From 6dae6edcd88cf3be06acf247c10de925bc065274 Mon Sep 17 00:00:00 2001 From: Noah Misch Date: Sun, 20 Sep 2015 20:45:41 -0400 Subject: Remove the row_security=force GUC value. Every query of a single ENABLE ROW SECURITY table has two meanings, with the row_security GUC selecting between them. With row_security=force available, every function author would have been advised to either set the GUC locally or test both meanings. Non-compliance would have threatened reliability and, for SECURITY DEFINER functions, security. Authors already face an obligation to account for search_path, and we should not mimic that example. With this change, only BYPASSRLS roles need exercise the aforementioned care. Back-patch to 9.5, where the row_security GUC was introduced. Since this narrows the domain of pg_db_role_setting.setconfig and pg_proc.proconfig, one might bump catversion. A row_security=force setting in one of those columns will elicit a clear message, so don't. --- doc/src/sgml/config.sgml | 13 ++----------- doc/src/sgml/ddl.sgml | 17 +++++++---------- 2 files changed, 9 insertions(+), 21 deletions(-) (limited to 'doc/src') diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index c11ae47b84c..c8ec219ffc6 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -5541,10 +5541,8 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv; to queries which are run against tables that have row security enabled. The default is on. When set to on, all users, except superusers and the owner of the table, will have the row - policies for the table applied to their queries. The table owner and - superuser can request that row policies be applied to their queries by - setting this to force. Lastly, this can also be set to - off which will bypass row policies for the table, if + policies for the table applied to their queries. When set to + off, queries will bypass row policies for the table, if possible, and error if not. 
@@ -5557,13 +5555,6 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv; returned. - - The allowed values of row_security are - on (apply normally - not to superuser or table owner), - off (fail if row security would be applied), and - force (apply always - even to superuser and table owner). - - For more information on row security policies, see . diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml index e4e6b5cff4a..e9499d3a429 100644 --- a/doc/src/sgml/ddl.sgml +++ b/doc/src/sgml/ddl.sgml @@ -1585,16 +1585,13 @@ REVOKE ALL ON accounts FROM PUBLIC; The table owners and superusers bypass the row security system when - querying a table, by default. Row security can be enabled for - superusers and table owners by setting - to force. Any - user can request that row security be bypassed by setting - to off. If - the user does not have privileges to bypass row security when - querying a given table then an error will be returned instead. Other - users can be granted the ability to bypass the row security system - with the BYPASSRLS role attribute. This - attribute can only be set by a superuser. + querying a table. Any user can request that row security be bypassed by + setting to off. If + the user does not have privileges to bypass row security when querying a + given table then an error will be returned instead. Other users can be + granted the ability to bypass the row security system with + the BYPASSRLS role attribute. This attribute can only + be set by a superuser. -- cgit v1.2.3
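Review bot: In the first config.sgml hunk (@@ -5541), the new sentence "queries will bypass row policies for the table, if possible, and error if not" leaves "if possible" undefined. The kept sentence just before it names superusers and the table owner as the exceptions under on, and the ddl.sgml hunk in this same patch also names the BYPASSRLS role attribute. Suggest spelling out here which roles can bypass, so a reader of config.sgml alone can tell when off returns an error rather than unfiltered rows.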
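Review bot: The second config.sgml hunk (@@ -5557) deletes the allowed-values paragraph outright instead of trimming it to the two remaining values, which drops the only compact statement that off means "fail if row security would be applied". Consider keeping a two-value version of that paragraph. Since the commit message expects a stored row_security=force in pg_db_role_setting.setconfig or pg_proc.proconfig to produce a message, a sentence here noting that force is no longer accepted would help anyone who already saved that value.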
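Review bot: In the ddl.sgml hunk (@@ -1585), "Any user can request that row security be bypassed by setting to off" still reads as if the setting itself grants a bypass, although the next sentence says a user without the privilege gets an error instead. Suggest wording it as a request that fails rather than silently filters when the role may not bypass. With the force sentence removed, the paragraph also no longer says whether a table owner or superuser has any way to have policies applied to their own queries; stating that outright would save readers from looking for a replacement setting.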