Обсуждение: Re: RLS Design

Поиск
Список
Период
Сортировка

Re: RLS Design

От
"Brightwell, Adam"
Дата:
Thom,

Also, I seem to get an error message with the following:

# create policy nice_colours ON colours for all to joe using (visible = true) with check (name in ('blue','green','yellow'));
CREATE POLICY

\c - joe

> insert into colours (name, visible) values ('blue',false);
ERROR:  function with OID 0 does not exist

And if this did work, but I only violated the USING clause, would this still say the WITH CHECK clause was the cause?

Since RLS is built on top of  the same mechanisms used for Security Barrier Views, I figured I would check this case against that and, for the heck of it, regular VIEWs as well.  The result is the same error in both cases (below and attached).  I also verified that this issue exists for 9.4beta2 and the current REL9_4_STABLE branch.  If this isn't the expected behavior (I can't imagine that it is), I am certainly willing to dive into it further and see what I can determine for a solution/recommendation.  At any rate, this appears to be a previously existing issue with WITH CHECK OPTION.  Thoughts?

postgres=# DROP TABLE IF EXISTS colors CASCADE;
NOTICE:  table "colors" does not exist, skipping
DROP TABLE
postgres=# DROP ROLE IF EXISTS joe;
DROP ROLE
postgres=# CREATE ROLE joe LOGIN;
CREATE ROLE
postgres=# CREATE TABLE colors (name text, visible bool);
CREATE TABLE
postgres=# CREATE OR REPLACE VIEW v_colors_1 WITH (security_barrier) AS
postgres-#     SELECT * FROM colors WHERE (name in ('blue', 'green', 'yellow'))
postgres-#     WITH CHECK OPTION;
CREATE VIEW
postgres=# CREATE OR REPLACE VIEW v_colors_2 AS
postgres-#     SELECT * FROM colors WHERE (name in ('blue', 'green', 'yellow'))
postgres-#     WITH CHECK OPTION;
CREATE VIEW
postgres=# GRANT ALL ON v_colors_1, v_colors_2 TO joe;
GRANT
postgres=# \c - joe
You are now connected to database "postgres" as user "joe". 
postgres=> INSERT INTO v_colors_1 (name, visible) VALUES ('blue', false);
ERROR:  function with OID 0 does not exist
postgres=> INSERT INTO v_colors_2 (name, visible) VALUES ('blue', false);
ERROR:  function with OID 0 does not exist

Thanks,
Adam

--
Вложения

Re: RLS Design

От
Andrew Gierth
Дата:
>>>>> "Adam" == Brightwell, Adam <adam.brightwell@crunchydatasolutions.com> writes:
Adam> At any rate, this appears to be a previously existing issueAdam> with WITH CHECK OPTION.  Thoughts?

It's definitely an existing issue; you can reproduce it more simply,
no need to mess with different users.

The issue as far as I can tell is that the withCheckOption exprs are
not being processed anywhere in setrefs.c, so it only works at all by
pure fluke: for most operators, the opfuncid is also filled in by
eval_const_expressions, but for whatever reason SAOPs escape this
treatment. Same goes for other similar cases:

create table colors (name text);
create view vc1 as select * from colors where name is distinct from 'grue' with check option;
create view vc2 as select * from colors where name in ('red','green','blue') with check option;
create view vc3 as select * from colors where nullif(name,'grue') is null with check option;

insert into vc1 values ('red'); -- fails
insert into vc2 values ('red'); -- fails
insert into vc3 values ('red'); -- fails

(Also, commands/policy.c has two instances of "const char" as a
function return type, which is a compiler warning since the "const" is
meaningless.)

-- 
Andrew (irc:RhodiumToad)