public inbox for [email protected]
Re: Q on SELECT column list pushdown from view to table
* Re: Q on SELECT column list pushdown from view to table
From: Tom Lane @ 2025-03-25 22:55 UTC (permalink / raw)
To: Karsten Hilbert <[email protected]>; +Cc: [email protected]

Karsten Hilbert <[email protected]> writes:
> I expected this:
>
> set role "restricted-role";
> -- this works:
> select public_col from t_partially_private;
> -- this fails: with "permission denied on table t_partially_private"
> select public_col from v_partially_private;
>
> to work but selecting from the view fails.

Works fine if you don't mess with the view's security_invoker
status.

regards, tom lane

* Re: Q on SELECT column list pushdown from view to table
From: Karsten Hilbert @ 2025-03-26 17:24 UTC (permalink / raw)
To: Tom Lane <[email protected]>; +Cc: [email protected]

On Tue, Mar 25, 2025 at 06:55:34PM -0400, Tom Lane wrote:
> Karsten Hilbert <[email protected]> writes:
> > I expected this:
>
> > set role "restricted-role";
> > -- this works:
> > select public_col from t_partially_private;
> > -- this fails: with "permission denied on table t_partially_private"
> > select public_col from v_partially_private;
>
> > to work but selecting from the view fails.
>
> Works fine if you don't mess with the view's security_invoker
> status.

I know but doing so was kind of the point.

The views are created by a "database owner" role having
access to all tables. Therefore, roles using the views would
normally gain access to tables they are otherwise not
allowed to read. Hence setting security to invoker made a
lot of sense at first sight ...

Perhaps I am misunderstanding the intent of the feature.

Karsten
--
GPG 40BE 5B0E C98E 1713 AFA6 5BC0 3BEA AC80 7D4F C89B
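
The setup discussed in this thread, reconstructed as an added example (not code from either poster). The object names, the role name and the two reported outcomes come from the messages; the column `private_col`, both view definitions and the view `v_public_only` are assumptions, in particular that the original view references a column the role cannot read.

```sql
-- Constructed reproduction for a scratch database, run as a superuser.
-- The security_invoker view option requires PostgreSQL 15 or later.
CREATE ROLE "restricted-role";

CREATE TABLE t_partially_private (
    public_col  text,
    private_col text          -- assumed name for the protected column
);
INSERT INTO t_partially_private VALUES ('visible', 'secret');

-- Column-level grant: the role may read public_col only.
GRANT SELECT (public_col) ON t_partially_private TO "restricted-role";

-- Assumed definition: the view references both columns, and
-- security_invoker makes the base-table privilege check run as the caller.
CREATE VIEW v_partially_private WITH (security_invoker = true) AS
    SELECT public_col, private_col FROM t_partially_private;
GRANT SELECT ON v_partially_private TO "restricted-role";

-- Hypothetical alternative: a default (owner-rights) view that exposes
-- only the public column. The base table is checked against the view
-- owner's privileges, so the view's column list is the access boundary.
CREATE VIEW v_public_only AS
    SELECT public_col FROM t_partially_private;
GRANT SELECT ON v_public_only TO "restricted-role";

SET ROLE "restricted-role";

-- Reported in the thread as working.
SELECT public_col FROM t_partially_private;

-- Reported in the thread as failing with permission denied on the table.
SELECT public_col FROM v_partially_private;

-- Owner-rights view: the caller needs SELECT on the view only.
SELECT public_col FROM v_public_only;

RESET ROLE;

-- Review which columns each role can reach directly on the base table.
SELECT grantee, column_name, privilege_type
FROM information_schema.column_privileges
WHERE table_name = 't_partially_private'
ORDER BY grantee, column_name;
```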