| From: | Dominique Devienne <ddevienne(at)gmail(dot)com> |
|---|---|
| To: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
| Cc: | Vydehi Ganti <rayudugs(at)gmail(dot)com>, pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Clarification on RLS policy |
| Date: | 2025-04-25 12:52:43 |
| Message-ID: | CAFCRh-_fXGfKk6b26xaDD1fg5OhLy92bNofmeDfX2TFjkQLLXA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Fri, Apr 25, 2025 at 2:43 PM Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> wrote:
> On Fri, 2025-04-25 at 12:38 +0530, Vydehi Ganti wrote:
> > We are presently using Postgresql:PostgreSQL 15.12 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-23), 64-bit
> > 2.The function would return a character varying string which should be appended
> > to the select as a filter.
>
> You cannot add whole WHERE conditions to a query dynamically.
> The only way to fix that is to solve the problem differently.
> Since you didn't tell us details, we cannot tell you how.
Laurenz is right. That's not how RLS works in PostgreSQL, unlike Oracle.
In PostgreSQL, you must use a boolean SQL expression, often by calling
a function.
You don't simply return some SQL text that Oracle then "splices" into
the SELECT.
E.g., if you use custom ROLEs as an implementation detail for your
security rules,
your policy can be as simple as calling the pg_has_role() built-in
function. FWIW. --DD
CREATE POLICY ... USING (pg_has_role('SomeRole', 'MEMBER'))
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Vydehi Ganti | 2025-04-25 13:01:00 | Re: Clarification on RLS policy |
| Previous Message | Laurenz Albe | 2025-04-25 12:43:22 | Re: Clarification on RLS policy |