Re: minor error message enhance: print RLS policy name when only one permissive policy exists

From: jian he <jian(dot)universality(at)gmail(dot)com>
To: Chao Li <li(dot)evan(dot)chao(at)gmail(dot)com>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: minor error message enhance: print RLS policy name when only one permissive policy exists
Date: 2025-10-31 11:54:38
Message-ID: CACJufxFLgm2ynPs1HZAVU6s5iV9uQAmRaQXA=rwuvTQy6bnBRA@mail.gmail.com
Lists: pgsql-hackers

On Tue, Oct 28, 2025 at 11:06 AM Chao Li <li(dot)evan(dot)chao(at)gmail(dot)com> wrote:
> > The attached patch did what the $subject says.
> > demo:
> >
> > begin;
> > create role alice login;
> > grant all on schema public to alice;
> > drop table if exists tts;
> > create table tts(a int);
> > grant insert on tts to alice;
> > ALTER TABLE tts ENABLE ROW LEVEL SECURITY;
> > CREATE POLICY p1 ON tts FOR ALL USING (a = 1 or a = 2 or a = 3);
> > commit;
> >
> > SET ROLE alice;
> > insert into tts values (4); --error
> >
> > old ERROR message:
> > ERROR: new row violates row-level security policy for table "tts"
> >
> > new ERROR message:
> > ERROR: new row violates row-level security policy "p1" for table "tts"
> >
> > There are fewer than 10 lines of C code changes, but it turns out that in the
> > regression tests, there are many cases where only one permissive policy exists
> > for INSERT or UPDATE.
> > So the patch is not smaller.
> > <v1-0001-minor-RLS-violation-error-report-enhance.patch>
>
> I agree printing policy name to the log helps. I tried to “make” and “make check”, all passed.

https://cirrus-ci.com/task/5006265459408896?logs=test_world#L145
says test_rls_hooks test failed.

>
> A tiny comment wrt the code comment:
>
> ```
> * since if the check fails it means that no policy granted permission
> * to perform the update, rather than any particular policy being
> * violated.
> + * However, if there is only a single permissive policy clause, we can
> + * include that specific policy name in error reports when the policy is
> + * violated.
> ```
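Review bot: the added sentence ends with "when the policy is violated", which reads as contradicting the unchanged text directly above it, where a failed check means no policy granted permission "rather than any particular policy being violated". Consider phrasing the new sentence in terms of the check failing, for example "include that policy's name in the error report when the check fails", so the two sentences agree.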
>
> * “However …” doesn’t have to go to a new line. But if you really want that, an empty comment line should be added above “However …”. See the comment of “if” that is right above this piece of code.
>
> * “include that specific policy name” => “include that specific policy’s name”.
>

OK. Now the comment is:

* However, if there is only a single permissive policy clause, we can
* include that specific policy’s name in error reports when the policy
* is violated.

Attachment Content-Type Size
v2-0001-minor-RLS-violation-error-report-enhance.patch text/x-patch 19.6 KB
