authorStephen Frost2016-12-05 20:50:55 +0000
committerStephen Frost2016-12-05 20:50:55 +0000
commit093129c9d9fc231649b3cc27b8086443ccbbbc22 (patch)
tree5e41352a48f7a33a68687623da2fb48dce9b9174 /src/include
parent2bbdc6875d03bb826a4fd113eac45a72c68bc929 (diff)
Add support for restrictive RLS policies
We have had support for restrictive RLS policies since 9.5, but they were only available through extensions which use the appropriate hooks. This adds support into the grammar, catalog, psql and pg_dump for restrictive RLS policies, thus reducing the cases where an extension is necessary. In passing, also move away from using "AND"d and "OR"d in comments. As pointed out by Alvaro, it's not really appropriate to attempt to make verbs out of "AND" and "OR", so reword those comments which attempted to. Reviewed By: Jeevan Chalke, Dean Rasheed Discussion: https://postgr.es/m/20160901063404.GY4028@tamriel.snowman.net
Diffstat (limited to 'src/include')
-rw-r--r--src/include/catalog/pg_policy.h16
-rw-r--r--src/include/nodes/parsenodes.h1
-rw-r--r--src/include/rewrite/rowsecurity.h1
3 files changed, 11 insertions, 7 deletions
diff --git a/src/include/catalog/pg_policy.h b/src/include/catalog/pg_policy.h
index d73e9c2c1ac..67b5fb5cd26 100644
--- a/src/include/catalog/pg_policy.h
+++ b/src/include/catalog/pg_policy.h
@@ -23,6 +23,7 @@ CATALOG(pg_policy,3256)
NameData polname; /* Policy name. */
Oid polrelid; /* Oid of the relation with policy. */
char polcmd; /* One of ACL_*_CHR, or '*' for all */
+ bool polpermissive; /* restrictive or permissive policy */
#ifdef CATALOG_VARLEN
Oid polroles[1]; /* Roles associated with policy, not-NULL */
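Review bot: The comment on the new `polpermissive` column does not say which boolean value selects which behaviour, so the polarity of a security-relevant flag can only be inferred from the field name. I would spell it out, for example `bool polpermissive; /* true if permissive, false if restrictive */`. The identical wording is used for `permissive` in CreatePolicyStmt (parsenodes.h) and in RowSecurityPolicy (rowsecurity.h) and deserves the same fix; there it would also help to note that a zero-initialised struct presumably ends up describing a restrictive policy. The CATALOG(pg_policy) struct begins and ends outside this hunk.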
@@ -42,12 +43,13 @@ typedef FormData_pg_policy *Form_pg_policy;
* compiler constants for pg_policy
* ----------------
*/
-#define Natts_pg_policy 6
-#define Anum_pg_policy_polname 1
-#define Anum_pg_policy_polrelid 2
-#define Anum_pg_policy_polcmd 3
-#define Anum_pg_policy_polroles 4
-#define Anum_pg_policy_polqual 5
-#define Anum_pg_policy_polwithcheck 6
+#define Natts_pg_policy 7
+#define Anum_pg_policy_polname 1
+#define Anum_pg_policy_polrelid 2
+#define Anum_pg_policy_polcmd 3
+#define Anum_pg_policy_polpermissive 4
+#define Anum_pg_policy_polroles 5
+#define Anum_pg_policy_polqual 6
+#define Anum_pg_policy_polwithcheck 7
#endif /* PG_POLICY_H */
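Review bot: Inserting `polpermissive` as attribute 4 moves `polroles`, `polqual` and `polwithcheck` up by one, yet the diffstat for src/include lists no change to catalog/catversion.h. Without a bump, a server built from this tree would presumably start against a data directory initialised before the change and read pg_policy rows using the new attribute numbers, which for the row-security catalog means misread policies rather than a clean refusal to start. Unless the bump happens in a later commit, `CATALOG_VERSION_NO` in catversion.h should be updated together with this layout change.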
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
index 04b1c2f2d43..f8003e46f3a 100644
--- a/src/include/nodes/parsenodes.h
+++ b/src/include/nodes/parsenodes.h
@@ -2077,6 +2077,7 @@ typedef struct CreatePolicyStmt
char *policy_name; /* Policy's name */
RangeVar *table; /* the table name the policy applies to */
char *cmd_name; /* the command name the policy applies to */
+ bool permissive; /* restrictive or permissive policy */
List *roles; /* the roles associated with the policy */
Node *qual; /* the policy's condition */
Node *with_check; /* the policy's WITH CHECK condition. */
diff --git a/src/include/rewrite/rowsecurity.h b/src/include/rewrite/rowsecurity.h
index fd0cbaff596..2f3db8cf415 100644
--- a/src/include/rewrite/rowsecurity.h
+++ b/src/include/rewrite/rowsecurity.h
@@ -22,6 +22,7 @@ typedef struct RowSecurityPolicy
char *policy_name; /* Name of the policy */
char polcmd; /* Type of command policy is for */
ArrayType *roles; /* Array of roles policy is for */
+ bool permissive; /* restrictive or permissive policy */
Expr *qual; /* Expression to filter rows */
Expr *with_check_qual; /* Expression to limit rows allowed */
bool hassublinks; /* If either expression has sublinks */