Row-Level Security Policies (RLS)
Building on the updatable security-barrier views work, add the ability to define policies on tables to limit the set of rows which are returned from a query and which are allowed to be added to a table. Expressions defined by the policy for filtering are added to the security barrier quals of the query, while expressions defined to check records being added to a table are added to the with-check options of the query. New top-level commands are CREATE/ALTER/DROP POLICY and are controlled by the table owner. Row Security can be enabled and disabled by the owner on a per-table basis using ALTER TABLE .. ENABLE/DISABLE ROW SECURITY. Per discussion, ROW SECURITY is disabled on tables by default and must be enabled for policies on the table to be used. If no policies exist on a table with ROW SECURITY enabled, a default-deny policy is used and no records will be visible. By default, row security is applied at all times except for the table owner and the superuser. A new GUC, row_security, is added which can be set to ON, OFF, or FORCE. When set to FORCE, row security will be applied even for the table owner and superusers. When set to OFF, row security will be disabled when allowed and an error will be thrown if the user does not have rights to bypass row security. Per discussion, pg_dump sets row_security = OFF by default to ensure that exports and backups will have all data in the table or will error if there are insufficient privileges to bypass row security. A new option has been added to pg_dump, --enable-row-security, to ask pg_dump to export with row security enabled. A new role capability, BYPASSRLS, which can only be set by the superuser, is added to allow other users to bypass row security using row_security = OFF. Many thanks to the various individuals who have helped with the design, particularly Robert Haas for his feedback. Authors include Craig Ringer, KaiGai Kohei, Adam Brightwell, Dean Rasheed, with additional changes and rework by me.
Reviewers have included all of the above, Greg Smith, Jeff McCormick, and Robert Haas.
80
src/include/rewrite/rowsecurity.h
Normal file
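--- a/src/include/rewrite/rowsecurity.h
+++ b/src/include/rewrite/rowsecurity.h
@@ -0,0 +1,80 @@
+/* -------------------------------------------------------------------------
+*
+* rowsecurity.h
+*
+* prototypes for optimizer/rowsecurity.c
+*
+* Portions Copyright (c) 1996-2012, PostgreSQL Global Development Group
+* Portions Copyright (c) 1994, Regents of the University of California
+*
+* -------------------------------------------------------------------------
+*/
+#ifndef ROWSECURITY_H
+#define ROWSECURITY_H
+
+#include "nodes/execnodes.h"
+#include "nodes/parsenodes.h"
+#include "nodes/relation.h"
+#include "utils/array.h"
+
+typedef struct RowSecurityPolicy
+{
+Oid rsecid;
+char *policy_name;
+char cmd;
+ArrayType *roles;
+Expr *qual;
+Expr *with_check_qual;
+bool hassublinks;
+} RowSecurityPolicy;
+
+typedef struct RowSecurityDesc
+{
+MemoryContext rscxt; /* row-security memory context */
+List *policies; /* list of row-security policies */
+} RowSecurityDesc;
+
+/* GUC variable */
+extern int row_security;
+
+/* Possible values for row_security GUC */
+typedef enum RowSecurityConfigType
+{
+ROW_SECURITY_OFF,
+ROW_SECURITY_ON,
+ROW_SECURITY_FORCE
+} RowSecurityConfigType;
+
+/*
+* Used by callers of check_enable_rls.
+*
+* RLS could be completely disabled on the tables involved in the query,
+* which is the simple case, or it may depend on the current environment
+* (the role which is running the query or the value of the row_security
+* GUC- on, off, or force), or it might be simply enabled as usual.
+*
+* If RLS isn't on the table involved then RLS_NONE is returned to indicate
+* that we don't need to worry about invalidating the query plan for RLS
+* reasons. If RLS is on the table, but we are bypassing it for now, then
+* we return RLS_NONE_ENV to indicate that, if the environment changes,
+* we need to invalidate and replan. Finally, if RLS should be turned on
+* for the query, then we return RLS_ENABLED, which means we also need to
+* invalidate if the environment changes.
+*/
+enum CheckEnableRlsResult
+{
+RLS_NONE,
+RLS_NONE_ENV,
+RLS_ENABLED
+};
+
+typedef List *(*row_security_policy_hook_type)(CmdType cmdtype,
+Relation relation);
+
+extern PGDLLIMPORT row_security_policy_hook_type row_security_policy_hook;
+
+extern bool prepend_row_security_policies(Query* root, RangeTblEntry* rte,
+int rt_index);
+
+extern int check_enable_rls(Oid relid, Oid checkAsUser);
+
+#endif /* ROWSECURITY_H */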
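Review bot: check_enable_rls is declared as returning plain int even though the comment block directly above it defines enum CheckEnableRlsResult as its result set, so callers get no type checking on RLS_NONE/RLS_NONE_ENV/RLS_ENABLED; declaring it `extern enum CheckEnableRlsResult check_enable_rls(Oid relid, Oid checkAsUser);` makes the contract explicit, which matters because the comment says this result decides whether a plan must be invalidated when the role or the row_security GUC changes. The file header says `prototypes for optimizer/rowsecurity.c`, which does not match this header's location under src/include/rewrite/; presumably it should read ` * prototypes for rewrite/rowsecurity.c`. The RowSecurityPolicy members are undocumented while RowSecurityDesc's are; a one-line comment per field (what `cmd` encodes, what `roles` holds, and that `qual` feeds the security-barrier quals while `with_check_qual` feeds the with-check options, as the commit message describes) would help readers of the rewrite code. Minor style: `Query* root, RangeTblEntry* rte` binds the `*` to the type, unlike the `Expr *qual` and `List *policies` declarations earlier in the same file.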