Re: [PATCH] Add reloption for views to enable RLS

From: Christoph Heiss <christoph(dot)heiss(at)cybertec(dot)at>
To: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>, Dean Rasheed <dean(dot)a(dot)rasheed(at)gmail(dot)com>
Cc: walther(at)technowledgy(dot)de, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Hans-Jürgen Schönig <hs(at)cybertec(dot)at>
Subject: Re: [PATCH] Add reloption for views to enable RLS
Date: 2022-03-14 12:40:47
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

On 3/9/22 16:06, Laurenz Albe wrote:
> This paragraph contains a couple of grammatical errors.
> How about
> <para>
> Note that the user performing the insert, update or delete on the view
> must have the corresponding insert, update or delete privilege on the
> view. Unless <literal>security_invoker</literal> is set to
> <literal>true</literal>, the view's owner must additionally have the
> relevant privileges on the underlying base relations, but the user
> performing the update does not need any permissions on the underlying
> base relations (see <xref linkend="rules-privileges"/>).
> If <literal>security_invoker</literal> is set to <literal>true</literal>,
> it is the invoking user rather than the view owner that must have the
> relevant privileges on the underlying base relations.
> </para>

Replaced the two paragraphs with your suggestion, it is indeed easier to

> Also, this:
> [..]
> could be written like this (introducing a new variable):
> if (rule->event == CMD_SELECT
> && relation->rd_rel->relkind == RELKIND_VIEW
> && RelationHasSecurityInvoker(relation))
> user_for_check = InvalidOid;
> else
> user_for_check = relation->rd_rel->relowner;
> setRuleCheckAsUser((Node *) rule->actions, user_for_check);
> setRuleCheckAsUser(rule->qual, user_for_check);
> This might be easier to read.

Makes sense, I've changed that. This also seems to be more in line with
all the other code.
While at it I also split the comment alongside it to match, hopefully
that makes sense.

Christoph Heiss

Attachment Content-Type Size
v11-0001-Add-new-boolean-reloption-security_invoker-to-vi.patch text/x-patch 32.9 KB

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Amit Kapila 2022-03-14 12:47:10 Re: Column Filtering in Logical Replication
Previous Message 2022-03-14 12:39:49 RE: Skipping logical replication transactions on subscriber side