Discussion: RLS 9.5rc1 configuration changes?
I had been using CrunchyData's 9.4 with backported RLS but I decided since my ultimate target is 9.5 that I update to it. However now the function called for the SELECT policy is not being called. \dt shows the policy but EXPLAIN ANALYZE of a select doesn't show the filter.

When I turn up debug in postgresql.conf in pgstartup.log I see the library loaded and the _PG_init function called and in the daily log I see the client auth function called each time I run psql.

The only changes I made for 9.5 were to no longer set row_security to 'force' in postgresql.conf and to add:

ALTER TABLE <table name> FORCE ROW LEVEL SECURITY;

in addition to the:

ALTER TABLE <table name> ENABLE ROW LEVEL SECURITY;

which I was already doing as I want RLS to be used even for the owner of the table.

Are there any other additional configuration changes needed to get RLS to work again?

Ted
Ted Toth <txtoth@gmail.com> writes:
> I had been using CrunchyData's 9.4 with backported RLS but I decided
> since my ultimate target is 9.5 that I update to it. However now the
> function called for the SELECT policy is not being called. \dt shows
> the policy but EXPLAIN ANALYZE of a select doesn't show the filter.

I'm not sure how Crunchy's 9.4 version behaves, but I'd expect the policy USING condition to be visible in EXPLAIN in 9.5.

Are you perhaps testing this as a superuser? Superusers bypass RLS even with FORCE ROW LEVEL SECURITY.

> ... The only
> changes I made for 9.5 were to no longer set row_security to 'force'
> in postgresql.conf

What did you set it to instead?

regards, tom lane
On Mon, Jan 4, 2016 at 4:54 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Ted Toth <txtoth@gmail.com> writes:
>> I had been using CrunchyData's 9.4 with backported RLS but I decided
>> since my ultimate target is 9.5 that I update to it. However now the
>> function called for the SELECT policy is not being called. \dt shows
>> the policy but EXPLAIN ANALYZE of a select doesn't show the filter.
>
> I'm not sure how Crunchy's 9.4 version behaves, but I'd expect the
> policy USING condition to be visible in EXPLAIN in 9.5.
>
> Are you perhaps testing this as a superuser? Superusers bypass RLS
> even with FORCE ROW LEVEL SECURITY.

Yes I was a Superuser but without 'Bypass RLS'. So there's no way to enforce RLS for all users/roles?

>
>> ... The only
>> changes I made for 9.5 were to no longer set row_security to 'force'
>> in postgresql.conf
>
> What did you set it to instead?

row_security=on. Maybe 'force' did what I wanted in Crunchy's 9.4 version :(

>
> regards, tom lane
Ted Toth <txtoth@gmail.com> writes:
> On Mon, Jan 4, 2016 at 4:54 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Are you perhaps testing this as a superuser? Superusers bypass RLS
>> even with FORCE ROW LEVEL SECURITY.

> Yes I was a Superuser but without 'Bypass RLS'. So there's no way to
> enforce RLS for all users/roles?

There's no such thing as a "superuser without bypassrls", or a superuser without any other privilege either. That's the point of having superuser, is that you can *always* defeat privilege restrictions if you have to. I do not know if Crunchy's 9.4 mods broke that principle, but if so, it was a bug IMO.

regards, tom lane
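The check discussed in this thread, as an added example that is not part of the original messages: a psql session for PostgreSQL 9.5 that compares the plan seen by a superuser with the plan seen by an ordinary role on a table with ENABLE and FORCE ROW LEVEL SECURITY. The table `docs`, the role `app_user` and the policy `docs_owner_only` are constructed names, and the script assumes it is started from a superuser session in a scratch database.

```sql
-- Constructed demo objects (not from the thread): docs, app_user, docs_owner_only.
CREATE TABLE docs (
    id    int  PRIMARY KEY,
    owner name NOT NULL,
    body  text
);
INSERT INTO docs VALUES
    (1, 'app_user',     'row owned by app_user'),
    (2, 'someone_else', 'row owned by another role');

-- Same two statements the original poster used on his table.
ALTER TABLE docs ENABLE ROW LEVEL SECURITY;
ALTER TABLE docs FORCE  ROW LEVEL SECURITY;

CREATE POLICY docs_owner_only ON docs
    FOR SELECT
    USING (owner = current_user);

-- An ordinary role: neither superuser nor BYPASSRLS.
CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT ON docs TO app_user;

-- 1. Confirm the setting and the table flags are what you think they are.
SHOW row_security;
SELECT relname, relrowsecurity, relforcerowsecurity
  FROM pg_class
 WHERE relname = 'docs';

-- 2. Audit which roles are exempt from every policy.
--    rolsuper implies the exemption whatever rolbypassrls says.
SELECT rolname, rolsuper, rolbypassrls
  FROM pg_roles
 WHERE rolsuper OR rolbypassrls
 ORDER BY rolname;

-- 3. Plan as the current (superuser) session.
EXPLAIN (COSTS OFF) SELECT * FROM docs;

-- 4. Plan and result as the ordinary role; compare with step 3.
SET ROLE app_user;
SELECT current_user, session_user;
EXPLAIN (COSTS OFF) SELECT * FROM docs;
SELECT id, owner FROM docs;
RESET ROLE;

-- Cleanup of the constructed objects.
DROP TABLE docs;
DROP ROLE app_user;
```

Step 2 is the query to keep for routine audits: every role it returns can read the protected tables regardless of the policies defined on them.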