NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commited8bec9

committed

Handle dependencies properly in ALTER POLICY

ALTER POLICY hadn't fully considered partial policy alternation(eg: change just the roles on the policy, or just change one ofthe expressions) when rebuilding the dependencies. Instead, itwould happily remove all dependencies which existed for thepolicy and then only recreate the dependencies for the objectsreferred to in the specific ALTER POLICY command.Correct that by extracting and building the dependencies for allobjects referenced by the policy, regardless of if they wereprovided as part of the ALTER POLICY command or were already inplace as part of the pre-existing policy.

1 parentacfcd45 commited8bec9Copy full SHA for ed8bec9

File tree

3 files changed

+171

-0

lines changed

src
- backend/commands
  - policy.c
- test/regress
  - expected
    - rowsecurity.out
  - sql
    - rowsecurity.sql

3 files changed

+171

-0

lines changed

`‎src/backend/commands/policy.c`

Lines changed: 97 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -766,20 +766,117 @@ AlterPolicy(AlterPolicyStmt *stmt)`
`766`	`766`	`replaces[Anum_pg_policy_polroles-1]= true;`
`767`	`767`	`values[Anum_pg_policy_polroles-1]=PointerGetDatum(role_ids);`
`768`	`768`	`}`
	`769`	`+else`
	`770`	`+{`
	`771`	`+Oid*roles;`
	`772`	`+Datumroles_datum;`
	`773`	`+boolattr_isnull;`
	`774`	`+ArrayType*policy_roles;`
	`775`	`+`
	`776`	`+/*`
	`777`	`+ * We need to pull the set of roles this policy applies to from`
	`778`	`+ * what's in the catalog, so that we can recreate the dependencies`
	`779`	`+ * correctly for the policy.`
	`780`	`+ */`
	`781`	`+`
	`782`	`+roles_datum=heap_getattr(policy_tuple,Anum_pg_policy_polroles,`
	`783`	`+RelationGetDescr(pg_policy_rel),`
	`784`	`+&attr_isnull);`
	`785`	`+Assert(!attr_isnull);`
	`786`	`+`
	`787`	`+policy_roles=DatumGetArrayTypePCopy(roles_datum);`
	`788`	`+`
	`789`	`+roles= (Oid*)ARR_DATA_PTR(policy_roles);`
	`790`	`+`
	`791`	`+nitems=ARR_DIMS(policy_roles)[0];`
	`792`	`+`
	`793`	`+role_oids= (Datum)palloc(nitemssizeof(Datum));`
	`794`	`+`
	`795`	`+for (i=0;i<nitems;i++)`
	`796`	`+role_oids[i]=ObjectIdGetDatum(roles[i]);`
	`797`	`+}`
`769`	`798`
`770`	`799`	`if (qual!=NULL)`
`771`	`800`	`{`
`772`	`801`	`replaces[Anum_pg_policy_polqual-1]= true;`
`773`	`802`	`values[Anum_pg_policy_polqual-1]`
`774`	`803`	`=CStringGetTextDatum(nodeToString(qual));`
`775`	`804`	`}`
	`805`	`+else`
	`806`	`+{`
	`807`	`+Datumvalue_datum;`
	`808`	`+boolattr_isnull;`
	`809`	`+`
	`810`	`+/*`
	`811`	`+ * We need to pull the USING expression and build the range table for`
	`812`	`+ * the policy from what's in the catalog, so that we can recreate`
	`813`	`+ * the dependencies correctly for the policy.`
	`814`	`+ */`
	`815`	`+`
	`816`	`+/* Check if the policy has a USING expr */`
	`817`	`+value_datum=heap_getattr(policy_tuple,Anum_pg_policy_polqual,`
	`818`	`+RelationGetDescr(pg_policy_rel),`
	`819`	`+&attr_isnull);`
	`820`	`+if (!attr_isnull)`
	`821`	`+{`
	`822`	`+char*qual_value;`
	`823`	`+ParseState*qual_pstate=make_parsestate(NULL);`
	`824`	`+`
	`825`	`+/* parsestate is built just to build the range table */`
	`826`	`+qual_pstate=make_parsestate(NULL);`
	`827`	`+`
	`828`	`+qual_value=TextDatumGetCString(value_datum);`
	`829`	`+qual=stringToNode(qual_value);`
	`830`	`+`
	`831`	`+/* Add this rel to the parsestate's rangetable, for dependencies */`
	`832`	`+addRangeTableEntryForRelation(qual_pstate,target_table,NULL,`
	`833`	`+ false, false);`
	`834`	`+`
	`835`	`+qual_parse_rtable=qual_pstate->p_rtable;`
	`836`	`+free_parsestate(qual_pstate);`
	`837`	`+}`
	`838`	`+}`
`776`	`839`
`777`	`840`	`if (with_check_qual!=NULL)`
`778`	`841`	`{`
`779`	`842`	`replaces[Anum_pg_policy_polwithcheck-1]= true;`
`780`	`843`	`values[Anum_pg_policy_polwithcheck-1]`
`781`	`844`	`=CStringGetTextDatum(nodeToString(with_check_qual));`
`782`	`845`	`}`
	`846`	`+else`
	`847`	`+{`
	`848`	`+Datumvalue_datum;`
	`849`	`+boolattr_isnull;`
	`850`	`+`
	`851`	`+/*`
	`852`	`+ * We need to pull the WITH CHECK expression and build the range table`
	`853`	`+ * for the policy from what's in the catalog, so that we can recreate`
	`854`	`+ * the dependencies correctly for the policy.`
	`855`	`+ */`
	`856`	`+`
	`857`	`+/* Check if the policy has a WITH CHECK expr */`
	`858`	`+value_datum=heap_getattr(policy_tuple,Anum_pg_policy_polwithcheck,`
	`859`	`+RelationGetDescr(pg_policy_rel),`
	`860`	`+&attr_isnull);`
	`861`	`+if (!attr_isnull)`
	`862`	`+{`
	`863`	`+char*with_check_value;`
	`864`	`+ParseState*with_check_pstate=make_parsestate(NULL);`
	`865`	`+`
	`866`	`+/* parsestate is built just to build the range table */`
	`867`	`+with_check_pstate=make_parsestate(NULL);`
	`868`	`+`
	`869`	`+with_check_value=TextDatumGetCString(value_datum);`
	`870`	`+with_check_qual=stringToNode(with_check_value);`
	`871`	`+`
	`872`	`+/* Add this rel to the parsestate's rangetable, for dependencies */`
	`873`	`+addRangeTableEntryForRelation(with_check_pstate,target_table,NULL,`
	`874`	`+ false, false);`
	`875`	`+`
	`876`	`+with_check_parse_rtable=with_check_pstate->p_rtable;`
	`877`	`+free_parsestate(with_check_pstate);`
	`878`	`+}`
	`879`	`+}`
`783`	`880`
`784`	`881`	`new_tuple=heap_modify_tuple(policy_tuple,`
`785`	`882`	`RelationGetDescr(pg_policy_rel),`

`‎src/test/regress/expected/rowsecurity.out`

Lines changed: 43 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -3246,6 +3246,49 @@ SET row_security = on;`
`3246`	`3246`	`UPDATE r1 SET a = 30 RETURNING *;`
`3247`	`3247`	`ERROR: new row violates row-level security policy for table "r1"`
`3248`	`3248`	`DROP TABLE r1;`
	`3249`	`+-- Check dependency handling`
	`3250`	`+RESET SESSION AUTHORIZATION;`
	`3251`	`+CREATE TABLE dep1 (c1 int);`
	`3252`	`+CREATE TABLE dep2 (c1 int);`
	`3253`	`+CREATE POLICY dep_p1 ON dep1 TO rls_regress_user1 USING (c1 > (select max(dep2.c1) from dep2));`
	`3254`	`+ALTER POLICY dep_p1 ON dep1 TO rls_regress_user1,rls_regress_user2;`
	`3255`	`+-- Should return one`
	`3256`	`+SELECT count(*) = 1 FROM pg_depend`
	`3257`	`+ WHERE objid = (SELECT oid FROM pg_policy WHERE polname = 'dep_p1')`
	`3258`	`+ AND refobjid = (SELECT oid FROM pg_class WHERE relname = 'dep2');`
	`3259`	`+ ?column?`
	`3260`	`+----------`
	`3261`	`+ t`
	`3262`	`+(1 row)`
	`3263`	`+`
	`3264`	`+ALTER POLICY dep_p1 ON dep1 USING (true);`
	`3265`	`+-- Should return one`
	`3266`	`+SELECT count(*) = 1 FROM pg_shdepend`
	`3267`	`+ WHERE objid = (SELECT oid FROM pg_policy WHERE polname = 'dep_p1')`
	`3268`	`+ AND refobjid = (SELECT oid FROM pg_authid WHERE rolname = 'rls_regress_user1');`
	`3269`	`+ ?column?`
	`3270`	`+----------`
	`3271`	`+ t`
	`3272`	`+(1 row)`
	`3273`	`+`
	`3274`	`+-- Should return one`
	`3275`	`+SELECT count(*) = 1 FROM pg_shdepend`
	`3276`	`+ WHERE objid = (SELECT oid FROM pg_policy WHERE polname = 'dep_p1')`
	`3277`	`+ AND refobjid = (SELECT oid FROM pg_authid WHERE rolname = 'rls_regress_user2');`
	`3278`	`+ ?column?`
	`3279`	`+----------`
	`3280`	`+ t`
	`3281`	`+(1 row)`
	`3282`	`+`
	`3283`	`+-- Should return zero`
	`3284`	`+SELECT count(*) = 0 FROM pg_depend`
	`3285`	`+ WHERE objid = (SELECT oid FROM pg_policy WHERE polname = 'dep_p1')`
	`3286`	`+ AND refobjid = (SELECT oid FROM pg_class WHERE relname = 'dep2');`
	`3287`	`+ ?column?`
	`3288`	`+----------`
	`3289`	`+ t`
	`3290`	`+(1 row)`
	`3291`	`+`
`3249`	`3292`	`--`
`3250`	`3293`	`-- Clean up objects`
`3251`	`3294`	`--`

`‎src/test/regress/sql/rowsecurity.sql`

Lines changed: 31 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1490,6 +1490,37 @@ UPDATE r1 SET a = 30 RETURNING *;`
`1490`	`1490`
`1491`	`1491`	`DROPTABLE r1;`
`1492`	`1492`
	`1493`	`+-- Check dependency handling`
	`1494`	`+RESET SESSION AUTHORIZATION;`
	`1495`	`+CREATETABLEdep1 (c1int);`
	`1496`	`+CREATETABLEdep2 (c1int);`
	`1497`	`+`
	`1498`	`+CREATE POLICY dep_p1ON dep1 TO rls_regress_user1 USING (c1> (selectmax(dep2.c1)from dep2));`
	`1499`	`+ALTER POLICY dep_p1ON dep1 TO rls_regress_user1,rls_regress_user2;`
	`1500`	`+`
	`1501`	`+-- Should return one`
	`1502`	`+SELECTcount(*)=1FROM pg_depend`
	`1503`	`+WHERE objid= (SELECToidFROM pg_policyWHERE polname='dep_p1')`
	`1504`	`+AND refobjid= (SELECToidFROM pg_classWHERE relname='dep2');`
	`1505`	`+`
	`1506`	`+ALTER POLICY dep_p1ON dep1 USING (true);`
	`1507`	`+`
	`1508`	`+-- Should return one`
	`1509`	`+SELECTcount(*)=1FROM pg_shdepend`
	`1510`	`+WHERE objid= (SELECToidFROM pg_policyWHERE polname='dep_p1')`
	`1511`	`+AND refobjid= (SELECToidFROM pg_authidWHERE rolname='rls_regress_user1');`
	`1512`	`+`
	`1513`	`+-- Should return one`
	`1514`	`+SELECTcount(*)=1FROM pg_shdepend`
	`1515`	`+WHERE objid= (SELECToidFROM pg_policyWHERE polname='dep_p1')`
	`1516`	`+AND refobjid= (SELECToidFROM pg_authidWHERE rolname='rls_regress_user2');`
	`1517`	`+`
	`1518`	`+-- Should return zero`
	`1519`	`+SELECTcount(*)=0FROM pg_depend`
	`1520`	`+WHERE objid= (SELECToidFROM pg_policyWHERE polname='dep_p1')`
	`1521`	`+AND refobjid= (SELECToidFROM pg_classWHERE relname='dep2');`
	`1522`	`+`
	`1523`	`+`
`1493`	`1524`	`--`
`1494`	`1525`	`-- Clean up objects`
`1495`	`1526`	`--`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commited8bec9

File tree

3 files changed

3 files changed

`‎src/backend/commands/policy.c`

`‎src/test/regress/expected/rowsecurity.out`

`‎src/test/regress/sql/rowsecurity.sql`

0 commit comments