From 5d35438273c4523a4dc4b48c3bd575e64310d3d4 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Mon, 4 Jan 2016 12:21:31 -0500 Subject: Adjust behavior of row_security GUC to match the docs. Some time back we agreed that row_security=off should not be a way to bypass RLS entirely, but only a way to get an error if it was being applied. However, the code failed to act that way for table owners. Per discussion, this is a must-fix bug for 9.5.0. Adjust the logic in rls.c to behave as expected; also, modify the error message to be more consistent with the new interpretation. The regression tests need minor corrections as well. Also update the comments about row_security in ddl.sgml to be correct. (The official description of the GUC in config.sgml is already correct.) I failed to resist the temptation to do some other very minor cleanup as well, such as getting rid of a duplicate extern declaration. --- doc/src/sgml/ddl.sgml | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) (limited to 'doc/src') diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml index 584a618e9d3..a4b1a35bba0 100644 --- a/doc/src/sgml/ddl.sgml +++ b/doc/src/sgml/ddl.sgml @@ -1572,11 +1572,7 @@ REVOKE ALL ON accounts FROM PUBLIC; bypass the row security system when accessing a table. Table owners normally bypass row security as well, though a table owner can choose to be subject to row security with ALTER - TABLE ... FORCE ROW LEVEL SECURITY. Even in a table with that option - selected, the table owner will bypass row security if the - configuration parameter is set - to off; this setting is typically used for purposes such as - backup and restore. + TABLE ... FORCE ROW LEVEL SECURITY. @@ -1606,14 +1602,6 @@ REVOKE ALL ON accounts FROM PUBLIC; of all roles that they are a member of. - - Referential integrity checks, such as unique or primary key constraints - and foreign key references, always bypass row security to ensure that - data integrity is maintained. Care must be taken when developing - schemas and row level policies to avoid covert channel leaks of - information through such referential integrity checks. - - As a simple example, here is how to create a policy on the account relation to allow only members of @@ -1773,6 +1761,26 @@ postgres=> update passwd set pwhash = 'abc'; UPDATE 1 + + Referential integrity checks, such as unique or primary key constraints + and foreign key references, always bypass row security to ensure that + data integrity is maintained. Care must be taken when developing + schemas and row level policies to avoid covert channel leaks of + information through such referential integrity checks. + + + + In some contexts it is important to be sure that row security is + not being applied. For example, when taking a backup, it could be + disastrous if row security silently caused some rows to be omitted + from the backup. In such a situation, you can set the + configuration parameter + to off. This does not in itself bypass row security; + what it does is throw an error if any query's results would get filtered + by a policy. The reason for the error can then be investigated and + fixed. + + For additional details see and . -- cgit v1.2.3