public inbox for [email protected]  
Re: security invoker review need full select (all columns) to do DML?

* Re: security invoker review need full select (all columns) to do DML?
@ 2024-08-21 12:26  Dean Rasheed <[email protected]>

From: Dean Rasheed @ 2024-08-21 12:26 UTC (permalink / raw)
  To: jian he <[email protected]>; +Cc: pgsql-general list <[email protected]>

On Wed, 21 Aug 2024 at 10:08, jian he <[email protected]> wrote:
>
> the following setup is extracted from src/test/regress/sql/updatable_views.sql
> you can search keywords: "-- ordinary view on top of security invoker
> view permissions"
>
> CREATE TABLE base_tbl(a int, b text, c float);
> INSERT INTO base_tbl VALUES (1, 'Row 1', 1.0);
>
> SET SESSION AUTHORIZATION regress_view_user1;
> CREATE VIEW rw_view1 AS SELECT b AS bb, c AS cc, a AS aa FROM base_tbl;
> ALTER VIEW rw_view1 SET (security_invoker = true);
>
> RESET SESSION AUTHORIZATION;
> GRANT SELECT(a,b) ON base_tbl TO regress_view_user1;

In updatable_views.sql that GRANT is actually

GRANT SELECT ON base_tbl TO regress_view_user1;

Without that, the view is effectively unusable by regress_view_user1
because it selects from column c of base_tbl, and regress_view_user1
lacks permissions on that column.

This is consistent with simple subqueries:

select a, b from (select a,b from base_tbl); -- ok
 a |   b
---+-------
 1 | Row 1
(1 row)

select a, b from (select a,b,c from base_tbl); -- not allowed
ERROR:  permission denied for table base_tbl

The user must have select permissions on all columns selected by the
subquery/view, because we don't go through the outer query to check
which columns are actually referred to. Now maybe we could, but I
suspect that would be quite a lot of effort because you'd need to be
sure that the column wasn't referred to anywhere in either the outer
query or the subquery itself (e.g., in WHERE clauses, etc.).

Regards,
Dean







* Re: security invoker review need full select (all columns) to do DML?
@ 2024-08-21 14:39  Tom Lane <[email protected]>
  parent: Dean Rasheed <[email protected]>

From: Tom Lane @ 2024-08-21 14:39 UTC (permalink / raw)
  To: Dean Rasheed <[email protected]>; +Cc: jian he <[email protected]>; pgsql-general list <[email protected]>

Dean Rasheed <[email protected]> writes:
> The user must have select permissions on all columns selected by the
> subquery/view, because we don't go through the outer query to check
> which columns are actually referred to. Now maybe we could, but I
> suspect that would be quite a lot of effort because you'd need to be
> sure that the column wasn't referred to anywhere in either the outer
> query or the subquery itself (e.g., in WHERE clauses, etc.).

I'd argue that we should check that permission regardless, and are
probably required to by the SQL spec.  You don't normally get to
escape permission checks when bits of the query are optimized away.
(This is why permission checks are done on the range table not the
plan tree.)

			regards, tom lane
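
Added example, not part of either message and not taken from the PostgreSQL regression suite: a constructed psql script reproducing the behaviour discussed in this thread with column-level grants and security_invoker views. It assumes PostgreSQL 15 or later, a superuser session, and psql running without ON_ERROR_STOP; the demo_* role, table and view names are hypothetical.

```sql
-- Constructed demo for psql: superuser session, PostgreSQL 15+ (security_invoker).
-- demo_view_user, demo_tbl, demo_wide and demo_narrow are hypothetical names.
BEGIN;
CREATE ROLE demo_view_user;
CREATE TABLE demo_tbl(a int, b text, c float);
INSERT INTO demo_tbl VALUES (1, 'Row 1', 1.0);
GRANT SELECT (a, b) ON demo_tbl TO demo_view_user;  -- column c withheld

-- demo_wide names the withheld column c; demo_narrow stays within the grant.
CREATE VIEW demo_wide WITH (security_invoker = true) AS
    SELECT b AS bb, c AS cc, a AS aa FROM demo_tbl;
CREATE VIEW demo_narrow WITH (security_invoker = true) AS
    SELECT b AS bb, a AS aa FROM demo_tbl;
GRANT SELECT ON demo_wide, demo_narrow TO demo_view_user;

-- Audit which base-table columns the role can read before debugging a view.
SELECT attname,
       has_column_privilege('demo_view_user', 'demo_tbl', attname::text, 'SELECT')
           AS can_select
FROM pg_attribute
WHERE attrelid = 'demo_tbl'::regclass AND attnum > 0 AND NOT attisdropped
ORDER BY attnum;

SET LOCAL ROLE demo_view_user;

-- Rejected although the outer query never mentions cc: the view's own query
-- references demo_tbl.c, and that reference is checked against the invoker.
SAVEPOINT before_denied;
SELECT aa, bb FROM demo_wide;
ROLLBACK TO SAVEPOINT before_denied;  -- clear the aborted-transaction state

-- Accepted: every column the view itself reads is covered by the grant.
SELECT aa, bb FROM demo_narrow;

-- Granting the missing column makes the wide view usable as well.
RESET ROLE;
GRANT SELECT (c) ON demo_tbl TO demo_view_user;
SET LOCAL ROLE demo_view_user;
SELECT aa, bb FROM demo_wide;

RESET ROLE;
ROLLBACK;  -- discard the demo role, table and views
```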







