On 05/30/2016 01:56 PM, Joe Conway wrote:
> On 05/26/2016 12:26 AM, Dean Rasheed wrote:
>> On 25 May 2016 at 02:04, Joe Conway <[email protected]> wrote:
>>> Please see attached two proposed patches for the docs related to RLS:
>>>
>>> 1) Correction to pg_restore
>>> 2) Additional mentions that "COPY FROM" does not allow RLS to be enabled
>>>
>>> Comments?
>>>
>>
>> The pg_restore change looks good -- that was clearly wrong.
>>
>> Also, +1 for the new note in pg_dump.
>
> Great, thanks!
>
>> For COPY, I think perhaps it would be more logical to put the new note
>> immediately after the third note which describes the privileges
>> required, since it's kind of related, and then we can talk about the
>> RLS policies required, e.g.:
>>
>> If row-level security is enabled for the table, COPY table TO is
>> internally converted to COPY (SELECT * FROM table) TO, and the
>> relevant security policies are applied. Currently, COPY FROM is not
>> supported for tables with row-level security.
>
> This sounds better than what I had, so I will do it that way.

Apologies for the delay, but new patch attached. Assuming no more
comments, will commit this, backpatched to 9.5, in a day or two.

Thanks,

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

diff --git a/doc/src/sgml/ref/copy.sgml b/doc/src/sgml/ref/copy.sgml
index 07e2f45..af15fd1 100644
*** a/doc/src/sgml/ref/copy.sgml
--- b/doc/src/sgml/ref/copy.sgml
*************** COPY <replaceable class="parameter">coun
*** 419,424 ****
--- 419,434 ----
</para>
<para>
+ If row-level security is enabled for the table, <literal>COPY
+ <replaceable class="parameter">table</> TO</literal> is
+ internally converted to <literal>COPY (SELECT * FROM
+ <replaceable class="parameter">table</>) TO ...</literal>,
+ and the relevant security policies are applied. Currently,
+ <command>COPY FROM</command> is not supported for tables with row-level
+ security. Use equivalent <command>INSERT</command> statements instead.
+ </para>
+
+ <para>
Files named in a <command>COPY</command> command are read or written
directly by the server, not by the client application. Therefore,
they must reside on or be accessible to the database server machine,
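Review bot: In the added paragraph, "COPY FROM is not supported for tables with row-level security" does not say what a user sees when they try it; state the outcome (for example, that the command fails with an error) so readers do not have to guess. The two literals are also inconsistent: the first reads `COPY table TO` while the rewritten form ends in `TO ...`; use the trailing `...` in both or in neither.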
diff --git a/doc/src/sgml/ref/pg_dump.sgml b/doc/src/sgml/ref/pg_dump.sgml
index be1b684..4fa925c 100644
*** a/doc/src/sgml/ref/pg_dump.sgml
--- b/doc/src/sgml/ref/pg_dump.sgml
*************** PostgreSQL documentation
*** 699,704 ****
--- 699,709 ----
to dump the parts of the contents of the table that they have access to.
</para>
+ <para>
+ Note that if you use this option currently, you probably also want
+ the dump be in <command>INSERT</command> format, as the
+ <command>COPY FROM</command> during restore does not support row security.
+ </para>
</listitem>
</varlistentry>
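Review bot: "you probably also want the dump be in INSERT format" is missing "to" ("want the dump to be"), and in "if you use this option currently" the word "currently" is attached to the wrong clause, since the limitation being described is the COPY FROM one. Suggested wording: "Note that if you use this option, you probably also want the dump to be in INSERT format, as COPY FROM during restore currently does not support row security." Naming the pg_dump switch that selects INSERT format would also save the reader a lookup.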
diff --git a/doc/src/sgml/ref/pg_restore.sgml b/doc/src/sgml/ref/pg_restore.sgml
index c906919..ef5bab4 100644
*** a/doc/src/sgml/ref/pg_restore.sgml
--- b/doc/src/sgml/ref/pg_restore.sgml
***************
*** 527,533 ****
<para>
Note that this option currently also requires the dump be in <command>INSERT</command>
! format, as <command>COPY TO</command> does not support row security.
</para>
</listitem>
</varlistentry>
--- 527,533 ----
<para>
Note that this option currently also requires the dump be in <command>INSERT</command>
! format, as <command>COPY FROM</command> does not support row security.
</para>
</listitem>
</varlistentry>
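Review bot: The corrected sentence still says the option "requires" the dump be in INSERT format, while the new pg_dump.sgml note in this same patch says "you probably also want" it; pick one strength and use it on both pages so readers do not get conflicting guidance. The terminology also varies across the patch: "row security" here and in pg_dump.sgml, "row-level security" in copy.sgml.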
