Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1u8IYV-000UvV-Mn
	for pgsql-general@arkaria.postgresql.org; Fri, 25 Apr 2025 12:53:24 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1u8IYT-00AZGa-DW
	for pgsql-general@arkaria.postgresql.org; Fri, 25 Apr 2025 12:53:22 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <ddevienne@gmail.com>)
	id 1u8IYT-00AZEk-0S
	for pgsql-general@lists.postgresql.org; Fri, 25 Apr 2025 12:53:21 +0000
Received: from mail-oo1-xc2d.google.com ([2607:f8b0:4864:20::c2d])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <ddevienne@gmail.com>)
	id 1u8IYQ-0020OO-26
	for pgsql-general@lists.postgresql.org;
	Fri, 25 Apr 2025 12:53:21 +0000
Received: by mail-oo1-xc2d.google.com with SMTP id 006d021491bc7-6063462098eso1442882eaf.0
        for <pgsql-general@lists.postgresql.org>; Fri, 25 Apr 2025 05:53:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1745585595; x=1746190395; darn=lists.postgresql.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=cWTafLdLxGmOTKMLBPzXZx5ApSK7eocsLYdEg+ik0qc=;
        b=TpF58pvHfGYdgvXy7SpSI2YogGinEjucx6Ak3PhC2xFQefpTM8MHn+xp6G35EiC7A3
         uYlyMNriAEhmPdfZk4IrutBRTawIduW4Vo9LvwH4Npz/kOa0PWq/ScH+n4120r2QZ1mY
         ncKJy+KtwO6EueRi4kBjqEFHdex9OqIxJROVCHPesjDZz1zSKve31RyzH+TDLs1Mz+cG
         RIRk4SstcMcWFI0t8nLFvSK8heDRFgltHM4/YSnT5snTwqwJnH5D00mzL/1RgIazVUl+
         3sn0IYcLZpw1VG9EwFY224P4qOGL+Qzg/jiFN2MN63oLpuzEGWeifJU7uLppJHd6eTIz
         nvtw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1745585595; x=1746190395;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=cWTafLdLxGmOTKMLBPzXZx5ApSK7eocsLYdEg+ik0qc=;
        b=O+a5nKUGz7zusr5q+ncDMQ5aFq3W1vnHqLuKYjmR3Vn18CNJibHtJTXDf3a4aTtdqS
         mX/hjqvFcFCcoVLOXDnw1kmtfPUhj1Hg/LBdnL8VjANqOSFWIB6AhjsIU58xnsw/xehR
         BxtKsp9pbFCUIX6yzdlzwapdu0pEfumbIanX6b3tHSNiaEBjqGfuUuTsYA0BjxByS5a9
         Maq3mwPqi2owTcOm/taZ3s125BOg8zp4ZYLMKUYeubiIzaeraJM5pU+JjLWzskzZj90M
         BTXa3B7yVJYMFEaGyxFX214pbZWvOuYR8XSs2ntFnlPDA+YW9HXkv8677RR5xhiiC/yM
         9aqQ==
X-Forwarded-Encrypted: i=1; AJvYcCVq1l01Sayqo6rxJ64loF3V0hVT/1coIJA/c3EPzHlGuIw4tRRuDRC4v7W/i8mCeUSg6xvrNUYRjANpnR/K@lists.postgresql.org
X-Gm-Message-State: AOJu0YwgktOMvdX/L9oxwfRJz//l8e+6QP812LgJyhYt8Da+p+Q3soNd
	wORNn+NM1c/k20yorolUNXLffnyJ+juIw4LPZGlVMMPA9xsSmr/BEWE4/eiHsxv1P2wrb7qbVCd
	ln+s0gZ4MpyYVfnuTFvpbKZbUp0U=
X-Gm-Gg: ASbGncuUW6A1OydE+Qm3AOd0hh/7ITwIJ6OcODrVpx8TybZV4vXd7oPmTaRfwXQhIfo
	AiSxOMOGQnlJvZkzKRisRQrLDsDMD4Rv0Lfog7ecOroTnmZus8wtikNJB2b+HNLHzD72fz4JVbw
	IvIVodYgeqfOzuy1VD9sV/+UiV
X-Google-Smtp-Source: AGHT+IGrg2Nr/pvf+zw5cQnGsB5kjRDpg5I/SWg/ofLZwxLzdAEg9QQrrS1ojwY+YxLVHOhoUYiUcAsRB/Oh2Mi32fM=
X-Received: by 2002:a05:6820:4d04:b0:604:2b3:2c9b with SMTP id
 006d021491bc7-60652baa42bmr1003334eaf.4.1745585595626; Fri, 25 Apr 2025
 05:53:15 -0700 (PDT)
MIME-Version: 1.0
References: <CAMH-PzUPN7JcLXJx-aJzGnJD2T-aSMo8gaMFkzO_x26urpMqSA@mail.gmail.com>
 <88804c921b425d37a3072b5698b558a763d80d63.camel@cybertec.at>
In-Reply-To: <88804c921b425d37a3072b5698b558a763d80d63.camel@cybertec.at>
From: Dominique Devienne <ddevienne@gmail.com>
Date: Fri, 25 Apr 2025 14:52:43 +0200
X-Gm-Features: ATxdqUHOa9JXYoxgXG_YTnC4pU5N6uQFH92m912hMIDJ9U3zIJMpgJiNzlTRnhE
Message-ID: <CAFCRh-_fXGfKk6b26xaDD1fg5OhLy92bNofmeDfX2TFjkQLLXA@mail.gmail.com>
Subject: Re: Clarification on RLS policy
To: Laurenz Albe <laurenz.albe@cybertec.at>
Cc: Vydehi Ganti <rayudugs@gmail.com>, pgsql-general@lists.postgresql.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/CAFCRh-_fXGfKk6b26xaDD1fg5OhLy92bNofmeDfX2TFjkQLLXA%40mail.gmail.com>
Precedence: bulk

On Fri, Apr 25, 2025 at 2:43=E2=80=AFPM Laurenz Albe <laurenz.albe@cybertec=
.at> wrote:
> On Fri, 2025-04-25 at 12:38 +0530, Vydehi Ganti wrote:
> > We are presently using Postgresql:PostgreSQL 15.12 on x86_64-pc-linux-g=
nu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-23), 64-bit
> > 2.The function would return a character varying string which should be =
appended
> >   to the select as a filter.
>
> You cannot add whole WHERE conditions to a query dynamically.
> The only way to fix that is to solve the problem differently.
> Since you didn't tell us details, we cannot tell you how.

Laurenz is right. That's not how RLS works in PostgreSQL, unlike Oracle.
In PostgreSQL, you must use a boolean SQL expression, often by calling
a function.
You don't simply return some SQL text that Oracle then "splices" into
the SELECT.

E.g., if you use custom ROLEs as an implementation detail for your
security rules,
your policy can be as simple as calling the pg_has_role() built-in
function. FWIW. --DD

CREATE POLICY ... USING (pg_has_role('SomeRole', 'MEMBER'))