NotificationsYou must be signed in to change notification settings
Fork28
Star151

Commitdee0200

committed

RLS: Keep deny policy when only restrictive exist

Only remove the default deny policy when a permissive policy exists(either from the hook or defined by the user). If only restrictivepolicies exist then no rows will be visible, as restrictive policiesshouldn't make rows visible. To address this requirement, a single"USING (true)" permissive policy can be created.Update the test_rls_hooks regression tests to create the necessary"USING (true)" permissive policy.Back-patch to 9.5 where RLS was added.Per discussion with Dean.

1 parentecc2d16 commitdee0200Copy full SHA for dee0200

File tree

4 files changed

+30

-4

lines changed

src
- backend/rewrite
  - rowsecurity.c
- test/modules/test_rls_hooks
  - expected
    - test_rls_hooks.out
  - sql
    - test_rls_hooks.sql
  - test_rls_hooks.c

4 files changed

+30

-4

lines changed

`‎src/backend/rewrite/rowsecurity.c`

Lines changed: 10 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -225,12 +225,18 @@ get_row_security_policies(Query root, CmdType commandType, RangeTblEntry rte,`
`225`	`225`	`}`
`226`	`226`
`227`	`227`	`/*`
`228`		`- * If the only built-in policy is the default-deny one, andhook policies`
`229`		`- * exist, then use the hook policies only and do not apply the`
	`228`	`+ * If the only built-in policy is the default-deny one, andpermissive hook`
	`229`	`+ *policiesexist, then use the hook policies only and do not apply the`
`230`	`230`	`* default-deny policy. Otherwise, we will apply both sets below.`
	`231`	`+ *`
	`232`	`+ * Note that we do not remove the defaultDeny policy if only restrictive`
	`233`	`+ * policies exist as restrictive policies should only ever be reducing what`
	`234`	`+ * is visible. Therefore, at least one permissive policy must exist which`
	`235`	`+ * allows records to be seen before restrictive policies can remove rows`
	`236`	`+ * from that set. A single "true" policy can be created to address this`
	`237`	`+ * requirement, if necessary.`
`231`	`238`	`*/`
`232`		`-if (defaultDeny&&`
`233`		`-(hook_policies_restrictive!=NIL\|\|hook_policies_permissive!=NIL))`
	`239`	`+if (defaultDeny&&hook_policies_permissive!=NIL)`
`234`	`240`	`{`
`235`	`241`	`rowsec_expr=NULL;`
`236`	`242`	`rowsec_with_check_expr=NULL;`

`‎src/test/modules/test_rls_hooks/expected/test_rls_hooks.out`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,11 @@ CREATE TABLE rls_test_restrictive (`
`13`	`13`	`supervisor name,`
`14`	`14`	`data integer`
`15`	`15`	`);`
	`16`	`+-- At least one permissive policy must exist, otherwise`
	`17`	`+-- the default deny policy will be applied. For`
	`18`	`+-- testing the only-restrictive-policies from the hook,`
	`19`	`+-- create a simple 'allow all' policy.`
	`20`	`+CREATE POLICY p1 ON rls_test_restrictive USING (true);`
`16`	`21`	`-- initial test data`
`17`	`22`	`INSERT INTO rls_test_restrictive VALUES ('r1','s1',1);`
`18`	`23`	`INSERT INTO rls_test_restrictive VALUES ('r2','s2',2);`
`@@ -109,6 +114,8 @@ RESET ROLE;`
`109`	`114`	`-- Create "internal" policies, to check that the policies from`
`110`	`115`	`-- the hooks are combined correctly.`
`111`	`116`	`CREATE POLICY p1 ON rls_test_permissive USING (data % 2 = 0);`
	`117`	`+-- Remove the original allow-all policy`
	`118`	`+DROP POLICY p1 ON rls_test_restrictive;`
`112`	`119`	`CREATE POLICY p1 ON rls_test_restrictive USING (data % 2 = 0);`
`113`	`120`	`CREATE POLICY p1 ON rls_test_both USING (data % 2 = 0);`
`114`	`121`	`SET ROLE r1;`

`‎src/test/modules/test_rls_hooks/sql/test_rls_hooks.sql`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,12 @@ CREATE TABLE rls_test_restrictive (`
`17`	`17`	`datainteger`
`18`	`18`	`);`
`19`	`19`
	`20`	`+-- At least one permissive policy must exist, otherwise`
	`21`	`+-- the default deny policy will be applied. For`
	`22`	`+-- testing the only-restrictive-policies from the hook,`
	`23`	`+-- create a simple 'allow all' policy.`
	`24`	`+CREATE POLICY p1ON rls_test_restrictive USING (true);`
	`25`	`+`
`20`	`26`	`-- initial test data`
`21`	`27`	`INSERT INTO rls_test_restrictiveVALUES ('r1','s1',1);`
`22`	`28`	`INSERT INTO rls_test_restrictiveVALUES ('r2','s2',2);`
`@@ -101,6 +107,8 @@ RESET ROLE;`
`101`	`107`	`-- the hooks are combined correctly.`
`102`	`108`	`CREATE POLICY p1ON rls_test_permissive USING (data %2=0);`
`103`	`109`
	`110`	`+-- Remove the original allow-all policy`
	`111`	`+DROP POLICY p1ON rls_test_restrictive;`
`104`	`112`	`CREATE POLICY p1ON rls_test_restrictive USING (data %2=0);`
`105`	`113`
`106`	`114`	`CREATE POLICY p1ON rls_test_both USING (data %2=0);`

`‎src/test/modules/test_rls_hooks/test_rls_hooks.c`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,11 @@ test_rls_hooks_permissive(CmdType cmdtype, Relation relation)`
`119`	`119`
`120`	`120`	`/*`
`121`	`121`	`* Return restrictive policies to be added`
	`122`	`+ *`
	`123`	`+ * Note that a permissive policy must exist or the default-deny policy`
	`124`	`+ * will be included and nothing will be visible. If no filtering should`
	`125`	`+ * be done except for the restrictive policy, then a single "USING (true)"`
	`126`	`+ * permissive policy can be used; see the regression tests.`
`122`	`127`	`*/`
`123`	`128`	`List*`
`124`	`129`	`test_rls_hooks_restrictive(CmdTypecmdtype,Relationrelation)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitdee0200

File tree

4 files changed

4 files changed

`‎src/backend/rewrite/rowsecurity.c`

`‎src/test/modules/test_rls_hooks/expected/test_rls_hooks.out`

`‎src/test/modules/test_rls_hooks/sql/test_rls_hooks.sql`

`‎src/test/modules/test_rls_hooks/test_rls_hooks.c`

0 commit comments