public inbox for [email protected]help / color / mirror / Atom feed
Re: Clarification on RLS policy 10+ messages / 4 participants [nested] [flat]
* Re: Clarification on RLS policy @ 2025-04-25 12:52 Dominique Devienne <[email protected]> 0 siblings, 1 reply; 10+ messages in thread From: Dominique Devienne @ 2025-04-25 12:52 UTC (permalink / raw) To: Laurenz Albe <[email protected]>; +Cc: Vydehi Ganti <[email protected]>; [email protected] On Fri, Apr 25, 2025 at 2:43 PM Laurenz Albe <[email protected]> wrote: > On Fri, 2025-04-25 at 12:38 +0530, Vydehi Ganti wrote: > > We are presently using Postgresql:PostgreSQL 15.12 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-23), 64-bit > > 2.The function would return a character varying string which should be appended > > to the select as a filter. > > You cannot add whole WHERE conditions to a query dynamically. > The only way to fix that is to solve the problem differently. > Since you didn't tell us details, we cannot tell you how. Laurenz is right. That's not how RLS works in PostgreSQL, unlike Oracle. In PostgreSQL, you must use a boolean SQL expression, often by calling a function. You don't simply return some SQL text that Oracle then "splices" into the SELECT. E.g., if you use custom ROLEs as an implementation detail for your security rules, your policy can be as simple as calling the pg_has_role() built-in function. FWIW. --DD CREATE POLICY ... USING (pg_has_role('SomeRole', 'MEMBER')) ^ permalink raw reply [nested|flat] 10+ messages in thread
* Re: Clarification on RLS policy @ 2025-04-25 13:01 Vydehi Ganti <[email protected]> parent: Dominique Devienne <[email protected]> 0 siblings, 3 replies; 10+ messages in thread From: Vydehi Ganti @ 2025-04-25 13:01 UTC (permalink / raw) To: Dominique Devienne <[email protected]>; +Cc: Laurenz Albe <[email protected]>; [email protected] This is my Scenario: I would need a policy on table Activity which has a column country_code . In the policy i would need to call a function get_country as below which queries the users table based on current user and checks which country code that user has access to. Then it should build up the lPredicate with the filter condition and append to the query user runs on the Activity table. *Can you please guide how to achieve this?* CREATE OR REPLACE FUNCTION one.get_country( powner name, ptable_name name) RETURNS character varying LANGUAGE 'plpgsql' COST 100 STABLE PARALLEL UNSAFE AS $BODY$ DECLARE lOSUser varchar(4000) := UPPER(SUBSTRING(current_user FROM POSITION('\' IN current_user) + 1)); lPredicate varchar(4000) := NULL; lCount integer; i RECORD; BEGIN IF position('ro' in current_user) = 0 THEN lPredicate := '1=1'; ELSE -- Users associated to explicit country_code FOR i IN (SELECT r.country_code AS country_code FROM one.users u where UPPER(SUBSTR(u.Login, INSTR(u.Login, '\', -1) + 1)) = lOSUser ) WHERE u.role_type = 'reader') LOOP lPredicate := lPredicate||''''||i.country_code||''','; END LOOP; IF lPredicate IS NOT NULL THEN lPredicate := 'SUBSTR("id",1,3) IN ('||SUBSTR(lPredicate, 1, LENGTH(lPredicate)-1)||')'; ELSE lPredicate := '1=1'; END IF; END IF; RETURN lPredicate; END; $BODY$; For the below policy statement it created the policy but i cant call that CREATE POLICY "Codebase_Filter" ON one.activity FOR SELECT TO one USING (one.get_country('one','activity')); On Fri, Apr 25, 2025 at 6:23 PM Dominique Devienne <[email protected]> wrote: > On Fri, Apr 25, 2025 at 2:43 PM Laurenz Albe <[email protected]> > wrote: > > On Fri, 2025-04-25 at 12:38 +0530, Vydehi Ganti wrote: > > > We are presently using Postgresql:PostgreSQL 15.12 on > x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat > 8.5.0-23), 64-bit > > > 2.The function would return a character varying string which should be > appended > > > to the select as a filter. > > > > You cannot add whole WHERE conditions to a query dynamically. > > The only way to fix that is to solve the problem differently. > > Since you didn't tell us details, we cannot tell you how. > > Laurenz is right. That's not how RLS works in PostgreSQL, unlike Oracle. > In PostgreSQL, you must use a boolean SQL expression, often by calling > a function. > You don't simply return some SQL text that Oracle then "splices" into > the SELECT. > > E.g., if you use custom ROLEs as an implementation detail for your > security rules, > your policy can be as simple as calling the pg_has_role() built-in > function. FWIW. --DD > > CREATE POLICY ... USING (pg_has_role('SomeRole', 'MEMBER')) > ^ permalink raw reply [nested|flat] 10+ messages in thread
* Re: Clarification on RLS policy @ 2025-04-25 13:17 Dominique Devienne <[email protected]> parent: Vydehi Ganti <[email protected]> 2 siblings, 1 reply; 10+ messages in thread From: Dominique Devienne @ 2025-04-25 13:17 UTC (permalink / raw) To: Vydehi Ganti <[email protected]>; +Cc: Laurenz Albe <[email protected]>; [email protected] On Fri, Apr 25, 2025 at 3:01 PM Vydehi Ganti <[email protected]> wrote: > Then it should build up the lPredicate with the filter condition and append to the query user runs on the Activity table. You're not reading us, and asking us to do the work for you... RLS Predicates don't return strings in PostgreSQL, but a boolean. Write your function to do your check, and return TRUE or FALSE. ^ permalink raw reply [nested|flat] 10+ messages in thread
* Re: Clarification on RLS policy @ 2025-04-25 13:20 Vydehi Ganti <[email protected]> parent: Dominique Devienne <[email protected]> 0 siblings, 1 reply; 10+ messages in thread From: Vydehi Ganti @ 2025-04-25 13:20 UTC (permalink / raw) To: Dominique Devienne <[email protected]>; +Cc: Laurenz Albe <[email protected]>; [email protected] So I don't have a possibility to append where clause dynamically and can only check the boolean? On Fri, 25 Apr, 2025, 18:48 Dominique Devienne, <[email protected]> wrote: > On Fri, Apr 25, 2025 at 3:01 PM Vydehi Ganti <[email protected]> wrote: > > Then it should build up the lPredicate with the filter condition and > append to the query user runs on the Activity table. > > You're not reading us, and asking us to do the work for you... > RLS Predicates don't return strings in PostgreSQL, but a boolean. > Write your function to do your check, and return TRUE or FALSE. > ^ permalink raw reply [nested|flat] 10+ messages in thread
* Re: Clarification on RLS policy @ 2025-04-25 13:25 Dominique Devienne <[email protected]> parent: Vydehi Ganti <[email protected]> 0 siblings, 1 reply; 10+ messages in thread From: Dominique Devienne @ 2025-04-25 13:25 UTC (permalink / raw) To: Vydehi Ganti <[email protected]>; +Cc: Laurenz Albe <[email protected]>; [email protected] On Fri, Apr 25, 2025 at 3:21 PM Vydehi Ganti <[email protected]> wrote: > So I don't have a possibility to append where clause dynamically and can only check the boolean? Indeed. But given that you can run arbitrary SQL inside the function, even dynamic SQL, that ends up pretty much the same. And you have access to in-row values too, when calling the function. It's just a different design, that's all. --DD ^ permalink raw reply [nested|flat] 10+ messages in thread
* Re: Clarification on RLS policy @ 2025-04-25 13:28 Vydehi Ganti <[email protected]> parent: Dominique Devienne <[email protected]> 0 siblings, 1 reply; 10+ messages in thread From: Vydehi Ganti @ 2025-04-25 13:28 UTC (permalink / raw) To: Dominique Devienne <[email protected]>; +Cc: Laurenz Albe <[email protected]>; [email protected] Can i know if there is any scenario or ref document for the design you suggested above? On Fri, 25 Apr, 2025, 18:56 Dominique Devienne, <[email protected]> wrote: > On Fri, Apr 25, 2025 at 3:21 PM Vydehi Ganti <[email protected]> wrote: > > So I don't have a possibility to append where clause dynamically and can > only check the boolean? > > Indeed. But given that you can run arbitrary SQL inside the function, > even dynamic SQL, > that ends up pretty much the same. And you have access to in-row > values too, when calling the function. > It's just a different design, that's all. --DD > ^ permalink raw reply [nested|flat] 10+ messages in thread
* Re: Clarification on RLS policy @ 2025-04-25 13:31 Dominique Devienne <[email protected]> parent: Vydehi Ganti <[email protected]> 0 siblings, 1 reply; 10+ messages in thread From: Dominique Devienne @ 2025-04-25 13:31 UTC (permalink / raw) To: Vydehi Ganti <[email protected]>; +Cc: Laurenz Albe <[email protected]>; [email protected] On Fri, Apr 25, 2025 at 3:29 PM Vydehi Ganti <[email protected]> wrote: > Can i know if there is any scenario or ref document for the design you suggested above? Some docs: https://www.postgresql.org/docs/current/ddl-rowsecurity.html https://satoricyber.com/postgres-security/postgres-row-level-security/ Your Oracle function converted to PostgreSQL, FWIW. Use at your own risk. https://chatgpt.com/share/680b8e36-b4ac-800e-9e0e-2601aecd2aee ^ permalink raw reply [nested|flat] 10+ messages in thread
* Re: Clarification on RLS policy @ 2025-04-25 14:04 Achilleas Mantzios - cloud <[email protected]> parent: Vydehi Ganti <[email protected]> 2 siblings, 0 replies; 10+ messages in thread From: Achilleas Mantzios - cloud @ 2025-04-25 14:04 UTC (permalink / raw) To: [email protected] On 4/25/25 14:01, Vydehi Ganti wrote: > This is my Scenario: > > CREATE OR REPLACE FUNCTION one.get_country( > powner name, > ptable_name name) > RETURNS character varying > LANGUAGE 'plpgsql' > COST 100 > STABLE PARALLEL UNSAFE > AS $BODY$ > DECLARE > > lOSUser varchar(4000) := UPPER(SUBSTRING(current_user FROM > POSITION('\' IN current_user) + 1)); > lPredicate varchar(4000) := NULL; > lCount integer; > > i RECORD; > > BEGIN > IF position('ro' in current_user) = 0 THEN > lPredicate := '1=1'; > ELSE > -- Users associated to explicit country_code > FOR i IN (SELECT r.country_code AS country_code > FROM one.users u > where UPPER(SUBSTR(u.Login, INSTR(u.Login, > '\', -1) + 1)) = lOSUser ) > WHERE u.role_type = 'reader') LOOP > lPredicate := lPredicate||''''||i.country_code||''','; > END LOOP; > > IF lPredicate IS NOT NULL THEN > lPredicate := 'SUBSTR("id",1,3) IN ('||SUBSTR(lPredicate, > 1, LENGTH(lPredicate)-1)||')'; > ELSE > lPredicate := '1=1'; > END IF; > END IF; > > RETURN lPredicate; > > END; > $BODY$; > > For the below policy statement it created the policy but i cant call that > CREATE POLICY "Codebase_Filter" > ON one.activity > FOR SELECT > TO one > USING (one.get_country('one','activity')); side note : it seems ptable_name and powner are not read in your function ^ permalink raw reply [nested|flat] 10+ messages in thread
* Re: Clarification on RLS policy @ 2025-04-25 15:13 Adrian Klaver <[email protected]> parent: Vydehi Ganti <[email protected]> 2 siblings, 0 replies; 10+ messages in thread From: Adrian Klaver @ 2025-04-25 15:13 UTC (permalink / raw) To: Vydehi Ganti <[email protected]>; Dominique Devienne <[email protected]>; +Cc: Laurenz Albe <[email protected]>; [email protected] On 4/25/25 06:01, Vydehi Ganti wrote: > This is my Scenario: > > *Can you please guide how to achieve this?* > > CREATE OR REPLACE FUNCTION one.get_country( > powner name, > ptable_name name) > RETURNS character varying > LANGUAGE 'plpgsql' > > For the below policy statement it created the policy but i cant call that > CREATE POLICY "Codebase_Filter" > ON one.activity > FOR SELECT > TO one > USING (one.get_country('one','activity')); The core of the issue you are getting is that this from the function: RETURNS character varying is not going to work here: USING (one.get_country('one','activity')) as what USING will see is a string not the evaluation of 1=1 hence the error you get: ERROR: invalid input syntax for type boolean: "1=1" CONTEXT: PL/pgSQL function function name(name,name) while casting return value to function's return type -- Adrian Klaver [email protected] ^ permalink raw reply [nested|flat] 10+ messages in thread
* Re: Clarification on RLS policy @ 2025-04-29 08:05 Vydehi Ganti <[email protected]> parent: Dominique Devienne <[email protected]> 0 siblings, 0 replies; 10+ messages in thread From: Vydehi Ganti @ 2025-04-29 08:05 UTC (permalink / raw) To: Dominique Devienne <[email protected]>; +Cc: Laurenz Albe <[email protected]>; [email protected] Hi, Checking the documents . Post fetching Boolean can we have a trigger or function which can build up the where filter clause? Or can i have a case statement in the Using which can return such statements? On Fri, Apr 25, 2025 at 7:02 PM Dominique Devienne <[email protected]> wrote: > On Fri, Apr 25, 2025 at 3:29 PM Vydehi Ganti <[email protected]> wrote: > > Can i know if there is any scenario or ref document for the design you > suggested above? > > Some docs: > https://www.postgresql.org/docs/current/ddl-rowsecurity.html > https://satoricyber.com/postgres-security/postgres-row-level-security/ > > Your Oracle function converted to PostgreSQL, FWIW. Use at your own risk. > https://chatgpt.com/share/680b8e36-b4ac-800e-9e0e-2601aecd2aee > ^ permalink raw reply [nested|flat] 10+ messages in thread
end of thread, other threads:[~2025-04-29 08:05 UTC | newest] Thread overview: 10+ messages (download: mbox mbox.gz follow: Atom feed) -- links below jump to the message on this page -- 2025-04-25 12:52 Re: Clarification on RLS policy Dominique Devienne <[email protected]> 2025-04-25 13:01 ` Vydehi Ganti <[email protected]> 2025-04-25 13:17 ` Dominique Devienne <[email protected]> 2025-04-25 13:20 ` Vydehi Ganti <[email protected]> 2025-04-25 13:25 ` Dominique Devienne <[email protected]> 2025-04-25 13:28 ` Vydehi Ganti <[email protected]> 2025-04-25 13:31 ` Dominique Devienne <[email protected]> 2025-04-29 08:05 ` Vydehi Ganti <[email protected]> 2025-04-25 14:04 ` Achilleas Mantzios - cloud <[email protected]> 2025-04-25 15:13 ` Adrian Klaver <[email protected]>
This inbox is served by agora; see mirroring instructions for how to clone and mirror all data and code used for this inbox