authorStephen Frost2015-09-15 19:49:31 +0000
committerStephen Frost2015-09-15 19:49:31 +0000
commit22eaf35c1d247407b7cf1fffb310a26cd9b9ceb1 (patch)
tree8cb3df9ac5809a83f0edec142f9d80c129824296 /src/test/modules
parent000a21336b8e218deb856f73dc8972073cb8a649 (diff)
RLS refactoring
This refactors rewrite/rowsecurity.c to simplify the handling of the default deny case (reducing the number of places where we check for and add the default deny policy from three to one) by splitting up the retrieval of the policies from the application of them. This also allowed us to do away with the policy_id field. A policy_name field was added for WithCheckOption policies and is used in error reporting, when available. Patch by Dean Rasheed, with various mostly cosmetic changes by me. Back-patch to 9.5 where RLS was introduced to avoid unnecessary differences, since we're still in alpha, per discussion with Robert.
Diffstat (limited to 'src/test/modules')
-rw-r--r--src/test/modules/test_rls_hooks/expected/test_rls_hooks.out10
-rw-r--r--src/test/modules/test_rls_hooks/test_rls_hooks.c2
2 files changed, 5 insertions, 7 deletions
diff --git a/src/test/modules/test_rls_hooks/expected/test_rls_hooks.out b/src/test/modules/test_rls_hooks/expected/test_rls_hooks.out
index 4587eb014b7..88854641be5 100644
--- a/src/test/modules/test_rls_hooks/expected/test_rls_hooks.out
+++ b/src/test/modules/test_rls_hooks/expected/test_rls_hooks.out
@@ -83,7 +83,7 @@ SELECT * FROM rls_test_restrictive;
INSERT INTO rls_test_restrictive VALUES ('r1','s1',10);
-- failure
INSERT INTO rls_test_restrictive VALUES ('r4','s4',10);
-ERROR: new row violates row level security policy for "rls_test_restrictive"
+ERROR: new row violates row level security policy "extension policy" for "rls_test_restrictive"
SET ROLE s1;
-- With only the hook's policies, both
-- permissive hook's policy is current_user = username
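Review bot: The policy name in the new expected error, `"extension policy"`, cannot show which hook produced it, because as far as the two test_rls_hooks.c hunks show, both test_rls_hooks_permissive and test_rls_hooks_restrictive assign that same string to `policy->policy_name`. Now that the name reaches the error text, giving the hooks distinct names, for example `policy->policy_name = pstrdup("extension restrictive policy");` in the restrictive hook, would let this output pin the policy that rejected the row. The same applies to the expected errors in the hunks at -163 and -190. The name is also shown to the role whose INSERT was rejected, so policy names should be treated as visible to unprivileged users and kept free of sensitive detail.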
@@ -124,7 +124,7 @@ EXPLAIN (costs off) SELECT * FROM rls_test_permissive;
QUERY PLAN
---------------------------------------------------------------
Seq Scan on rls_test_permissive
- Filter: (("current_user"() = username) OR ((data % 2) = 0))
+ Filter: (((data % 2) = 0) OR ("current_user"() = username))
(2 rows)
SELECT * FROM rls_test_permissive;
@@ -163,7 +163,7 @@ SELECT * FROM rls_test_restrictive;
INSERT INTO rls_test_restrictive VALUES ('r1','s1',8);
-- failure
INSERT INTO rls_test_restrictive VALUES ('r3','s3',10);
-ERROR: new row violates row level security policy for "rls_test_restrictive"
+ERROR: new row violates row level security policy "extension policy" for "rls_test_restrictive"
-- failure
INSERT INTO rls_test_restrictive VALUES ('r1','s1',7);
ERROR: new row violates row level security policy for "rls_test_restrictive"
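Review bot: The two failing INSERTs in this hunk now produce differently shaped errors, one naming `"extension policy"` and one naming no policy, yet both are annotated only with `-- failure`. A reader of the expected output cannot tell that the unnamed form is intended. The commit message says the name is used "when available", which suggests the second failure comes from a check with no single policy name, but that is not visible here. Once the cause is confirmed, a comment in the test script above each statement, such as `-- failure: rejected by the hook's restrictive policy, named in the error` and `-- failure: no named policy to report`, would document the expected difference. The hunk at -190 has the same pair.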
@@ -176,7 +176,7 @@ EXPLAIN (costs off) SELECT * FROM rls_test_both;
QUERY PLAN
-------------------------------------------------------------------------------------------
Subquery Scan on rls_test_both
- Filter: (("current_user"() = rls_test_both.username) OR ((rls_test_both.data % 2) = 0))
+ Filter: (((rls_test_both.data % 2) = 0) OR ("current_user"() = rls_test_both.username))
-> Seq Scan on rls_test_both rls_test_both_1
Filter: ("current_user"() = supervisor)
(4 rows)
@@ -190,7 +190,7 @@ SELECT * FROM rls_test_both;
INSERT INTO rls_test_both VALUES ('r1','s1',8);
-- failure
INSERT INTO rls_test_both VALUES ('r3','s3',10);
-ERROR: new row violates row level security policy for "rls_test_both"
+ERROR: new row violates row level security policy "extension policy" for "rls_test_both"
-- failure
INSERT INTO rls_test_both VALUES ('r1','s1',7);
ERROR: new row violates row level security policy for "rls_test_both"
diff --git a/src/test/modules/test_rls_hooks/test_rls_hooks.c b/src/test/modules/test_rls_hooks/test_rls_hooks.c
index b96dbff9548..cc865cdb98b 100644
--- a/src/test/modules/test_rls_hooks/test_rls_hooks.c
+++ b/src/test/modules/test_rls_hooks/test_rls_hooks.c
@@ -87,7 +87,6 @@ test_rls_hooks_permissive(CmdType cmdtype, Relation relation)
role = ObjectIdGetDatum(ACL_ID_PUBLIC);
policy->policy_name = pstrdup("extension policy");
- policy->policy_id = InvalidOid;
policy->polcmd = '*';
policy->roles = construct_array(&role, 1, OIDOID, sizeof(Oid), true, 'i');
@@ -151,7 +150,6 @@ test_rls_hooks_restrictive(CmdType cmdtype, Relation relation)
role = ObjectIdGetDatum(ACL_ID_PUBLIC);
policy->policy_name = pstrdup("extension policy");
- policy->policy_id = InvalidOid;
policy->polcmd = '*';
policy->roles = construct_array(&role, 1, OIDOID, sizeof(Oid), true, 'i');