Re: FORCE ROW LEVEL SECURITY

From: Stephen Frost
Subject: Re: FORCE ROW LEVEL SECURITY
Date:
Msg-id: 20151104184725.GG3685@tamriel.snowman.net
In reply to: FORCE ROW LEVEL SECURITY  (Robert Haas <robertmhaas@gmail.com>)
List: pgsql-hackers
Robert,

* Robert Haas (robertmhaas@gmail.com) wrote:
> FORCE ROW LEVEL SECURITY doesn't behave as I would expect.
>
> rhaas=# create policy hideit on foo1 using (a < 3);
> CREATE POLICY
> rhaas=# explain select * from foo1;
>                        QUERY PLAN
> ---------------------------------------------------------
>  Seq Scan on foo1  (cost=0.00..22.70 rows=1270 width=36)
> (1 row)
> rhaas=# alter table foo force row level security;
> ALTER TABLE
> rhaas=# alter table foo1 enable row level security;
> ALTER TABLE
> rhaas=# explain select * from foo1;
>                        QUERY PLAN
> ---------------------------------------------------------
>  Seq Scan on foo1  (cost=0.00..22.70 rows=1270 width=36)
> (1 row)
> rhaas=# create user bob;
> CREATE ROLE
> rhaas=# grant select on foo1 to bob;
> GRANT
> rhaas=# \c - bob
> You are now connected to database "rhaas" as user "bob".
> rhaas=> select * from foo1;
>  a | b
> ---+---
> (0 rows)
>
> rhaas=> explain select * from foo1;
>                        QUERY PLAN
> --------------------------------------------------------
>  Seq Scan on foo1  (cost=0.00..25.88 rows=423 width=36)
>    Filter: (a < 3)
> (2 rows)
>
> Isn't the whole purpose of FORCE ROW LEVEL SECURITY to cause RLS to be
> applied even for the table owner?

Did you enable RLS for the table?

You need to do both ENABLE and FORCE if you want it to apply to owners.
There are regression tests which should demonstrate that, if it helps.
Happy to work through the issue also though.

Thanks!

Stephen
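
The ENABLE/FORCE interaction described in the reply above, as an added example that is not part of the original message or of the PostgreSQL regression tests. It reuses the `foo1` table and `hideit` policy names from the quoted session; the sample rows and the `rls_state` labels in the audit query are constructed for illustration.

```sql
-- Setup, reusing the table and policy names from the quoted session.
-- Rows are constructed sample data. Run this as a non-superuser owner
-- without BYPASSRLS: superusers and BYPASSRLS roles skip RLS regardless.
CREATE TABLE foo1 (a int, b text);
INSERT INTO foo1 VALUES (1, 'one'), (2, 'two'), (3, 'three'), (4, 'four');
CREATE POLICY hideit ON foo1 USING (a < 3);

-- ENABLE alone: the policy filters other roles, the owner stays exempt.
ALTER TABLE foo1 ENABLE ROW LEVEL SECURITY;
EXPLAIN SELECT * FROM foo1;

-- ENABLE plus FORCE: the owner becomes subject to the policy as well.
-- Compare this plan with the previous one to see the policy qual appear.
ALTER TABLE foo1 FORCE ROW LEVEL SECURITY;
EXPLAIN SELECT * FROM foo1;

-- Audit: list every user table that has a policy or an RLS flag set,
-- and label the combinations in which a policy is silently not applied.
SELECT c.oid::regclass            AS table_name,
       c.relrowsecurity           AS rls_enabled,
       c.relforcerowsecurity      AS rls_forced,
       (SELECT count(*) FROM pg_policy p
         WHERE p.polrelid = c.oid) AS policies,
       CASE
         WHEN c.relforcerowsecurity AND NOT c.relrowsecurity
           THEN 'FORCE without ENABLE: policies apply to nobody'
         WHEN NOT c.relrowsecurity
           THEN 'policies defined but RLS not enabled'
         WHEN NOT c.relforcerowsecurity
           THEN 'enabled: owner is exempt'
         ELSE 'enabled and forced: owner is filtered'
       END                        AS rls_state
FROM pg_class c
WHERE c.relkind IN ('r', 'p')
  AND c.relnamespace NOT IN ('pg_catalog'::regnamespace,
                             'information_schema'::regnamespace)
  AND (c.relrowsecurity
       OR c.relforcerowsecurity
       OR EXISTS (SELECT 1 FROM pg_policy p WHERE p.polrelid = c.oid))
ORDER BY 1;
```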
