Re: Clarification on RLS policy - Dominique Devienne

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Dominique Devienne <[email protected]>
To: Laurenz Albe <[email protected]>
Cc: Vydehi Ganti <[email protected]>
Cc: [email protected]
Subject: Re: Clarification on RLS policy
Date: Fri, 25 Apr 2025 14:52:43 +0200
Message-ID: <CAFCRh-_fXGfKk6b26xaDD1fg5OhLy92bNofmeDfX2TFjkQLLXA@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <CAMH-PzUPN7JcLXJx-aJzGnJD2T-aSMo8gaMFkzO_x26urpMqSA@mail.gmail.com>
	<[email protected]>

On Fri, Apr 25, 2025 at 2:43 PM Laurenz Albe <[email protected]> wrote:
> On Fri, 2025-04-25 at 12:38 +0530, Vydehi Ganti wrote:
> > We are presently using Postgresql:PostgreSQL 15.12 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-23), 64-bit
> > 2.The function would return a character varying string which should be appended
> >   to the select as a filter.
>
> You cannot add whole WHERE conditions to a query dynamically.
> The only way to fix that is to solve the problem differently.
> Since you didn't tell us details, we cannot tell you how.

Laurenz is right. That's not how RLS works in PostgreSQL, unlike Oracle.
In PostgreSQL, you must use a boolean SQL expression, often by calling
a function.
You don't simply return some SQL text that Oracle then "splices" into
the SELECT.

E.g., if you use custom ROLEs as an implementation detail for your
security rules,
your policy can be as simple as calling the pg_has_role() built-in
function. FWIW. --DD

CREATE POLICY ... USING (pg_has_role('SomeRole', 'MEMBER'))

view thread (10+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Clarification on RLS policy
  In-Reply-To: <CAFCRh-_fXGfKk6b26xaDD1fg5OhLy92bNofmeDfX2TFjkQLLXA@mail.gmail.com>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox