RLS: Keep deny policy when only restrictive exist

Only remove the default deny policy when a permissive policy exists (either from the hook or defined by the user). If only restrictive policies exist then no rows will be visible, as restrictive policies shouldn't make rows visible. To address this requirement, a single "USING (true)" permissive policy can be created. Update the test_rls_hooks regression tests to create the necessary "USING (true)" permissive policy. Back-patch to 9.5 where RLS was added. Per discussion with Dean.
2025-07-03 20:02:46 +03:00 · 2015-08-03 15:32:49 -04:00
parent ecc2d16bc9
commit dee0200f02
4 changed files with 30 additions and 4 deletions
--- a/src/test/modules/test_rls_hooks/test_rls_hooks.c
+++ b/src/test/modules/test_rls_hooks/test_rls_hooks.c
@ -119,6 +119,11 @@ test_rls_hooks_permissive(CmdType cmdtype, Relation relation)

 /*
 * Return restrictive policies to be added
+ *
+ * Note that a permissive policy must exist or the default-deny policy
+ * will be included and nothing will be visible.  If no filtering should
+ * be done except for the restrictive policy, then a single "USING (true)"
+ * permissive policy can be used; see the regression tests.
 */
 List *
 test_rls_hooks_restrictive(CmdType cmdtype, Relation relation)