| From: | Ayush Tiwari <ayushtiwari(dot)slg01(at)gmail(dot)com> |
|---|---|
| To: | Paul A Jungwirth <pj(at)illuminatedcomputing(dot)com> |
| Cc: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Peter Eisentraut <peter(at)eisentraut(dot)org> |
| Subject: | Re: Enforce INSERT RLS checks for FOR PORTION OF leftovers? |
| Date: | 2026-06-05 16:46:57 |
| Message-ID: | CAJTYsWVQu7p4WoXSSyU1npTp6wz9AUiS1-HS_yKogqvQUCDuZQ@mail.gmail.com |
| Lists: | pgsql-hackers |
Hi,

On Sat, 16 May 2026 at 22:20, Paul A Jungwirth <pj(at)illuminatedcomputing(dot)com> wrote:

> Skipping the RLS checks to insert the leftovers seems like the correct
> behavior to me, since we are skipping the ACL checks (per the
> standard). Shouldn't it be consistent?
>
> I think the reason we skip the checks is that semantically, the
> leftovers aren't changing anything: they are preserving the history
> that is already there.
>
> I'm happy to write a doc patch to make this explicit. Does anyone
> disagree about the correct behavior though?
>

I'd treat them separately. Skipping INSERT ACL is a standard-driven
call about command privilege; RLS WITH CHECK is a per-row predicate
on the data, and the leftover really is a new heap tuple written by
the current role.

With `WITH CHECK (name <> 'denied')` and a pre-existing 'denied' row
(loaded by COPY or before the policy), UPDATE FOR PORTION OF that
touches only the range column writes leftovers the role could not
have INSERTed directly. That's the part that bothers me, especially
since RLS tends to be deployed as a hard security boundary rather
than something users expect to opt out of per statement type.

Please correct me if I'm wrong here.

Regards,
Ayush
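
The scenario in the message above, written out as a regression-style script for checking how a given build treats leftovers. This is an added example, not code from the thread or from the PostgreSQL tree; the table, role, policy and column names are constructed, and it assumes a server build that accepts `UPDATE ... FOR PORTION OF` on a plain `daterange` column.

```sql
-- Constructed test case; rls_leftover_demo, app_role, note and the p_* policies
-- are hypothetical names. Run as the table owner or a superuser.
CREATE ROLE app_role NOLOGIN;

CREATE TABLE rls_leftover_demo (
    id       int,
    name     text,
    note     text,
    valid_at daterange
);

-- The pre-existing 'denied' row, loaded before any policy exists.
INSERT INTO rls_leftover_demo
VALUES (1, 'denied', 'original', daterange('2026-01-01', '2027-01-01'));

ALTER TABLE rls_leftover_demo ENABLE ROW LEVEL SECURITY;
GRANT SELECT, INSERT, UPDATE ON rls_leftover_demo TO app_role;

-- Separate per-command policies so that only INSERT carries the predicate.
CREATE POLICY p_select ON rls_leftover_demo FOR SELECT TO app_role USING (true);
CREATE POLICY p_update ON rls_leftover_demo FOR UPDATE TO app_role USING (true);
CREATE POLICY p_insert ON rls_leftover_demo FOR INSERT TO app_role
    WITH CHECK (name <> 'denied');

SET ROLE app_role;

-- Baseline: a direct INSERT of a 'denied' row is evaluated against p_insert.
INSERT INTO rls_leftover_demo
VALUES (2, 'denied', 'direct', daterange('2026-01-01', '2027-01-01'));

-- The case under discussion: name is not modified, only a slice of valid_at
-- is targeted, so the untouched parts of the range are written back as
-- leftover rows that still carry name = 'denied'.
UPDATE rls_leftover_demo
   FOR PORTION OF valid_at FROM '2026-04-01' TO '2026-07-01'
   SET note = 'changed'
 WHERE id = 1;

-- Rows for id = 1 outside [2026-04-01, 2026-07-01) are the leftovers; whether
-- they exist tells you if p_insert was applied to them.
SELECT id, name, note, valid_at
  FROM rls_leftover_demo
 ORDER BY id, valid_at;

RESET ROLE;
```

Keeping the script in a policy test suite makes a change in leftover handling between server versions visible as a diff in the final `SELECT`.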