Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1sgkQd-0075pz-Dx
	for pgsql-general@arkaria.postgresql.org; Wed, 21 Aug 2024 12:27:07 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1sgkQb-00APYo-6B
	for pgsql-general@arkaria.postgresql.org; Wed, 21 Aug 2024 12:27:05 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <dean.a.rasheed@gmail.com>)
	id 1sgkQa-00APYg-Q2
	for pgsql-general@lists.postgresql.org; Wed, 21 Aug 2024 12:27:05 +0000
Received: from mail-io1-xd2b.google.com ([2607:f8b0:4864:20::d2b])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <dean.a.rasheed@gmail.com>)
	id 1sgkQX-000lyq-RZ
	for pgsql-general@lists.postgresql.org; Wed, 21 Aug 2024 12:27:04 +0000
Received: by mail-io1-xd2b.google.com with SMTP id ca18e2360f4ac-81f905eb19cso341209839f.3
        for <pgsql-general@lists.postgresql.org>; Wed, 21 Aug 2024 05:27:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1724243221; x=1724848021; darn=lists.postgresql.org;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=EVNBGLSmq6LvjWWZT7p5FXErVncJpN3DAPU1cH+0o64=;
        b=jn0KW3rID5V/Z88t5nFg0kST1VLwqiQLNmqvhinQqCBng1skzMiY47ewzMGpbHQzMc
         ovkdIBA6Yoq9dY9bVpWJtARBCygfDW0H/nHvIplI4PS39oYUxdmW+G0C5KKFA/61lYjq
         YgcWijBBJQmOsLjBt4MdVQGbhRxpOisAVvCTF+PtbWmwmydqxi52Pxjij11HoB3AwoL0
         jyE5s58cA5y8fqj6oeEPCYe0AkrH7le0ow5Ueea8/cKiYRwMDfK6rA4oax/xLvcRnTAz
         qdnlGt2vZhD1pd1h0eGjCYNOfjFPjHjGB0L1YcEbjEBoXgxt5z5Lx8Oeq3BZuUUaeZWj
         sF8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724243221; x=1724848021;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=EVNBGLSmq6LvjWWZT7p5FXErVncJpN3DAPU1cH+0o64=;
        b=feGPfCYqDdd2UqgaeCWDFgyJ4/sqblMdVs3iB7Z3jxgOcdwWMG4viOZ1S4XZZE3Oe/
         qubffM2rb/1pdbHGOfq7vPldR4TaNhg9GXQ7/+p+zhNg6bVbxX9RU/eKu3ZoIxHZIV1k
         HlMouT535mN4yHigwvFCWaSe0aprosEvAvVu54Gv/jn/kdgJslYtccyAGiy24xWHrV7a
         vU33gp/aZOYfK8QAxXAHZIl3APFhLZnr/vO/GCbTeP6ycchm8XfVEvsR5Scgv7BAJzR0
         ZE7AASMCjhacp3w+tapGHTfEXl6gcM9V9ojvf3+9AfwAQoWNZBEvafAN7xOiIs4CkW0Z
         dMGQ==
X-Gm-Message-State: AOJu0YwyQhcBILOk/0WsHbontFQQcOZctYNvEOFq4Uik1cggqE5fIpeY
	MNGpcUQnogzahVo9wwKUixuraWDEGOmFKTlX9v5TzJzs7nf1ALGe+DjFZ58VSo5f8g14Spf84f5
	WrjOdNZCiuRm2QvzJdwk+voc7nqI=
X-Google-Smtp-Source: AGHT+IE/NQ645qRZMgBNN6lV48HLDDVzOn97RFlc49Qk8wXkI9eYkR6bj2V45tinU1+3+QJBFHLAfzfyeS/B5pv5ZKw=
X-Received: by 2002:a05:6602:6b0a:b0:803:cc64:e0bf with SMTP id
 ca18e2360f4ac-8252f32ce63mr228857239f.2.1724243221017; Wed, 21 Aug 2024
 05:27:01 -0700 (PDT)
MIME-Version: 1.0
References: <CACJufxG31b+LwmxHz6xw9Qr+qc3VgQaRdpiaGUoZFrf=NBu48g@mail.gmail.com>
In-Reply-To: <CACJufxG31b+LwmxHz6xw9Qr+qc3VgQaRdpiaGUoZFrf=NBu48g@mail.gmail.com>
From: Dean Rasheed <dean.a.rasheed@gmail.com>
Date: Wed, 21 Aug 2024 13:26:49 +0100
Message-ID: <CAEZATCVm+2Vr4ydMBZNGJuFNbH7YZOOXSEJ8JyjWeQ4J5xZ5zQ@mail.gmail.com>
Subject: Re: security invoker review need full select (all columns) to do DML?
To: jian he <jian.universality@gmail.com>
Cc: pgsql-general list <pgsql-general@lists.postgresql.org>
Content-Type: text/plain; charset="UTF-8"
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/CAEZATCVm%2B2Vr4ydMBZNGJuFNbH7YZOOXSEJ8JyjWeQ4J5xZ5zQ%40mail.gmail.com>
Precedence: bulk

On Wed, 21 Aug 2024 at 10:08, jian he <jian.universality@gmail.com> wrote:
>
> the following setup is extract from src/test/regress/sql/updatable_views.sql
> you can search keywords: "-- ordinary view on top of security invoker
> view permissions"
>
> CREATE TABLE base_tbl(a int, b text, c float);
> INSERT INTO base_tbl VALUES (1, 'Row 1', 1.0);
>
> SET SESSION AUTHORIZATION regress_view_user1;
> CREATE VIEW rw_view1 AS SELECT b AS bb, c AS cc, a AS aa FROM base_tbl;
> ALTER VIEW rw_view1 SET (security_invoker = true);
>
> RESET SESSION AUTHORIZATION;
> GRANT SELECT(a,b) ON base_tbl TO regress_view_user1;

In updatable_views.sql that GRANT is actually

GRANT SELECT ON base_tbl TO regress_view_user1;

Without that, the view is effectively unusable by regress_view_user1
because it selects from column c of base_tbl, and regress_view_user1
lacks permissions on that column.

This is consistent with simple subqueries:

select a, b from (select a,b from base_tbl); -- ok
 a |   b
---+-------
 1 | Row 1
(1 row)

select a, b from (select a,b,c from base_tbl); -- not allowed
ERROR:  permission denied for table base_tbl

The user must have select permissions on all columns selected by the
subquery/view, because we don't go through the outer query to check
which columns are actually referred to. Now maybe we could, but I
suspect that would be quite a lot of effort because you'd need to be
sure that the column wasn't referred to anywhere in either the outer
query or the subquery itself (e.g., in WHERE clauses, etc.).

Regards,
Dean