| author | Stephen Frost <sfrost@snowman.net> | 2015-10-04 21:05:18 -0400 |
|---|---|---|
| committer | Stephen Frost <sfrost@snowman.net> | 2015-10-04 21:05:18 -0400 |
| commit | 90f334d2ca1a8bae2d0cd8a0898fb8ef90257565 (patch) | |
| tree | 2619e5544fbeb3ae65c462a3a9dd3f1a97d8ca11 /doc/src | |
| parent | e78dc6b829219cacaccc59957b5375585e919099 (diff) | |
ALTER TABLE .. FORCE ROW LEVEL SECURITY

To allow users to force RLS to always be applied, even for table owners,
add ALTER TABLE .. FORCE ROW LEVEL SECURITY.

row_security=off overrides FORCE ROW LEVEL SECURITY, to ensure pg_dump
output is complete (by default).

Also add SECURITY_NOFORCE_RLS context to avoid data corruption when
ALTER TABLE .. FORCE ROW SECURITY is being used. The
SECURITY_NOFORCE_RLS security context is used only during referential
integrity checks and is only considered in check_enable_rls() after we
have already checked that the current user is the owner of the relation
(which should always be the case during referential integrity checks).

Back-patch to 9.5 where RLS was added.

Diffstat (limited to 'doc/src')
| -rw-r--r-- | doc/src/sgml/catalogs.sgml | 10 |
| -rw-r--r-- | doc/src/sgml/ref/alter_table.sgml | 17 |
2 files changed, 27 insertions, 0 deletions
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml index 4a75b5f33d4..90a137bc0d3 100644 --- a/doc/src/sgml/catalogs.sgml +++ b/doc/src/sgml/catalogs.sgml @@ -1972,6 +1972,16 @@ </row> <row> + <entry><structfield>relforcerowsecurity</structfield></entry> + <entry><type>bool</type></entry> + <entry></entry> + <entry> + True if row level security (when enabled) will also apply to table owner; see + <link linkend="catalog-pg-policy"><structname>pg_policy</structname></link> catalog + </entry> + </row> + + <row> <entry><structfield>relispopulated</structfield></entry> <entry><type>bool</type></entry> <entry></entry> diff --git a/doc/src/sgml/ref/alter_table.sgml b/doc/src/sgml/ref/alter_table.sgml index 776401fc205..9fea2702bac 100644 --- a/doc/src/sgml/ref/alter_table.sgml +++ b/doc/src/sgml/ref/alter_table.sgml @@ -61,6 +61,8 @@ ALTER TABLE ALL IN TABLESPACE <replaceable class="PARAMETER">name</replaceable> ENABLE ALWAYS RULE <replaceable class="PARAMETER">rewrite_rule_name</replaceable> DISABLE ROW LEVEL SECURITY ENABLE ROW LEVEL SECURITY + FORCE ROW LEVEL SECURITY + NO FORCE ROW LEVEL SECURITY CLUSTER ON <replaceable class="PARAMETER">index_name</replaceable> SET WITHOUT CLUSTER SET WITH OIDS @@ -432,6 +434,21 @@ ALTER TABLE ALL IN TABLESPACE <replaceable class="PARAMETER">name</replaceable> </varlistentry> <varlistentry> + <term><literal>NO FORCE</literal>/<literal>FORCE ROW LEVEL SECURITY</literal></term> + <listitem> + <para> + These forms control the application of row security policies belonging + to the table when the user is the table owner. If enabled, row level + security policies will be applied when the user is the table owner. If + disabled (the default) then row level security will not be applied when + the user is the table owner. + See also + <xref linkend="SQL-CREATEPOLICY">. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term><literal>CLUSTER ON</literal></term> <listitem> <para> |
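Review bot: In the catalogs.sgml hunk (@@ -1972,6 +1972,16 @@), the new relforcerowsecurity entry says "(when enabled)" without saying what has to be enabled, so a reader of the catalog table cannot tell that the flag has no effect on its own. Suggest spelling it out, for example "True if row level security, when enabled on the table with ENABLE ROW LEVEL SECURITY, will also apply to the table owner", which also supplies the missing article in "apply to table owner". The entry points only at pg_policy; a pointer to the ALTER TABLE reference page, where FORCE ROW LEVEL SECURITY is described, would help someone trying to find out how the flag gets set.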
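Review bot: In the alter_table.sgml description hunk (@@ -432,6 +434,21 @@), the paragraph never mentions the row_security=off override that the commit message describes, so the documented behaviour is stronger than what the server does: an owner reading "row level security policies will be applied when the user is the table owner" has no indication that row_security=off overrides FORCE. Please add a sentence stating that override and why it exists (complete pg_dump output). The wording "If enabled" and "If disabled (the default)" is also easy to misread next to the ENABLE and DISABLE ROW LEVEL SECURITY forms listed just above in the synopsis; naming the forms directly ("With FORCE ..." and "With NO FORCE (the default) ...") would remove the ambiguity, and it is worth saying that FORCE only matters once row level security is enabled on the table, as the catalogs.sgml entry implies with "(when enabled)".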
