| From: | Kirill Reshke <reshkekirill(at)gmail(dot)com> |
|---|---|
| To: | Dean Rasheed <dean(dot)a(dot)rasheed(at)gmail(dot)com> |
| Cc: | Florin Irion <irionr(at)gmail(dot)com>, jian he <jian(dot)universality(at)gmail(dot)com>, Chao Li <li(dot)evan(dot)chao(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: minor error message enhance: print RLS policy name when only one permissive policy exists |
| Date: | 2026-01-07 12:45:08 |
| Message-ID: | CALdSSPh05B9J=sKj+j4+V=cXg9B2cOyVNPsiXhLH1mOkV0ruEw@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, 11 Nov 2025 at 22:00, Dean Rasheed <dean(dot)a(dot)rasheed(at)gmail(dot)com> wrote:
>
> On Tue, 11 Nov 2025 at 14:10, Florin Irion <irionr(at)gmail(dot)com> wrote:
> >
> > The change is relevant primarily when there is a single
> > permissive policy, the most common case. When multiple policies are in place,
> > the error message remains generic, which is appropriate.
>
> I'm not entirely convinced that this is a good idea.
>
> For one thing, permissive policies grant access to the table, rather
> than denying it, so if the permissive policy checks fail, it's because
> no permissive policy granted access, not because any particular policy
> denied access. So in the special case where there happens to be
> exactly one permissive policy, it's not really accurate to say that
> one policy was violated.
>
> For another thing, this patch doesn't help at all in more complex
> cases, where there are multiple (or no) applicable policies, and
> arguably it's those cases that would benefit most from an improved
> error message. Trivial cases like the one cited at the start of this
> thread don't really need much improvement, because there is only one
> policy, so it's obvious where to look.
>
> In my experience, one of the hardest parts about figuring out why a
> RLS check failed is working out which type of policy check failed. For
> example, in an INSERT ... ON CONFLICT DO UPDATE, it might have been an
> INSERT policy check that failed for the row proposed for insertion,
> but it might also have been an UPDATE or SELECT policy for a row being
> updated. In fact, nearly all the commands check SELECT policies in
> addition to the command-specific policies. So perhaps a better
> approach would be to specify the policy command type in the error
> message (adding that as a new field to the WithCheckOption struct).
> For example, if the policy name is NULL (an OR'ed set of permissive
> policy checks), report something like this:
>
> ERROR: new row violates row-level security policy for SELECT on table "tts"
>
> Then you'd know to look at the SELECT policies, which might not
> otherwise be obvious.
>
> Regards,
> Dean
>
>
HI! I can see that review comment from Dean (about desirability of
patch) is not covered, so I changed [0] status to WOA
I also think the CF entry name is too long and it could be beneficial
to shorten it.
[0] https://commitfest.postgresql.org/patch/6180/
--
Best regards,
Kirill Reshke
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Matthias van de Meent | 2026-01-07 12:56:34 | Re: POC: enable logical decoding when wal_level = 'replica' without a server restart |
| Previous Message | Amit Kapila | 2026-01-07 12:01:53 | Re: Proposal: Conflict log history table for Logical Replication |