On 14 September 2014 16:38, Stephen Frost <sfr...@snowman.net> wrote:
> * Robert Haas (robertmh...@gmail.com) wrote:
> > On Thu, Sep 11, 2014 at 3:08 PM, Stephen Frost <sfr...@snowman.net>
> wrote:
> > > If we want to be able to disable RLS w/o dropping the policies, then I
> > > think we have to completely de-couple the two and users would then have
> > > both add policies AND turn on RLS to have RLS actually be enabled for a
> > > given table. I'm on the fence about that.
> > >
> > > Thoughts?
> >
> > A strong +1 for doing just that.
>
> Alright, updated patch attached which does just that (thanks to Adam
> for the updates for this and testing pg_dump- I just reviewed it and
> added some documentation updates and other minor improvements), and
> rebased to master. Also removed the catversion bump, so it should apply
> cleanly for people, for a while anyway.
>
This is testing what has been committed:
# create table colours (id serial, name text, visible boolean);
CREATE TABLE
# insert into colours (name, visible) values
('blue',true),('yellow',true),('ultraviolet',false),('green',true),('infrared',false);
INSERT 0 5
# create policy visible_colours on colours for all to joe using (visible =
true);
CREATE POLICY
# grant all on colours to public;
GRANT
# grant all on sequence colours_id_seq to public;
GRANT
# alter table colours enable row level security ;
ALTER TABLE
\c - joe
> select * from colours;
id | name | visible
----+--------+---------
1 | blue | t
2 | yellow | t
4 | green | t
(3 rows)
> insert into colours (name, visible) values ('purple',true);
INSERT 0 1
> insert into colours (name, visible) values ('transparent',false);
ERROR: new row violates WITH CHECK OPTION for "colours"
DETAIL: Failing row contains (7, transparent, f).
> select * from pg_policies ;
policyname | tablename | roles | cmd | qual | with_check
-----------------+-----------+-------+-----+------------------+------------
visible_colours | colours | {joe} | ALL | (visible = true) |
(1 row)
There was no WITH CHECK OPTION.
--
Thom
