Re: [HACKERS] RLS policy not getting honer while pg_dump ondeclarative partition

On 2017/06/17 9:20, Stephen Frost wrote:
> Greetings,
> 
> * Rushabh Lathia (rushabh.lathia@gmail.com) wrote:
>> While doing some testing I noticed that RLS policy not getting honer
>> while pg_dump on declarative partition.
>>
>> I can understand that while doing SELECT on individual child
>> table, policy of parent is not getting applied. But is this desirable
>> behaviour? I think for partitions, any policy on the root table should
>> get redirect to the child, thoughts?
>>
>> If current behaviour is desirable then atleast we should document this.
> 
> The current behaviour matches how the GRANT system works, unless it's
> been changed as part of the partitioning patches, we don't check the
> privileges on tthe parent to see if an individual has access to the
> child.

The partitioning patch itself (either f0e44751d71 or any subsequent
patches) didn't change any of how that works.  One would get the same
behavior as one would with inheritance, as described in the inheritance
section:

https://www.postgresql.org/docs/devel/static/ddl-inherit.html

"Inherited queries perform access permission checks on the parent table
only. Thus, for example, granting UPDATE permission on the cities table
implies permission to update rows in the capitals table as well, when they
are accessed through cities. This preserves the appearance that the data
is (also) in the parent table. But the capitals table could not be updated
directly without an additional grant. In a similar way, the parent table's
row security policies (see Section 5.7) are applied to rows coming from
child tables during an inherited query. A child table's policies, if any,
are applied only when it is the table explicitly named in the query; and
in that case, any policies attached to its parent(s) are ignored."

> I think we could certainly consider if this behavior is desirable in a
> system which includes partitioning instead of inheritance,

Do we want CREATE POLICY foo ON parent creating the policy objects for all
the partitions?  That is, cascade the policy object definition?

> but if we
> wish to do so then I think we should be considering if the GRANT system
> should also be changed as I do feel the two should be consistent.

IIUC, you are saying here that GRANT should be taught to cascade the
permission grant/revokes to partitions.


Also, the somewhat related nearby discussion about dumping the partition
data through the root parent will perhaps have to think about some of
these things.  Dumping data through the root table will take care of the
problem that Rushabh is complaining about, because only rows visible per
the parent's policies would be dumped.  Of course then the the set of rows
dumped will be different from what it is today, because one would expect
that a different set of policies would get applied - the root table's
policies when dumping data through it vs. the individual partitions'
policies when dumping data per partition.

Thanks,
Amit