psql: Add leakproof indicator to \df+, \do+, \dAo+, and \dC+ output.

This allows users to determine whether particular functions are leakproof, and whether the underlying functions used by operators and casts are leakproof. This is useful to determine whether indexes can be used in queries on security barrier views or tables with row-level security policies. Yugo Nagata, reviewed by Erik Wienhold and Dean Rasheed. Discussion: https://postgr.es/m/20240701220817.483f9b645b95611f8b1f65da%40sranhm.sraoss.co.jp
2025-07-27 12:41:57 +03:00 · 2025-01-14 13:23:24 +00:00
parent af8cd1639a
commit 2355e51110
6 changed files with 107 additions and 56 deletions
--- a/doc/src/sgml/planstats.sgml
+++ b/doc/src/sgml/planstats.sgml
@ -729,6 +729,9 @@ EXPLAIN (ANALYZE, TIMING OFF, BUFFERS OFF) SELECT * FROM t WHERE a &lt;= 49 AND
   accurately, the function that the operator is based on).  If not, then the
   selectivity estimator will behave as if no statistics are available, and
   the planner will proceed with default or fall-back assumptions.
+   The <xref linkend="app-psql"/> program's
+   <command><link linkend="app-psql-meta-command-do-lc">\do+</link></command>
+   meta-command is useful to determine which operators are marked as leakproof.
  </para>

  <para>
--- a/doc/src/sgml/ref/psql-ref.sgml
+++ b/doc/src/sgml/ref/psql-ref.sgml
@ -1420,7 +1420,8 @@ SELECT $1 \parse stmt1
        is specified, only members of operator families whose names match that
        pattern are listed.
        If <literal>+</literal> is appended to the command name, each operator
-        is listed with its sort operator family (if it is an ordering operator).
+        is listed with its sort operator family (if it is an ordering operator),
+        and whether its underlying function is leakproof.
        </para>
        </listitem>
      </varlistentry>
@ -1509,8 +1510,9 @@ SELECT $1 \parse stmt1
        If <replaceable class="parameter">pattern</replaceable>
        is specified, only casts whose source or target types match the
        pattern are listed.
-        If <literal>+</literal> is appended to the command name, each object
-        is listed with its associated description.
+        If <literal>+</literal> is appended to the command name, additional
+        information about each cast is shown, including whether its underlying
+        function is leakproof, and the cast's description.
        </para>
        </listitem>
      </varlistentry>
@ -1711,9 +1713,9 @@ SELECT $1 \parse stmt1
        modifier to include system objects.
        If the form <literal>\df+</literal> is used, additional information
        about each function is shown, including volatility,
-        parallel safety, owner, security classification, access privileges,
-        language, internal name (for C and internal functions only),
-        and description.
+        parallel safety, owner, security classification, whether it is
+        leakproof, access privileges, language, internal name (for C and
+        internal functions only), and description.
        Source code for a specific function can be seen
        using <literal>\sf</literal>.
        </para>
@ -1862,8 +1864,8 @@ SELECT $1 \parse stmt1
        pattern or the <literal>S</literal> modifier to include system
        objects.
        If <literal>+</literal> is appended to the command name,
-        additional information about each operator is shown, currently just
-        the name of the underlying function.
+        additional information about each operator is shown, including
+        the name of the underlying function, and whether it is leakproof.
        </para>
        </listitem>
      </varlistentry>
--- a/doc/src/sgml/rules.sgml
+++ b/doc/src/sgml/rules.sgml
@ -2167,6 +2167,17 @@ CREATE VIEW phone_number WITH (security_barrier) AS
    view's row filters.
 </para>

+<para>
+    For example, an index scan cannot be selected for queries on security
+    barrier views (or tables with row-level security policies) if an
+    operator used in the <literal>WHERE</literal> clause is associated with the
+    operator family of the index, but its underlying function is not marked
+    <literal>LEAKPROOF</literal>. The <xref linkend="app-psql"/> program's
+    <command><link linkend="app-psql-meta-command-dao">\dAo+</link></command>
+    meta-command is useful to list operator families and determine which of
+    their operators are marked as leakproof.
+</para>
+
 <para>
    It is important to understand that even a view created with the
    <literal>security_barrier</literal> option is intended to be secure only