Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wVXhV-0022EK-2g for pgsql-hackers@arkaria.postgresql.org; Fri, 05 Jun 2026 16:47:17 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wVXhS-00DKOD-2z for pgsql-hackers@arkaria.postgresql.org; Fri, 05 Jun 2026 16:47:14 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wVXhS-00DKO4-1j for pgsql-hackers@lists.postgresql.org; Fri, 05 Jun 2026 16:47:14 +0000 Received: from mail-yx1-xb130.google.com ([2607:f8b0:4864:20::b130]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1wVXhQ-00000001S7j-0Id7 for pgsql-hackers@postgresql.org; Fri, 05 Jun 2026 16:47:13 +0000 Received: by mail-yx1-xb130.google.com with SMTP id 956f58d0204a3-6606d5900dbso785009d50.2 for ; Fri, 05 Jun 2026 09:47:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1780678029; cv=none; d=google.com; s=arc-20240605; b=knpgxFbqQVNhZdQh3lIA09J/Ti+xfXCdYPI81w0lxSVVji42fVAE3wbVoOWz/HXF0r v0XoLvx5XKJlbs8YeDn8VrwO0cbhbqQFd2ZVlniAN7MJ8vgNBwtjsnP4o+LLepR1mTcl GLV8HkIHVcvZfKjMoakeYO0z+bkpRbXbT2Z8si4CxXrFgvUlKdbBSR2eeyNmP1TqvVGD iHUeoicINebKJUicubRGz6D4V20xi6Y+HtI9BGYQ/lYbuT+zJymKAjf0GuVi262vzq3k p9pgRvq4xhac+hvqVlbD/slMY7qDi1mZLKP9cwjcshnXpmk5Dm4TqWhmarffmFoooD5V xmGw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=rMnSSciUdydPBL7k2tkt3oxv40Dd2A23i/MCm6wvMSo=; fh=bJ4O8yNmnMbTWRMx/ZgGWFLu4ogwIbhluK4tZKeDevU=; b=fGk40/nlINUb9aQlG62u3ZFFc7mOn5sd7exFfSzvFPbGmHeXnnBJO+/ZS0jz/zWFzm DOe2xDQroexRFtT5n6lCNSs/r9FBW2DcxUFsG8TKDGH5gFAWCPgQ12mHgpLt9K6AnhEm G7Ly47pLprJvrxFnsNOWIwtqJlDvRYcjCvRVyRjUwf/qCidTjZ2nNT9PJ3FPCXKfr4XT h2fS+UgKhr2qGgUsoFsg16j8Vq2xC5afsMp5WvZqccl6prm2cDQKz4qp3tG2XrrqpZaz NakuifTOFLjjxKC5Xr0d+mkQDZJxV8iO5kAFl1wBkxmoyenJmafMUYOLj2Wje37Ccdvh uL/A==; darn=postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780678029; x=1781282829; darn=postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=rMnSSciUdydPBL7k2tkt3oxv40Dd2A23i/MCm6wvMSo=; b=tLaLd3UtwZvb9jRMHI/BU5bFXVA4FxJ+BYsyzoF/QivDxom1S6wbBG2uZlyj/sUoAj 3Ucm8zKMxkqt5C1ZrtR7erEeNWGxK19mqzwb3I765iNpyiXmmL/VT3ZPWTi23UpzEXrZ c3x532W4zh2+c9xB2lwSSkscVHB12Gj/8UZpvX9e2BbXinsQinyXOwKMjGGzeLlJ6glE h0VWwDVAQYsPxEBa/t8hZS3r/VEV1ZdQxoTJqea0v6azELFcT3GJlD6pgKu7OnRV4D9x v2b4ImvHSyBRmElBnpnKuBv4rPmxti31PGnZFYaAv/3CVFwOJaxWpR8go3eFZJHJ6p35 gH+Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780678029; x=1781282829; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=rMnSSciUdydPBL7k2tkt3oxv40Dd2A23i/MCm6wvMSo=; b=OPj5b1aNDwUm5g/nBy0dATTm9pK9qi1XvNPM9wCQaZqcO2bpuKkIrdOUQ+euSF663N jgAXbJ8bDy/SOVbT225bQbrb3CPiIp7hq0vj1QZDsEtpAwpD5fbhO4PbAczpJk0fdGml 1cbjEu6hYml1nBPSFCNrOS8k76rLF1sTVIX0Z6p7nfA29gyqUmMo2f+mwkGR4iMnrPw2 Gt5s84k/fqx53+dUVN2iNgiTumLBO1AmmcgCTEwLdFe+VypPfF1u89+9ErHPxQzUqLWd XJELbdPFhF3xhmdUpckVCwlaFABs7sZWINb6bDPLkQpfcncCVTDTpF7Vntqe7PW9wE7h lRWQ== X-Gm-Message-State: AOJu0Yx1h3pcgVqLTK85cRy5966bfDEe3bKXYhi/4QwHvKs9FiJ2ifpD dhoLMSkRhk7jgHbSA6/AUdB3MvJ2hIVIEdBxtNUuujQwLLvOLR8S23CRR2NXrvbLMPFJH600Heb tZpVOjsjHDEZozM9kIeIa4l0d2M03TJ+CeDZECGE= X-Gm-Gg: Acq92OG9rgfSp4NiBZST4eRhP9Ur0lw/XtTlTDfNWVzy53vrcsqgQKOaYPxKG/JOcE/ 9i72C5hKf+0+GeSjO7T3gUUMScETg1rSkqL+6Mzd9KpzvK3LyoPIw3SLIL1RPb5SeLPN09Z3EpD DrK39W52MRquve8Y3pbMbbtS0YzZOOAI5Nlk/cUZSnw1YZ3GjY8ha3qZe+x0j3q8GEPUUXGzmMK aUeDlo35kTYgy8DjaJZpaF/HLOecAdSAYheEfPKjOrwhkVpn2Q4zdUp+ecTeAXbf4BCbtEdIT7Q sMQBCZ++O8556CWd X-Received: by 2002:a05:690e:488c:10b0:660:4090:90e8 with SMTP id 956f58d0204a3-66106ebcee8mr3265245d50.29.1780678029280; Fri, 05 Jun 2026 09:47:09 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Ayush Tiwari Date: Fri, 5 Jun 2026 22:16:57 +0530 X-Gm-Features: AVVi8Ceh62azlYSiiEiuu3unW7E6Do0IEPDve1GnEk4TPzSeSDWK21GQPGtpUks Message-ID: Subject: Re: Enforce INSERT RLS checks for FOR PORTION OF leftovers? To: Paul A Jungwirth Cc: PostgreSQL Hackers , Peter Eisentraut Content-Type: multipart/alternative; boundary="000000000000650a1a06538469e3" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000650a1a06538469e3 Content-Type: text/plain; charset="UTF-8" Hi, On Sat, 16 May 2026 at 22:20, Paul A Jungwirth wrote: Skipping the RLS checks to insert the leftovers seems like the correct > behavior to me, since we are skipping the ACL checks (per the > standard). Shouldn't it be consistent? > > I think the reason we skip the checks is that semantically, the > leftovers aren't changing anything: they are preserving the history > that is already there. > > I'm happy to write a doc patch to make this explicit. Does anyone > disagree about the correct behavior though? > I'd treat them separately. Skipping INSERT ACL is a standard-driven call about command privilege; RLS WITH CHECK is a per-row predicate on the data, and the leftover really is a new heap tuple written by the current role. With `WITH CHECK (name <> 'denied')` and a pre-existing 'denied' row (loaded by COPY or before the policy), UPDATE FOR PORTION OF that touches only the range column writes leftovers the role could not have INSERTed directly. That's the part that bothers me, especially since RLS tends to be deployed as a hard security boundary rather than something users expect to opt out of per statement type. Please correct me if I'm wrong here. Regards, Ayush --000000000000650a1a06538469e3 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi,

On Sat, 16 May 2= 026 at 22:20, Paul A Jungwirth <pj@illuminatedcomputing.com> wrote:

Skipping the RLS checks to insert the leftovers seems like the correct
behavior to me, since we are skipping the ACL checks (per the
standard). Shouldn't it be consistent?

I think the reason we skip the checks is that semantically, the
leftovers aren't changing anything: they are preserving the history
that is already there.

I'm happy to write a doc patch to make this explicit. Does anyone
disagree about the correct behavior though?

= I'd treat them separately.=C2=A0 Skipping INSERT ACL is a standard-driv= en
call about command privilege; RLS WITH CHECK is a per-row predicateon the data, and the leftover really is a new heap tuple written by
th= e current role.

With `WITH CHECK (name <> 'denied')` a= nd a pre-existing 'denied' row
(loaded by COPY or before the pol= icy), UPDATE FOR PORTION OF that
touches only the range column writes le= ftovers the role could not
have INSERTed directly.=C2=A0 That's the = part that bothers me, especially
since RLS tends to be deployed as a har= d security boundary rather
than something users expect to opt out o= f per statement type.=C2=A0
Please correct me if I'm wrong he= re.

Regards,
Ayush
--000000000000650a1a06538469e3--