`5556`	`5554`	`possible, and error if not.`
`5557`	`5555`	`</para>`
`5558`	`5556`
`@@ -5565,13 +5563,6 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv;`
`5565`	`5563`	`returned.`
`5566`	`5564`	`</para>`
`5567`	`5565`
`5568`		`- <para>`
`5569`		`- The allowed values of <varname>row_security</> are`
`5570`		`- <literal>on</> (apply normally - not to superuser or table owner),`
`5571`		`- <literal>off</> (fail if row security would be applied), and`
`5572`		`- <literal>force</> (apply always - even to superuser and table owner).`
`5573`		`- </para>`
`5574`		`-`
`5575`	`5566`	`<para>`
`5576`	`5567`	`For more information on row security policies,`
`5577`	`5568`	`see <xref linkend="SQL-CREATEPOLICY">.`

`‎doc/src/sgml/ddl.sgml`

Lines changed: 7 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -1585,16 +1585,13 @@ REVOKE ALL ON accounts FROM PUBLIC;`
`1585`	`1585`
`1586`	`1586`	`<para>`
`1587`	`1587`	`The table owners and superusers bypass the row security system when`
`1588`		`- querying a table, by default. Row security can be enabled for`
`1589`		`- superusers and table owners by setting`
`1590`		`- <xref linkend="guc-row-security"> to <literal>force</literal>. Any`
`1591`		`- user can request that row security be bypassed by setting`
`1592`		`- <xref linkend="guc-row-security"> to <literal>off</literal>. If`
`1593`		`- the user does not have privileges to bypass row security when`
`1594`		`- querying a given table then an error will be returned instead. Other`
`1595`		`- users can be granted the ability to bypass the row security system`
`1596`		`- with the <literal>BYPASSRLS</literal> role attribute. This`
`1597`		`- attribute can only be set by a superuser.`
	`1588`	`+ querying a table. Any user can request that row security be bypassed by`
	`1589`	`+ setting <xref linkend="guc-row-security"> to <literal>off</literal>. If`
	`1590`	`+ the user does not have privileges to bypass row security when querying a`
	`1591`	`+ given table then an error will be returned instead. Other users can be`
	`1592`	`+ granted the ability to bypass the row security system with`
	`1593`	`+ the <literal>BYPASSRLS</literal> role attribute. This attribute can only`
	`1594`	`+ be set by a superuser.`
`1598`	`1595`	`</para>`
`1599`	`1596`
`1600`	`1597`	`<para>`

`‎src/backend/utils/misc/guc.c`

Lines changed: 10 additions & 29 deletions

Original file line number	Diff line number	Diff line change
`@@ -379,23 +379,6 @@ static const struct config_enum_entry huge_pages_options[] = {`
`379`	`379`	`{NULL,0, false}`
`380`	`380`	`};`
`381`	`381`
`382`		`-/*`
`383`		`- * Although only "on", "off", and "force" are documented, we`
`384`		`- * accept all the likely variants of "on" and "off".`
`385`		`- */`
`386`		`-staticconststructconfig_enum_entryrow_security_options[]= {`
`387`		`-{"on",ROW_SECURITY_ON, false},`
`388`		`-{"off",ROW_SECURITY_OFF, false},`
`389`		`-{"force",ROW_SECURITY_FORCE, false},`
`390`		`-{"true",ROW_SECURITY_ON, true},`
`391`		`-{"false",ROW_SECURITY_OFF, true},`
`392`		`-{"yes",ROW_SECURITY_ON, true},`
`393`		`-{"no",ROW_SECURITY_OFF, true},`
`394`		`-{"1",ROW_SECURITY_ON, true},`
`395`		`-{"0",ROW_SECURITY_OFF, true},`
`396`		`-{NULL,0, false}`
`397`		`-};`
`398`		`-`
`399`	`382`	`/*`
`400`	`383`	`* Options for enum values stored in other modules`
`401`	`384`	`*/`
`@@ -421,6 +404,7 @@ boollog_statement_stats = false;/* this is sort of all three`
`421`	`404`	`boollog_btree_build_stats= false;`
`422`	`405`	`char*event_source;`
`423`	`406`
	`407`	`+boolrow_security;`
`424`	`408`	`boolcheck_function_bodies= true;`
`425`	`409`	`booldefault_with_oids= false;`
`426`	`410`	`boolSQL_inheritance= true;`
`@@ -452,8 +436,6 @@ inttcp_keepalives_idle;`
`452`	`436`	`inttcp_keepalives_interval;`
`453`	`437`	`inttcp_keepalives_count;`
`454`	`438`
`455`		`-introw_security;`
`456`		`-`
`457`	`439`	`/*`
`458`	`440`	`* This really belongs in pg_shmem.c, but is defined here so that it doesn't`
`459`	`441`	`* need to be duplicated in all the different implementations of pg_shmem.c.`
`@@ -1373,6 +1355,15 @@ static struct config_bool ConfigureNamesBool[] =`
`1373`	`1355`	`false,`
`1374`	`1356`	`check_transaction_deferrable,NULL,NULL`
`1375`	`1357`	`},`
	`1358`	`+{`
	`1359`	`+{"row_security",PGC_USERSET,CONN_AUTH_SECURITY,`
	`1360`	`+gettext_noop("Enable row security."),`
	`1361`	`+gettext_noop("When enabled, row security will be applied to all users.")`
	`1362`	`+},`
	`1363`	`+&row_security,`
	`1364`	`+true,`
	`1365`	`+NULL,NULL,NULL`
	`1366`	`+},`
`1376`	`1367`	`{`
`1377`	`1368`	`{"check_function_bodies",PGC_USERSET,CLIENT_CONN_STATEMENT,`
`1378`	`1369`	`gettext_noop("Check function bodies during CREATE FUNCTION."),`
`@@ -3630,16 +3621,6 @@ static struct config_enum ConfigureNamesEnum[] =`
`3630`	`3621`	`NULL,NULL,NULL`
`3631`	`3622`	`},`
`3632`	`3623`
`3633`		`-{`
`3634`		`-{"row_security",PGC_USERSET,CONN_AUTH_SECURITY,`
`3635`		`-gettext_noop("Enable row security."),`
`3636`		`-gettext_noop("When enabled, row security will be applied to all users.")`
`3637`		`-},`
`3638`		`-&row_security,`
`3639`		`-ROW_SECURITY_ON,row_security_options,`
`3640`		`-NULL,NULL,NULL`
`3641`		`-},`
`3642`		`-`
`3643`	`3624`	`/* End-of-list marker */`
`3644`	`3625`	`{`
`3645`	`3626`	`{NULL,0,0,NULL,NULL},NULL,0,NULL,NULL,NULL,NULL`

`‎src/backend/utils/misc/rls.c`

Lines changed: 8 additions & 21 deletions

Original file line number	Diff line number	Diff line change
`@@ -87,32 +87,19 @@ check_enable_rls(Oid relid, Oid checkAsUser, bool noError)`
`87`	`87`	`/*`
`88`	`88`	`* Check permissions`
`89`	`89`	`*`
`90`		`- * If the relation has row level security enabled and the row_security GUC`
`91`		`- * is off, then check if the user has rights to bypass RLS for this`
`92`		`- * relation. Table owners can always bypass, as can any role with the`
`93`		`- * BYPASSRLS capability.`
`94`		`- *`
`95`		`- * If the role is the table owner, then we bypass RLS unless row_security`
`96`		`- * is set to 'force'. Note that superuser is always considered an owner.`
`97`		`- *`
`98`		`- * Return RLS_NONE_ENV to indicate that this decision depends on the`
`99`		`- * environment (in this case, what the current values of user_id and`
`100`		`- * row_security are).`
	`90`	`+ * Table owners always bypass RLS. Note that superuser is always`
	`91`	`+ * considered an owner. Return RLS_NONE_ENV to indicate that this`
	`92`	`+ * decision depends on the environment (in this case, the user_id).`
`101`	`93`	`*/`
`102`		`-if (row_security!=ROW_SECURITY_FORCE`
`103`		`-&& (pg_class_ownercheck(relid,user_id)))`
	`94`	`+if (pg_class_ownercheck(relid,user_id))`
`104`	`95`	`returnRLS_NONE_ENV;`
`105`	`96`
`106`	`97`	`/*`
`107`		`- * If the row_security GUC is 'off' then check if the user has permission`
`108`		`- * to bypass it. Note that we have already handled the case where the`
`109`		`- * user is the table owner above.`
`110`		`- *`
`111`		`- * Note that row_security is always considered 'on' when querying through`
`112`		`- * a view or other cases where checkAsUser is true, so skip this if`
`113`		`- * checkAsUser is in use.`
	`98`	`+ * If the row_security GUC is 'off', check if the user has permission to`
	`99`	`+ * bypass RLS. row_security is always considered 'on' when querying`
	`100`	`+ * through a view or other cases where checkAsUser is valid.`
`114`	`101`	`*/`
`115`		`-if (!checkAsUser&&row_security==ROW_SECURITY_OFF)`
	`102`	`+if (!row_security&&!checkAsUser)`
`116`	`103`	`{`
`117`	`104`	`if (has_bypassrls_privilege(user_id))`
`118`	`105`	`/* OK to bypass */`

`‎src/include/utils/plancache.h`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,7 @@ typedef struct CachedPlanSource`
`110`	`110`	`doubletotal_custom_cost;/* total cost of custom plans so far */`
`111`	`111`	`intnum_custom_plans;/* number of plans included in total */`
`112`	`112`	`boolhasRowSecurity;/* planned with row security? */`
`113`		`-introw_security_env;/* row security setting when planned */`
	`113`	`+boolrow_security_env;/* row security setting when planned */`
`114`	`114`	`boolrowSecurityDisabled;/* is row security disabled? */`
`115`	`115`	`}CachedPlanSource;`
`116`	`116`

`‎src/include/utils/rls.h`

Lines changed: 2 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -14,23 +14,15 @@`
`14`	`14`	`#defineRLS_H`
`15`	`15`
`16`	`16`	`/* GUC variable */`
`17`		`-externintrow_security;`
`18`		`-`
`19`		`-/* Possible values for row_security GUC */`
`20`		`-typedefenumRowSecurityConfigType`
`21`		`-{`
`22`		`-ROW_SECURITY_OFF,/* RLS never applied- error thrown if no priv */`
`23`		`-ROW_SECURITY_ON,/* normal case, RLS applied for regular users */`
`24`		`-ROW_SECURITY_FORCE/* RLS applied for superusers and table owners */`
`25`		`-}RowSecurityConfigType;`
	`17`	`+externboolrow_security;`
`26`	`18`
`27`	`19`	`/*`
`28`	`20`	`* Used by callers of check_enable_rls.`
`29`	`21`	`*`
`30`	`22`	`* RLS could be completely disabled on the tables involved in the query,`
`31`	`23`	`* which is the simple case, or it may depend on the current environment`
`32`	`24`	`* (the role which is running the query or the value of the row_security`
`33`		`- * GUC- on, off, or force), or it might be simply enabled as usual.`
	`25`	`+ * GUC), or it might be simply enabled as usual.`
`34`	`26`	`*`
`35`	`27`	`* If RLS isn't on the table involved then RLS_NONE is returned to indicate`
`36`	`28`	`* that we don't need to worry about invalidating the query plan for RLS`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit537bd17

File tree

8 files changed

8 files changed

`‎doc/src/sgml/config.sgml`

`‎doc/src/sgml/ddl.sgml`

`‎src/backend/utils/misc/guc.c`

`‎src/backend/utils/misc/rls.c`

`‎src/include/utils/plancache.h`

`‎src/include/utils/rls.h`

0 commit comments