rls.c File Reference

#include "postgres.h"
#include "access/htup.h"
#include "access/htup_details.h"
#include "access/transam.h"
#include "catalog/namespace.h"
#include "catalog/pg_class.h"
#include "miscadmin.h"
#include "utils/acl.h"
#include "utils/fmgrprotos.h"
#include "utils/lsyscache.h"
#include "utils/rls.h"
#include "utils/syscache.h"
#include "utils/varlena.h"

Include dependency graph for rls.c:

Go to the source code of this file.

Functions
int	check_enable_rls (Oid relid, Oid checkAsUser, bool noError)
Datum	row_security_active (PG_FUNCTION_ARGS)
Datum	row_security_active_name (PG_FUNCTION_ARGS)

Function Documentation

check_enable_rls()

int check_enable_rls	(	Oid	relid,
		Oid	checkAsUser,
		bool	noError
	)

Definition at line 52 of file rls.c.

{
    Oid         user_id = OidIsValid(checkAsUser) ? checkAsUser : GetUserId();
    HeapTuple   tuple;
    Form_pg_class classform;
    bool        relrowsecurity;
    bool        relforcerowsecurity;
    bool        amowner;
 
    /* Nothing to do for built-in relations */
    if (relid < (Oid) FirstNormalObjectId)
        return RLS_NONE;
 
    /* Fetch relation's relrowsecurity and relforcerowsecurity flags */
    tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(relid));
    if (!HeapTupleIsValid(tuple))
        return RLS_NONE;
    classform = (Form_pg_class) GETSTRUCT(tuple);
 
    relrowsecurity = classform->relrowsecurity;
    relforcerowsecurity = classform->relforcerowsecurity;
 
    ReleaseSysCache(tuple);
 
    /* Nothing to do if the relation does not have RLS */
    if (!relrowsecurity)
        return RLS_NONE;
 
    /*
     * BYPASSRLS users always bypass RLS.  Note that superusers are always
     * considered to have BYPASSRLS.
     *
     * Return RLS_NONE_ENV to indicate that this decision depends on the
     * environment (in this case, the user_id).
     */
    if (has_bypassrls_privilege(user_id))
        return RLS_NONE_ENV;
 
    /*
     * Table owners generally bypass RLS, except if the table has been set (by
     * an owner) to FORCE ROW SECURITY, and this is not a referential
     * integrity check.
     *
     * Return RLS_NONE_ENV to indicate that this decision depends on the
     * environment (in this case, the user_id).
     */
    amowner = object_ownercheck(RelationRelationId, relid, user_id);
    if (amowner)
    {
        /*
         * If FORCE ROW LEVEL SECURITY has been set on the relation then we
         * should return RLS_ENABLED to indicate that RLS should be applied.
         * If not, or if we are in an InNoForceRLSOperation context, we return
         * RLS_NONE_ENV.
         *
         * InNoForceRLSOperation indicates that we should not apply RLS even
         * if the table has FORCE RLS set - IF the current user is the owner.
         * This is specifically to ensure that referential integrity checks
         * are able to still run correctly.
         *
         * This is intentionally only done after we have checked that the user
         * is the table owner, which should always be the case for referential
         * integrity checks.
         */
        if (!relforcerowsecurity || InNoForceRLSOperation())
            return RLS_NONE_ENV;
    }
 
    /*
     * We should apply RLS.  However, the user may turn off the row_security
     * GUC to get a forced error instead.
     */
    if (!row_security && !noError)
        ereport(ERROR,
                (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                 errmsg("query would be affected by row-level security policy for table \"%s\"",
                        get_rel_name(relid)),
                 amowner ? errhint("To disable the policy for the table's owner, use ALTER TABLE NO FORCE ROW LEVEL SECURITY.") : 0));
 
    /* RLS should be fully enabled for this relation. */
    return RLS_ENABLED;
}

References ereport, errcode(), errhint(), errmsg(), ERROR, FirstNormalObjectId, get_rel_name(), GETSTRUCT(), GetUserId(), has_bypassrls_privilege(), HeapTupleIsValid, InNoForceRLSOperation(), object_ownercheck(), ObjectIdGetDatum(), OidIsValid, ReleaseSysCache(), RLS_ENABLED, RLS_NONE, RLS_NONE_ENV, row_security, and SearchSysCache1().

Referenced by BuildIndexValueDescription(), DoCopy(), ExecBuildSlotPartitionKeyDescription(), ExecBuildSlotValueDescription(), get_row_security_policies(), intorel_startup(), LogicalRepSyncTableStart(), ri_ReportViolation(), row_security_active(), row_security_active_name(), and TargetPrivilegesCheck().

row_security_active()

Datum row_security_active

(

PG_FUNCTION_ARGS

)

Definition at line 142 of file rls.c.

{
    /* By OID */
    Oid         tableoid = PG_GETARG_OID(0);
    int         rls_status;
 
    rls_status = check_enable_rls(tableoid, InvalidOid, true);
    PG_RETURN_BOOL(rls_status == RLS_ENABLED);
}

References check_enable_rls(), InvalidOid, PG_GETARG_OID, PG_RETURN_BOOL, and RLS_ENABLED.

row_security_active_name()

Datum row_security_active_name

(

PG_FUNCTION_ARGS

)

Definition at line 153 of file rls.c.

{
    /* By qualified name */
    text       *tablename = PG_GETARG_TEXT_PP(0);
    RangeVar   *tablerel;
    Oid         tableoid;
    int         rls_status;
 
    /* Look up table name.  Can't lock it - we might not have privileges. */
    tablerel = makeRangeVarFromNameList(textToQualifiedNameList(tablename));
    tableoid = RangeVarGetRelid(tablerel, NoLock, false);
 
    rls_status = check_enable_rls(tableoid, InvalidOid, true);
    PG_RETURN_BOOL(rls_status == RLS_ENABLED);
}

References check_enable_rls(), InvalidOid, makeRangeVarFromNameList(), NoLock, PG_GETARG_TEXT_PP, PG_RETURN_BOOL, RangeVarGetRelid, RLS_ENABLED, and textToQualifiedNameList().