PostgreSQL Source Code  git master
rowsecurity.h File Reference
#include "nodes/parsenodes.h"
#include "utils/array.h"
#include "utils/relcache.h"
Include dependency graph for rowsecurity.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures

struct  RowSecurityPolicy
 
struct  RowSecurityDesc
 

Typedefs

typedef struct RowSecurityPolicy RowSecurityPolicy
 
typedef struct RowSecurityDesc RowSecurityDesc
 
typedef List *(* row_security_policy_hook_type) (CmdType cmdtype, Relation relation)
 

Functions

void get_row_security_policies (Query *root, RangeTblEntry *rte, int rt_index, List **securityQuals, List **withCheckOptions, bool *hasRowSecurity, bool *hasSubLinks)
 

Variables

PGDLLIMPORT row_security_policy_hook_type row_security_policy_hook_permissive
 
PGDLLIMPORT row_security_policy_hook_type row_security_policy_hook_restrictive
 

Typedef Documentation

◆ row_security_policy_hook_type

typedef List*(* row_security_policy_hook_type) (CmdType cmdtype, Relation relation)

Definition at line 37 of file rowsecurity.h.

◆ RowSecurityDesc

◆ RowSecurityPolicy

Function Documentation

◆ get_row_security_policies()

void get_row_security_policies ( Query root,
RangeTblEntry rte,
int  rt_index,
List **  securityQuals,
List **  withCheckOptions,
bool hasRowSecurity,
bool hasSubLinks 
)

Definition at line 108 of file rowsecurity.c.

111 {
112  Oid user_id;
113  int rls_status;
114  Relation rel;
115  CmdType commandType;
116  List *permissive_policies;
117  List *restrictive_policies;
118 
119  /* Defaults for the return values */
120  *securityQuals = NIL;
121  *withCheckOptions = NIL;
122  *hasRowSecurity = false;
123  *hasSubLinks = false;
124 
125  /* If this is not a normal relation, just return immediately */
126  if (rte->relkind != RELKIND_RELATION &&
127  rte->relkind != RELKIND_PARTITIONED_TABLE)
128  return;
129 
130  /* Switch to checkAsUser if it's set */
131  user_id = rte->checkAsUser ? rte->checkAsUser : GetUserId();
132 
133  /* Determine the state of RLS for this, pass checkAsUser explicitly */
134  rls_status = check_enable_rls(rte->relid, rte->checkAsUser, false);
135 
136  /* If there is no RLS on this table at all, nothing to do */
137  if (rls_status == RLS_NONE)
138  return;
139 
140  /*
141  * RLS_NONE_ENV means we are not doing any RLS now, but that may change
142  * with changes to the environment, so we mark it as hasRowSecurity to
143  * force a re-plan when the environment changes.
144  */
145  if (rls_status == RLS_NONE_ENV)
146  {
147  /*
148  * Indicate that this query may involve RLS and must therefore be
149  * replanned if the environment changes (GUCs, role), but we are not
150  * adding anything here.
151  */
152  *hasRowSecurity = true;
153 
154  return;
155  }
156 
157  /*
158  * RLS is enabled for this relation.
159  *
160  * Get the security policies that should be applied, based on the command
161  * type. Note that if this isn't the target relation, we actually want
162  * the relation's SELECT policies, regardless of the query command type,
163  * for example in UPDATE t1 ... FROM t2 we need to apply t1's UPDATE
164  * policies and t2's SELECT policies.
165  */
166  rel = table_open(rte->relid, NoLock);
167 
168  commandType = rt_index == root->resultRelation ?
169  root->commandType : CMD_SELECT;
170 
171  /*
172  * In some cases, we need to apply USING policies (which control the
173  * visibility of records) associated with multiple command types (see
174  * specific cases below).
175  *
176  * When considering the order in which to apply these USING policies, we
177  * prefer to apply higher privileged policies, those which allow the user
178  * to lock records (UPDATE and DELETE), first, followed by policies which
179  * don't (SELECT).
180  *
181  * Note that the optimizer is free to push down and reorder quals which
182  * use leakproof functions.
183  *
184  * In all cases, if there are no policy clauses allowing access to rows in
185  * the table for the specific type of operation, then a single
186  * always-false clause (a default-deny policy) will be added (see
187  * add_security_quals).
188  */
189 
190  /*
191  * For a SELECT, if UPDATE privileges are required (eg: the user has
192  * specified FOR [KEY] UPDATE/SHARE), then add the UPDATE USING quals
193  * first.
194  *
195  * This way, we filter out any records from the SELECT FOR SHARE/UPDATE
196  * which the user does not have access to via the UPDATE USING policies,
197  * similar to how we require normal UPDATE rights for these queries.
198  */
199  if (commandType == CMD_SELECT && rte->requiredPerms & ACL_UPDATE)
200  {
201  List *update_permissive_policies;
202  List *update_restrictive_policies;
203 
205  &update_permissive_policies,
206  &update_restrictive_policies);
207 
208  add_security_quals(rt_index,
209  update_permissive_policies,
210  update_restrictive_policies,
211  securityQuals,
212  hasSubLinks);
213  }
214 
215  /*
216  * For SELECT, UPDATE and DELETE, add security quals to enforce the USING
217  * policies. These security quals control access to existing table rows.
218  * Restrictive policies are combined together using AND, and permissive
219  * policies are combined together using OR.
220  */
221 
222  get_policies_for_relation(rel, commandType, user_id, &permissive_policies,
223  &restrictive_policies);
224 
225  if (commandType == CMD_SELECT ||
226  commandType == CMD_UPDATE ||
227  commandType == CMD_DELETE)
228  add_security_quals(rt_index,
229  permissive_policies,
230  restrictive_policies,
231  securityQuals,
232  hasSubLinks);
233 
234  /*
235  * Similar to above, during an UPDATE, DELETE, or MERGE, if SELECT rights
236  * are also required (eg: when a RETURNING clause exists, or the user has
237  * provided a WHERE clause which involves columns from the relation), we
238  * collect up CMD_SELECT policies and add them via add_security_quals
239  * first.
240  *
241  * This way, we filter out any records which are not visible through an
242  * ALL or SELECT USING policy.
243  */
244  if ((commandType == CMD_UPDATE || commandType == CMD_DELETE ||
245  commandType == CMD_MERGE) &&
246  rte->requiredPerms & ACL_SELECT)
247  {
248  List *select_permissive_policies;
249  List *select_restrictive_policies;
250 
252  &select_permissive_policies,
253  &select_restrictive_policies);
254 
255  add_security_quals(rt_index,
256  select_permissive_policies,
257  select_restrictive_policies,
258  securityQuals,
259  hasSubLinks);
260  }
261 
262  /*
263  * For INSERT and UPDATE, add withCheckOptions to verify that any new
264  * records added are consistent with the security policies. This will use
265  * each policy's WITH CHECK clause, or its USING clause if no explicit
266  * WITH CHECK clause is defined.
267  */
268  if (commandType == CMD_INSERT || commandType == CMD_UPDATE)
269  {
270  /* This should be the target relation */
271  Assert(rt_index == root->resultRelation);
272 
273  add_with_check_options(rel, rt_index,
274  commandType == CMD_INSERT ?
276  permissive_policies,
277  restrictive_policies,
278  withCheckOptions,
279  hasSubLinks,
280  false);
281 
282  /*
283  * Get and add ALL/SELECT policies, if SELECT rights are required for
284  * this relation (eg: when RETURNING is used). These are added as WCO
285  * policies rather than security quals to ensure that an error is
286  * raised if a policy is violated; otherwise, we might end up silently
287  * dropping rows to be added.
288  */
289  if (rte->requiredPerms & ACL_SELECT)
290  {
291  List *select_permissive_policies = NIL;
292  List *select_restrictive_policies = NIL;
293 
295  &select_permissive_policies,
296  &select_restrictive_policies);
297  add_with_check_options(rel, rt_index,
298  commandType == CMD_INSERT ?
300  select_permissive_policies,
301  select_restrictive_policies,
302  withCheckOptions,
303  hasSubLinks,
304  true);
305  }
306 
307  /*
308  * For INSERT ... ON CONFLICT DO UPDATE we need additional policy
309  * checks for the UPDATE which may be applied to the same RTE.
310  */
311  if (commandType == CMD_INSERT &&
312  root->onConflict && root->onConflict->action == ONCONFLICT_UPDATE)
313  {
314  List *conflict_permissive_policies;
315  List *conflict_restrictive_policies;
316  List *conflict_select_permissive_policies = NIL;
317  List *conflict_select_restrictive_policies = NIL;
318 
319  /* Get the policies that apply to the auxiliary UPDATE */
321  &conflict_permissive_policies,
322  &conflict_restrictive_policies);
323 
324  /*
325  * Enforce the USING clauses of the UPDATE policies using WCOs
326  * rather than security quals. This ensures that an error is
327  * raised if the conflicting row cannot be updated due to RLS,
328  * rather than the change being silently dropped.
329  */
330  add_with_check_options(rel, rt_index,
332  conflict_permissive_policies,
333  conflict_restrictive_policies,
334  withCheckOptions,
335  hasSubLinks,
336  true);
337 
338  /*
339  * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
340  * to ensure they are considered when taking the UPDATE path of an
341  * INSERT .. ON CONFLICT DO UPDATE, if SELECT rights are required
342  * for this relation, also as WCO policies, again, to avoid
343  * silently dropping data. See above.
344  */
345  if (rte->requiredPerms & ACL_SELECT)
346  {
348  &conflict_select_permissive_policies,
349  &conflict_select_restrictive_policies);
350  add_with_check_options(rel, rt_index,
352  conflict_select_permissive_policies,
353  conflict_select_restrictive_policies,
354  withCheckOptions,
355  hasSubLinks,
356  true);
357  }
358 
359  /* Enforce the WITH CHECK clauses of the UPDATE policies */
360  add_with_check_options(rel, rt_index,
362  conflict_permissive_policies,
363  conflict_restrictive_policies,
364  withCheckOptions,
365  hasSubLinks,
366  false);
367 
368  /*
369  * Add ALL/SELECT policies as WCO_RLS_UPDATE_CHECK WCOs, to ensure
370  * that the final updated row is visible when taking the UPDATE
371  * path of an INSERT .. ON CONFLICT DO UPDATE, if SELECT rights
372  * are required for this relation.
373  */
374  if (rte->requiredPerms & ACL_SELECT)
375  add_with_check_options(rel, rt_index,
377  conflict_select_permissive_policies,
378  conflict_select_restrictive_policies,
379  withCheckOptions,
380  hasSubLinks,
381  true);
382  }
383  }
384 
385  /*
386  * FOR MERGE, we fetch policies for UPDATE, DELETE and INSERT (and ALL)
387  * and set them up so that we can enforce the appropriate policy depending
388  * on the final action we take.
389  *
390  * We already fetched the SELECT policies above.
391  *
392  * We don't push the UPDATE/DELETE USING quals to the RTE because we don't
393  * really want to apply them while scanning the relation since we don't
394  * know whether we will be doing an UPDATE or a DELETE at the end. We
395  * apply the respective policy once we decide the final action on the
396  * target tuple.
397  *
398  * XXX We are setting up USING quals as WITH CHECK. If RLS prohibits
399  * UPDATE/DELETE on the target row, we shall throw an error instead of
400  * silently ignoring the row. This is different than how normal
401  * UPDATE/DELETE works and more in line with INSERT ON CONFLICT DO UPDATE
402  * handling.
403  */
404  if (commandType == CMD_MERGE)
405  {
406  List *merge_permissive_policies;
407  List *merge_restrictive_policies;
408 
409  /*
410  * Fetch the UPDATE policies and set them up to execute on the
411  * existing target row before doing UPDATE.
412  */
414  &merge_permissive_policies,
415  &merge_restrictive_policies);
416 
417  /*
418  * WCO_RLS_MERGE_UPDATE_CHECK is used to check UPDATE USING quals on
419  * the existing target row.
420  */
421  add_with_check_options(rel, rt_index,
423  merge_permissive_policies,
424  merge_restrictive_policies,
425  withCheckOptions,
426  hasSubLinks,
427  true);
428 
429  /*
430  * Same with DELETE policies.
431  */
433  &merge_permissive_policies,
434  &merge_restrictive_policies);
435 
436  add_with_check_options(rel, rt_index,
438  merge_permissive_policies,
439  merge_restrictive_policies,
440  withCheckOptions,
441  hasSubLinks,
442  true);
443 
444  /*
445  * No special handling is required for INSERT policies. They will be
446  * checked and enforced during ExecInsert(). But we must add them to
447  * withCheckOptions.
448  */
450  &merge_permissive_policies,
451  &merge_restrictive_policies);
452 
453  add_with_check_options(rel, rt_index,
455  merge_permissive_policies,
456  merge_restrictive_policies,
457  withCheckOptions,
458  hasSubLinks,
459  false);
460 
461  /* Enforce the WITH CHECK clauses of the UPDATE policies */
462  add_with_check_options(rel, rt_index,
464  merge_permissive_policies,
465  merge_restrictive_policies,
466  withCheckOptions,
467  hasSubLinks,
468  false);
469  }
470 
471  table_close(rel, NoLock);
472 
473  /*
474  * Copy checkAsUser to the row security quals and WithCheckOption checks,
475  * in case they contain any subqueries referring to other relations.
476  */
477  setRuleCheckAsUser((Node *) *securityQuals, rte->checkAsUser);
478  setRuleCheckAsUser((Node *) *withCheckOptions, rte->checkAsUser);
479 
480  /*
481  * Mark this query as having row security, so plancache can invalidate it
482  * when necessary (eg: role changes)
483  */
484  *hasRowSecurity = true;
485 }
Assert(fmt[strlen(fmt) - 1] !='\n')
#define NoLock
Definition: lockdefs.h:34
Oid GetUserId(void)
Definition: miscinit.c:491
@ ONCONFLICT_UPDATE
Definition: nodes.h:874
CmdType
Definition: nodes.h:720
@ CMD_MERGE
Definition: nodes.h:726
@ CMD_INSERT
Definition: nodes.h:724
@ CMD_DELETE
Definition: nodes.h:725
@ CMD_UPDATE
Definition: nodes.h:723
@ CMD_SELECT
Definition: nodes.h:722
@ WCO_RLS_MERGE_UPDATE_CHECK
Definition: parsenodes.h:1231
@ WCO_RLS_CONFLICT_CHECK
Definition: parsenodes.h:1230
@ WCO_RLS_INSERT_CHECK
Definition: parsenodes.h:1228
@ WCO_RLS_UPDATE_CHECK
Definition: parsenodes.h:1229
@ WCO_RLS_MERGE_DELETE_CHECK
Definition: parsenodes.h:1232
#define ACL_UPDATE
Definition: parsenodes.h:84
#define ACL_SELECT
Definition: parsenodes.h:83
#define NIL
Definition: pg_list.h:66
unsigned int Oid
Definition: postgres_ext.h:31
void setRuleCheckAsUser(Node *node, Oid userid)
int check_enable_rls(Oid relid, Oid checkAsUser, bool noError)
Definition: rls.c:52
@ RLS_NONE
Definition: rls.h:43
@ RLS_NONE_ENV
Definition: rls.h:44
static void add_with_check_options(Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)
Definition: rowsecurity.c:751
static void get_policies_for_relation(Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
Definition: rowsecurity.c:496
static void add_security_quals(int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
Definition: rowsecurity.c:655
Definition: pg_list.h:52
Definition: nodes.h:575
OnConflictAction action
Definition: primnodes.h:1953
OnConflictExpr * onConflict
Definition: parsenodes.h:160
int resultRelation
Definition: parsenodes.h:132
CmdType commandType
Definition: parsenodes.h:121
AclMode requiredPerms
Definition: parsenodes.h:1166
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:167
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:39

References ACL_SELECT, ACL_UPDATE, OnConflictExpr::action, add_security_quals(), add_with_check_options(), Assert(), check_enable_rls(), RangeTblEntry::checkAsUser, CMD_DELETE, CMD_INSERT, CMD_MERGE, CMD_SELECT, CMD_UPDATE, Query::commandType, get_policies_for_relation(), GetUserId(), NIL, NoLock, Query::onConflict, ONCONFLICT_UPDATE, RangeTblEntry::relid, RangeTblEntry::relkind, RangeTblEntry::requiredPerms, Query::resultRelation, RLS_NONE, RLS_NONE_ENV, setRuleCheckAsUser(), table_close(), table_open(), WCO_RLS_CONFLICT_CHECK, WCO_RLS_INSERT_CHECK, WCO_RLS_MERGE_DELETE_CHECK, WCO_RLS_MERGE_UPDATE_CHECK, and WCO_RLS_UPDATE_CHECK.

Referenced by fireRIRrules().

Variable Documentation

◆ row_security_policy_hook_permissive

PGDLLIMPORT row_security_policy_hook_type row_security_policy_hook_permissive
extern

Definition at line 96 of file rowsecurity.c.

Referenced by _PG_init(), and get_policies_for_relation().

◆ row_security_policy_hook_restrictive

PGDLLIMPORT row_security_policy_hook_type row_security_policy_hook_restrictive
extern

Definition at line 97 of file rowsecurity.c.

Referenced by _PG_init(), and get_policies_for_relation().