Re: minor error message enhance: print RLS policy name when only one permissive policy exists
| От | jian he |
|---|---|
| Тема | Re: minor error message enhance: print RLS policy name when only one permissive policy exists |
| Дата | |
| Msg-id | CACJufxFLgm2ynPs1HZAVU6s5iV9uQAmRaQXA=rwuvTQy6bnBRA@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: minor error message enhance: print RLS policy name when only one permissive policy exists (Chao Li <li.evan.chao@gmail.com>) |
| Список | pgsql-hackers |
On Tue, Oct 28, 2025 at 11:06 AM Chao Li <li.evan.chao@gmail.com> wrote: > > The attached patch did what the $subject says. > > demo: > > > > begin; > > create role alice login; > > grant all on schema public to alice; > > drop table if exists tts; > > create table tts(a int); > > grant insert on tts to alice; > > ALTER TABLE tts ENABLE ROW LEVEL SECURITY; > > CREATE POLICY p1 ON tts FOR ALL USING (a = 1 or a = 2 or a = 3); > > commit; > > > > SET ROLE alice; > > insert into tts values (4); --error > > > > old ERROR message: > > ERROR: new row violates row-level security policy for table "tts" > > > > new ERROR message: > > ERROR: new row violates row-level security policy "p1" for table "tts" > > > > There are fewer than 10 lines of C code changes, but turns out that in the > > regression tests, there are many cases where only one permissive policy exists > > for INSERT or UPDATE. > > So the patch is not smaller. > > <v1-0001-minor-RLS-violation-error-report-enhance.patch> > > I agree printing policy name to the log helps. I tried to “make" and “make check”, all passed. https://cirrus-ci.com/task/5006265459408896?logs=test_world#L145 says test_rls_hooks test failed. > > A tiny comment wrt the code comment: > > ``` > * since if the check fails it means that no policy granted permission > * to perform the update, rather than any particular policy being > * violated. > + * However, if there is only a single permissive policy clause, we can > + * include that specific policy name in error reports when the policy is > + * violated. > ``` > > * “However …” doesn’t have to go to a new line. But if you really want that, an empty comment line should be added above“However …”. See the comment of “if” that is right above this piece of code. > > * “include that specific policy name” => “include that specific policy’s name”. > ok. now the comment is * However, if there is only a single permissive policy clause, we can * include that specific policy’s name in error reports when the policy * is violated.
Вложения
В списке pgsql-hackers по дате отправления: