database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-26 12:21:12 +03:00
Code Activity

Row-Level Security Policies (RLS)

Browse Source 
Building on the updatable security-barrier views work, add the
ability to define policies on tables to limit the set of rows
which are returned from a query and which are allowed to be added
to a table.  Expressions defined by the policy for filtering are
added to the security barrier quals of the query, while expressions
defined to check records being added to a table are added to the
with-check options of the query.

New top-level commands are CREATE/ALTER/DROP POLICY and are
controlled by the table owner.  Row Security is able to be enabled
and disabled by the owner on a per-table basis using
ALTER TABLE .. ENABLE/DISABLE ROW SECURITY.

Per discussion, ROW SECURITY is disabled on tables by default and
must be enabled for policies on the table to be used.  If no
policies exist on a table with ROW SECURITY enabled, a default-deny
policy is used and no records will be visible.

By default, row security is applied at all times except for the
table owner and the superuser.  A new GUC, row_security, is added
which can be set to ON, OFF, or FORCE.  When set to FORCE, row
security will be applied even for the table owner and superusers.
When set to OFF, row security will be disabled when allowed and an
error will be thrown if the user does not have rights to bypass row
security.

Per discussion, pg_dump sets row_security = OFF by default to ensure
that exports and backups will have all data in the table or will
error if there are insufficient privileges to bypass row security.
A new option has been added to pg_dump, --enable-row-security, to
ask pg_dump to export with row security enabled.

A new role capability, BYPASSRLS, which can only be set by the
superuser, is added to allow other users to be able to bypass row
security using row_security = OFF.

Many thanks to the various individuals who have helped with the
design, particularly Robert Haas for his feedback.

Authors include Craig Ringer, KaiGai Kohei, Adam Brightwell, Dean
Rasheed, with additional changes and rework by me.

Reviewers have included all of the above, Greg Smith,
Jeff McCormick, and Robert Haas.
This commit is contained in:
Stephen Frost
2014-09-19 11:18:35 -04:00
parent e5603a2f35
commit 491c029dbc
82 changed files with 7285 additions and 158 deletions
Download Patch File Download Diff File Expand all files Collapse all files

153
src/backend/parser/gram.y
View File

@ -231,7 +231,7 @@ static Node *makeRecursiveViewSelect(char *relname, List *aliases, Node *query);
AlterObjectSchemaStmt AlterOwnerStmt AlterSeqStmt AlterSystemStmt AlterTableStmt
AlterTblSpcStmt AlterExtensionStmt AlterExtensionContentsStmt AlterForeignTableStmt
AlterCompositeTypeStmt AlterUserStmt AlterUserMappingStmt AlterUserSetStmt
AlterRoleStmt AlterRoleSetStmt
AlterRoleStmt AlterRoleSetStmt AlterPolicyStmt
AlterDefaultPrivilegesStmt DefACLAction
AnalyzeStmt ClosePortalStmt ClusterStmt CommentStmt
ConstraintsSetStmt CopyStmt CreateAsStmt CreateCastStmt
@ -240,11 +240,11 @@ static Node *makeRecursiveViewSelect(char *relname, List *aliases, Node *query);
CreateSchemaStmt CreateSeqStmt CreateStmt CreateTableSpaceStmt
CreateFdwStmt CreateForeignServerStmt CreateForeignTableStmt
CreateAssertStmt CreateTrigStmt CreateEventTrigStmt
CreateUserStmt CreateUserMappingStmt CreateRoleStmt
CreateUserStmt CreateUserMappingStmt CreateRoleStmt CreatePolicyStmt
CreatedbStmt DeclareCursorStmt DefineStmt DeleteStmt DiscardStmt DoStmt
DropGroupStmt DropOpClassStmt DropOpFamilyStmt DropPLangStmt DropStmt
DropAssertStmt DropTrigStmt DropRuleStmt DropCastStmt DropRoleStmt
DropUserStmt DropdbStmt DropTableSpaceStmt DropFdwStmt
DropPolicyStmt DropUserStmt DropdbStmt DropTableSpaceStmt DropFdwStmt
DropForeignServerStmt DropUserMappingStmt ExplainStmt FetchStmt
GrantStmt GrantRoleStmt ImportForeignSchemaStmt IndexStmt InsertStmt
ListenStmt LoadStmt LockStmt NotifyStmt ExplainableStmt PreparableStmt
@ -319,6 +319,10 @@ static Node *makeRecursiveViewSelect(char *relname, List *aliases, Node *query);
%type <str> all_Op MathOp
%type <str> row_security_cmd RowSecurityDefaultForCmd
%type <node> RowSecurityOptionalWithCheck RowSecurityOptionalExpr
%type <list> RowSecurityDefaultToRole RowSecurityOptionalToRole
%type <str> iso_level opt_encoding
%type <node> grantee
%type <list> grantee_list
@ -589,7 +593,7 @@ static Node *makeRecursiveViewSelect(char *relname, List *aliases, Node *query);
OBJECT_P OF OFF OFFSET OIDS ON ONLY OPERATOR OPTION OPTIONS OR
ORDER ORDINALITY OUT_P OUTER_P OVER OVERLAPS OVERLAY OWNED OWNER
PARSER PARTIAL PARTITION PASSING PASSWORD PLACING PLANS POSITION
PARSER PARTIAL PARTITION PASSING PASSWORD PLACING PLANS POLICY POSITION
PRECEDING PRECISION PRESERVE PREPARE PREPARED PRIMARY
PRIOR PRIVILEGES PROCEDURAL PROCEDURE PROGRAM
@ -740,6 +744,7 @@ stmt :
| AlterGroupStmt
| AlterObjectSchemaStmt
| AlterOwnerStmt
| AlterPolicyStmt
| AlterSeqStmt
| AlterSystemStmt
| AlterTableStmt
@ -774,6 +779,7 @@ stmt :
| CreateOpClassStmt
| CreateOpFamilyStmt
| AlterOpFamilyStmt
| CreatePolicyStmt
| CreatePLangStmt
| CreateSchemaStmt
| CreateSeqStmt
@ -799,6 +805,7 @@ stmt :
| DropOpClassStmt
| DropOpFamilyStmt
| DropOwnedStmt
| DropPolicyStmt
| DropPLangStmt
| DropRuleStmt
| DropStmt
@ -957,6 +964,10 @@ AlterOptRoleElem:
$$ = makeDefElem("canlogin", (Node *)makeInteger(TRUE));
else if (strcmp($1, "nologin") == 0)
$$ = makeDefElem("canlogin", (Node *)makeInteger(FALSE));
else if (strcmp($1, "bypassrls") == 0)
$$ = makeDefElem("bypassrls", (Node *)makeInteger(TRUE));
else if (strcmp($1, "nobypassrls") == 0)
$$ = makeDefElem("bypassrls", (Node *)makeInteger(FALSE));
else if (strcmp($1, "noinherit") == 0)
{
/*
@ -2302,6 +2313,20 @@ alter_table_cmd:
n->def = $3;
$$ = (Node *)n;
}
/* ALTER TABLE <name> ENABLE ROW LEVEL SECURITY */
| ENABLE_P ROW LEVEL SECURITY
{
AlterTableCmd *n = makeNode(AlterTableCmd);
n->subtype = AT_EnableRowSecurity;
$$ = (Node *)n;
}
/* ALTER TABLE <name> DISABLE ROW LEVEL SECURITY */
| DISABLE_P ROW LEVEL SECURITY
{
AlterTableCmd *n = makeNode(AlterTableCmd);
n->subtype = AT_DisableRowSecurity;
$$ = (Node *)n;
}
| alter_generic_options
{
AlterTableCmd *n = makeNode(AlterTableCmd);
@ -4495,6 +4520,105 @@ AlterUserMappingStmt: ALTER USER MAPPING FOR auth_ident SERVER name alter_generi
}
;
/*****************************************************************************
*
* QUERIES:
* CREATE POLICY name ON table FOR cmd TO role USING (qual)
* WITH CHECK (with_check)
* ALTER POLICY name ON table FOR cmd TO role USING (qual)
* WITH CHECK (with_check)
* DROP POLICY name ON table
*
*****************************************************************************/
CreatePolicyStmt:
CREATE POLICY name ON qualified_name RowSecurityDefaultForCmd
RowSecurityDefaultToRole RowSecurityOptionalExpr
RowSecurityOptionalWithCheck
{
CreatePolicyStmt *n = makeNode(CreatePolicyStmt);
n->policy_name = $3;
n->table = $5;
n->cmd = $6;
n->roles = $7;
n->qual = $8;
n->with_check = $9;
$$ = (Node *) n;
}
;
AlterPolicyStmt:
ALTER POLICY name ON qualified_name RowSecurityOptionalToRole
RowSecurityOptionalExpr RowSecurityOptionalWithCheck
{
AlterPolicyStmt *n = makeNode(AlterPolicyStmt);
n->policy_name = $3;
n->table = $5;
n->roles = $6;
n->qual = $7;
n->with_check = $8;
$$ = (Node *) n;
}
;
DropPolicyStmt:
DROP POLICY name ON any_name opt_drop_behavior
{
DropStmt *n = makeNode(DropStmt);
n->removeType = OBJECT_POLICY;
n->objects = list_make1(lappend($5, makeString($3)));
n->arguments = NIL;
n->behavior = $6;
n->missing_ok = false;
n->concurrent = false;
$$ = (Node *) n;
}
| DROP POLICY IF_P EXISTS name ON any_name opt_drop_behavior
{
DropStmt *n = makeNode(DropStmt);
n->removeType = OBJECT_POLICY;
n->objects = list_make1(lappend($7, makeString($5)));
n->arguments = NIL;
n->behavior = $8;
n->missing_ok = true;
n->concurrent = false;
$$ = (Node *) n;
}
;
RowSecurityOptionalExpr:
USING '(' a_expr ')' { $$ = $3; }
| /* EMPTY */ { $$ = NULL; }
;
RowSecurityOptionalWithCheck:
WITH CHECK '(' a_expr ')' { $$ = $4; }
| /* EMPTY */ { $$ = NULL; }
;
RowSecurityDefaultToRole:
TO role_list { $$ = $2; }
| /* EMPTY */ { $$ = list_make1(makeString("public")); }
;
RowSecurityOptionalToRole:
TO role_list { $$ = $2; }
| /* EMPTY */ { $$ = NULL; }
;
RowSecurityDefaultForCmd:
FOR row_security_cmd { $$ = $2; }
| /* EMPTY */ { $$ = "all"; }
;
row_security_cmd:
ALL { $$ = "all"; }
| SELECT { $$ = "select"; }
| INSERT { $$ = "insert"; }
| UPDATE { $$ = "update"; }
| DELETE_P { $$ = "delete"; }
;
/*****************************************************************************
*
* QUERIES :
@ -7240,6 +7364,26 @@ RenameStmt: ALTER AGGREGATE func_name aggr_args RENAME TO name
n->missing_ok = false;
$$ = (Node *)n;
}
| ALTER POLICY name ON qualified_name RENAME TO name
{
RenameStmt *n = makeNode(RenameStmt);
n->renameType = OBJECT_POLICY;
n->relation = $5;
n->subname = $3;
n->newname = $8;
n->missing_ok = false;
$$ = (Node *)n;
}
| ALTER POLICY IF_P EXISTS name ON qualified_name RENAME TO name
{
RenameStmt *n = makeNode(RenameStmt);
n->renameType = OBJECT_POLICY;
n->relation = $7;
n->subname = $5;
n->newname = $10;
n->missing_ok = true;
$$ = (Node *)n;
}
| ALTER SCHEMA name RENAME TO name
{
RenameStmt *n = makeNode(RenameStmt);
@ -13036,6 +13180,7 @@ unreserved_keyword:
| PASSING
| PASSWORD
| PLANS
| POLICY
| PRECEDING
| PREPARE
| PREPARED