PostgreSQL Source Code  git master
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros
Data Structures | Typedefs | Functions | Variables
rowsecurity.h File Reference
#include "nodes/parsenodes.h"
#include "utils/array.h"
#include "utils/relcache.h"
Include dependency graph for rowsecurity.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures

struct  RowSecurityPolicy
 
struct  RowSecurityDesc
 

Typedefs

typedef struct RowSecurityPolicy RowSecurityPolicy
 
typedef struct RowSecurityDesc RowSecurityDesc
 
typedef List *(* row_security_policy_hook_type )(CmdType cmdtype, Relation relation)
 

Functions

void get_row_security_policies (Query *root, RangeTblEntry *rte, int rt_index, List **securityQuals, List **withCheckOptions, bool *hasRowSecurity, bool *hasSubLinks)
 

Variables

PGDLLIMPORT
row_security_policy_hook_type 		row_security_policy_hook_permissive
 
PGDLLIMPORT
row_security_policy_hook_type 		row_security_policy_hook_restrictive
 

Typedef Documentation

typedef List*(* row_security_policy_hook_type)(CmdType cmdtype, Relation relation)

Definition at line 37 of file rowsecurity.h.

typedef struct RowSecurityDesc RowSecurityDesc
typedef struct RowSecurityPolicy RowSecurityPolicy

Function Documentation

void get_row_security_policies ( Query root,
RangeTblEntry rte,
int  rt_index,
List **  securityQuals,
List **  withCheckOptions,
bool hasRowSecurity,
bool hasSubLinks 
)

Definition at line 107 of file rowsecurity.c.

References ACL_SELECT, ACL_UPDATE, OnConflictExpr::action, add_security_quals(), add_with_check_options(), Assert, check_enable_rls(), RangeTblEntry::checkAsUser, CMD_DELETE, CMD_INSERT, CMD_SELECT, CMD_UPDATE, Query::commandType, get_policies_for_relation(), GetUserId(), heap_close, heap_open(), NIL, NoLock, Query::onConflict, ONCONFLICT_UPDATE, RangeTblEntry::relid, RangeTblEntry::relkind, RELKIND_PARTITIONED_TABLE, RELKIND_RELATION, RangeTblEntry::requiredPerms, Query::resultRelation, RLS_NONE, RLS_NONE_ENV, WCO_RLS_CONFLICT_CHECK, WCO_RLS_INSERT_CHECK, and WCO_RLS_UPDATE_CHECK.

Referenced by fireRIRrules().

110 {
111  Oid user_id;
112  int rls_status;
113  Relation rel;
114  CmdType commandType;
115  List *permissive_policies;
116  List *restrictive_policies;
117 
118  /* Defaults for the return values */
119  *securityQuals = NIL;
120  *withCheckOptions = NIL;
121  *hasRowSecurity = false;
122  *hasSubLinks = false;
123 
124  /* If this is not a normal relation, just return immediately */
125  if (rte->relkind != RELKIND_RELATION &&
126  rte->relkind != RELKIND_PARTITIONED_TABLE)
127  return;
128 
129  /* Switch to checkAsUser if it's set */
130  user_id = rte->checkAsUser ? rte->checkAsUser : GetUserId();
131 
132  /* Determine the state of RLS for this, pass checkAsUser explicitly */
133  rls_status = check_enable_rls(rte->relid, rte->checkAsUser, false);
134 
135  /* If there is no RLS on this table at all, nothing to do */
136  if (rls_status == RLS_NONE)
137  return;
138 
139  /*
140  * RLS_NONE_ENV means we are not doing any RLS now, but that may change
141  * with changes to the environment, so we mark it as hasRowSecurity to
142  * force a re-plan when the environment changes.
143  */
144  if (rls_status == RLS_NONE_ENV)
145  {
146  /*
147  * Indicate that this query may involve RLS and must therefore be
148  * replanned if the environment changes (GUCs, role), but we are not
149  * adding anything here.
150  */
151  *hasRowSecurity = true;
152 
153  return;
154  }
155 
156  /*
157  * RLS is enabled for this relation.
158  *
159  * Get the security policies that should be applied, based on the command
160  * type. Note that if this isn't the target relation, we actually want
161  * the relation's SELECT policies, regardless of the query command type,
162  * for example in UPDATE t1 ... FROM t2 we need to apply t1's UPDATE
163  * policies and t2's SELECT policies.
164  */
165  rel = heap_open(rte->relid, NoLock);
166 
167  commandType = rt_index == root->resultRelation ?
168  root->commandType : CMD_SELECT;
169 
170  /*
171  * In some cases, we need to apply USING policies (which control the
172  * visibility of records) associated with multiple command types (see
173  * specific cases below).
174  *
175  * When considering the order in which to apply these USING policies, we
176  * prefer to apply higher privileged policies, those which allow the user
177  * to lock records (UPDATE and DELETE), first, followed by policies which
178  * don't (SELECT).
179  *
180  * Note that the optimizer is free to push down and reorder quals which
181  * use leakproof functions.
182  *
183  * In all cases, if there are no policy clauses allowing access to rows in
184  * the table for the specific type of operation, then a single
185  * always-false clause (a default-deny policy) will be added (see
186  * add_security_quals).
187  */
188 
189  /*
190  * For a SELECT, if UPDATE privileges are required (eg: the user has
191  * specified FOR [KEY] UPDATE/SHARE), then add the UPDATE USING quals
192  * first.
193  *
194  * This way, we filter out any records from the SELECT FOR SHARE/UPDATE
195  * which the user does not have access to via the UPDATE USING policies,
196  * similar to how we require normal UPDATE rights for these queries.
197  */
198  if (commandType == CMD_SELECT && rte->requiredPerms & ACL_UPDATE)
199  {
200  List *update_permissive_policies;
201  List *update_restrictive_policies;
202 
203  get_policies_for_relation(rel, CMD_UPDATE, user_id,
204  &update_permissive_policies,
205  &update_restrictive_policies);
206 
207  add_security_quals(rt_index,
208  update_permissive_policies,
209  update_restrictive_policies,
210  securityQuals,
211  hasSubLinks);
212  }
213 
214  /*
215  * For SELECT, UPDATE and DELETE, add security quals to enforce the USING
216  * policies. These security quals control access to existing table rows.
217  * Restrictive policies are combined together using AND, and permissive
218  * policies are combined together using OR.
219  */
220 
221  get_policies_for_relation(rel, commandType, user_id, &permissive_policies,
222  &restrictive_policies);
223 
224  if (commandType == CMD_SELECT ||
225  commandType == CMD_UPDATE ||
226  commandType == CMD_DELETE)
227  add_security_quals(rt_index,
228  permissive_policies,
229  restrictive_policies,
230  securityQuals,
231  hasSubLinks);
232 
233  /*
234  * Similar to above, during an UPDATE or DELETE, if SELECT rights are also
235  * required (eg: when a RETURNING clause exists, or the user has provided
236  * a WHERE clause which involves columns from the relation), we collect up
237  * CMD_SELECT policies and add them via add_security_quals first.
238  *
239  * This way, we filter out any records which are not visible through an
240  * ALL or SELECT USING policy.
241  */
242  if ((commandType == CMD_UPDATE || commandType == CMD_DELETE) &&
243  rte->requiredPerms & ACL_SELECT)
244  {
245  List *select_permissive_policies;
246  List *select_restrictive_policies;
247 
248  get_policies_for_relation(rel, CMD_SELECT, user_id,
249  &select_permissive_policies,
250  &select_restrictive_policies);
251 
252  add_security_quals(rt_index,
253  select_permissive_policies,
254  select_restrictive_policies,
255  securityQuals,
256  hasSubLinks);
257  }
258 
259  /*
260  * For INSERT and UPDATE, add withCheckOptions to verify that any new
261  * records added are consistent with the security policies. This will use
262  * each policy's WITH CHECK clause, or its USING clause if no explicit
263  * WITH CHECK clause is defined.
264  */
265  if (commandType == CMD_INSERT || commandType == CMD_UPDATE)
266  {
267  /* This should be the target relation */
268  Assert(rt_index == root->resultRelation);
269 
270  add_with_check_options(rel, rt_index,
271  commandType == CMD_INSERT ?
272  WCO_RLS_INSERT_CHECK : WCO_RLS_UPDATE_CHECK,
273  permissive_policies,
274  restrictive_policies,
275  withCheckOptions,
276  hasSubLinks,
277  false);
278 
279  /*
280  * Get and add ALL/SELECT policies, if SELECT rights are required for
281  * this relation (eg: when RETURNING is used). These are added as WCO
282  * policies rather than security quals to ensure that an error is
283  * raised if a policy is violated; otherwise, we might end up silently
284  * dropping rows to be added.
285  */
286  if (rte->requiredPerms & ACL_SELECT)
287  {
288  List *select_permissive_policies = NIL;
289  List *select_restrictive_policies = NIL;
290 
291  get_policies_for_relation(rel, CMD_SELECT, user_id,
292  &select_permissive_policies,
293  &select_restrictive_policies);
294  add_with_check_options(rel, rt_index,
295  commandType == CMD_INSERT ?
296  WCO_RLS_INSERT_CHECK : WCO_RLS_UPDATE_CHECK,
297  select_permissive_policies,
298  select_restrictive_policies,
299  withCheckOptions,
300  hasSubLinks,
301  true);
302  }
303 
304  /*
305  * For INSERT ... ON CONFLICT DO UPDATE we need additional policy
306  * checks for the UPDATE which may be applied to the same RTE.
307  */
308  if (commandType == CMD_INSERT &&
309  root->onConflict && root->onConflict->action == ONCONFLICT_UPDATE)
310  {
311  List *conflict_permissive_policies;
312  List *conflict_restrictive_policies;
313 
314  /* Get the policies that apply to the auxiliary UPDATE */
315  get_policies_for_relation(rel, CMD_UPDATE, user_id,
316  &conflict_permissive_policies,
317  &conflict_restrictive_policies);
318 
319  /*
320  * Enforce the USING clauses of the UPDATE policies using WCOs
321  * rather than security quals. This ensures that an error is
322  * raised if the conflicting row cannot be updated due to RLS,
323  * rather than the change being silently dropped.
324  */
325  add_with_check_options(rel, rt_index,
326  WCO_RLS_CONFLICT_CHECK,
327  conflict_permissive_policies,
328  conflict_restrictive_policies,
329  withCheckOptions,
330  hasSubLinks,
331  true);
332 
333  /*
334  * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
335  * to ensure they are considered when taking the UPDATE path of an
336  * INSERT .. ON CONFLICT DO UPDATE, if SELECT rights are required
337  * for this relation, also as WCO policies, again, to avoid
338  * silently dropping data. See above.
339  */
340  if (rte->requiredPerms & ACL_SELECT)
341  {
342  List *conflict_select_permissive_policies = NIL;
343  List *conflict_select_restrictive_policies = NIL;
344 
345  get_policies_for_relation(rel, CMD_SELECT, user_id,
346  &conflict_select_permissive_policies,
347  &conflict_select_restrictive_policies);
348  add_with_check_options(rel, rt_index,
349  WCO_RLS_CONFLICT_CHECK,
350  conflict_select_permissive_policies,
351  conflict_select_restrictive_policies,
352  withCheckOptions,
353  hasSubLinks,
354  true);
355  }
356 
357  /* Enforce the WITH CHECK clauses of the UPDATE policies */
358  add_with_check_options(rel, rt_index,
359  WCO_RLS_UPDATE_CHECK,
360  conflict_permissive_policies,
361  conflict_restrictive_policies,
362  withCheckOptions,
363  hasSubLinks,
364  false);
365  }
366  }
367 
368  heap_close(rel, NoLock);
369 
370  /*
371  * Mark this query as having row security, so plancache can invalidate it
372  * when necessary (eg: role changes)
373  */
374  *hasRowSecurity = true;
375 
376  return;
377 }
NIL
#define NIL
Definition: pg_list.h:69
GetUserId
Oid GetUserId(void)
Definition: miscinit.c:284
Query::onConflict
OnConflictExpr * onConflict
Definition: parsenodes.h:142
Query::resultRelation
int resultRelation
Definition: parsenodes.h:120
RangeTblEntry::requiredPerms
AclMode requiredPerms
Definition: parsenodes.h:1047
heap_close
#define heap_close(r, l)
Definition: heapam.h:97
Oid
unsigned int Oid
Definition: postgres_ext.h:31
add_security_quals
static void add_security_quals(int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
Definition: rowsecurity.c:566
NoLock
#define NoLock
Definition: lockdefs.h:34
add_with_check_options
static void add_with_check_options(Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)
Definition: rowsecurity.c:662
OnConflictExpr::action
OnConflictAction action
Definition: primnodes.h:1487
ACL_UPDATE
#define ACL_UPDATE
Definition: parsenodes.h:74
RELKIND_PARTITIONED_TABLE
#define RELKIND_PARTITIONED_TABLE
Definition: pg_class.h:168
ACL_SELECT
#define ACL_SELECT
Definition: parsenodes.h:73
heap_open
Relation heap_open(Oid relationId, LOCKMODE lockmode)
Definition: heapam.c:1290
Query::commandType
CmdType commandType
Definition: parsenodes.h:110
check_enable_rls
int check_enable_rls(Oid relid, Oid checkAsUser, bool noError)
Definition: rls.c:53
Assert
#define Assert(condition)
Definition: c.h:676
RELKIND_RELATION
#define RELKIND_RELATION
Definition: pg_class.h:160
RLS_NONE
Definition: rls.h:43
List
Definition: pg_list.h:45
CmdType
CmdType
Definition: nodes.h:649
get_policies_for_relation
static void get_policies_for_relation(Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
Definition: rowsecurity.c:388

Variable Documentation

PGDLLIMPORT row_security_policy_hook_type row_security_policy_hook_permissive

Definition at line 95 of file rowsecurity.c.

Referenced by _PG_fini(), _PG_init(), and get_policies_for_relation().

PGDLLIMPORT row_security_policy_hook_type row_security_policy_hook_restrictive

Definition at line 96 of file rowsecurity.c.

Referenced by _PG_fini(), _PG_init(), and get_policies_for_relation().