<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>Row Security Policies</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
REV="MADE"
HREF="mailto:pgsql-docs@postgresql.org"><LINK
REL="HOME"
TITLE="PostgreSQL 9.6.22 Documentation"
HREF="index.html"><LINK
REL="UP"
TITLE="Data Definition"
HREF="ddl.html"><LINK
REL="PREVIOUS"
TITLE="Privileges"
HREF="ddl-priv.html"><LINK
REL="NEXT"
TITLE="Schemas"
HREF="ddl-schemas.html"><LINK
REL="STYLESHEET"
TYPE="text/css"
HREF="stylesheet.css"><META
HTTP-EQUIV="Content-Type"
CONTENT="text/html; charset=ISO-8859-1"><META
NAME="creation"
CONTENT="2021-05-18T09:16:10"></HEAD
><BODY
CLASS="SECT1"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="4"
ALIGN="center"
VALIGN="bottom"
><A
HREF="index.html"
>PostgreSQL 9.6.22 Documentation</A
></TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="top"
><A
TITLE="Privileges"
HREF="ddl-priv.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="top"
><A
HREF="ddl.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="60%"
ALIGN="center"
VALIGN="bottom"
>Chapter 5. Data Definition</TD
><TD
WIDTH="20%"
ALIGN="right"
VALIGN="top"
><A
TITLE="Schemas"
HREF="ddl-schemas.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="DDL-ROWSECURITY"
>5.7. Row Security Policies</A
></H1
><P
> In addition to the SQL-standard <A
HREF="ddl-priv.html"
>privilege
system</A
> available through <A
HREF="sql-grant.html"
>GRANT</A
>,
tables can have <I
CLASS="FIRSTTERM"
>row security policies</I
> that restrict,
on a per-user basis, which rows can be returned by normal queries
or inserted, updated, or deleted by data modification commands.
This feature is also known as <I
CLASS="FIRSTTERM"
>Row-Level Security</I
>.
By default, tables do not have any policies, so that if a user has
access privileges to a table according to the SQL privilege system,
all rows within it are equally available for querying or updating.
</P
><P
> When row security is enabled on a table (with
<A
HREF="sql-altertable.html"
>ALTER TABLE ... ENABLE ROW LEVEL
SECURITY</A
>), all normal access to the table for selecting rows or
modifying rows must be allowed by a row security policy. (However, the
table's owner is typically not subject to row security policies.) If no
policy exists for the table, a default-deny policy is used, meaning that
no rows are visible or can be modified. Operations that apply to the
whole table, such as <TT
CLASS="COMMAND"
>TRUNCATE</TT
> and <TT
CLASS="LITERAL"
>REFERENCES</TT
>,
are not subject to row security.
</P
><P
> Row security policies can be specific to commands, or to roles, or to
both. A policy can be specified to apply to <TT
CLASS="LITERAL"
>ALL</TT
>
commands, or to <TT
CLASS="LITERAL"
>SELECT</TT
>, <TT
CLASS="LITERAL"
>INSERT</TT
>, <TT
CLASS="LITERAL"
>UPDATE</TT
>,
or <TT
CLASS="LITERAL"
>DELETE</TT
>. Multiple roles can be assigned to a given
policy, and normal role membership and inheritance rules apply.
</P
><P
> To specify which rows are visible or modifiable according to a policy,
an expression is required that returns a Boolean result. This
expression will be evaluated for each row prior to any conditions or
functions coming from the user's query. (The only exceptions to this
rule are <TT
CLASS="LITERAL"
>leakproof</TT
> functions, which are guaranteed to
not leak information; the optimizer may choose to apply such functions
ahead of the row-security check.) Rows for which the expression does
not return <TT
CLASS="LITERAL"
>true</TT
> will not be processed. Separate expressions
may be specified to provide independent control over the rows which are
visible and the rows which are allowed to be modified. Policy
expressions are run as part of the query and with the privileges of the
user running the query, although security-definer functions can be used
to access data not available to the calling user.
</P
><P
> Superusers and roles with the <TT
CLASS="LITERAL"
>BYPASSRLS</TT
> attribute always
bypass the row security system when accessing a table. Table owners
normally bypass row security as well, though a table owner can choose to
be subject to row security with <A
HREF="sql-altertable.html"
>ALTER
TABLE ... FORCE ROW LEVEL SECURITY</A
>.
</P
><P
> Enabling and disabling row security, as well as adding policies to a
table, is always the privilege of the table owner only.
</P
><P
> Policies are created using the <A
HREF="sql-createpolicy.html"
>CREATE POLICY</A
>
command, altered using the <A
HREF="sql-alterpolicy.html"
>ALTER POLICY</A
> command,
and dropped using the <A
HREF="sql-droppolicy.html"
>DROP POLICY</A
> command. To
enable and disable row security for a given table, use the
<A
HREF="sql-altertable.html"
>ALTER TABLE</A
> command.
</P
><P
> Each policy has a name and multiple policies can be defined for a
table. As policies are table-specific, each policy for a table must
have a unique name. Different tables may have policies with the
same name.
</P
><P
> When multiple policies apply to a given query, they are combined using
<TT
CLASS="LITERAL"
>OR</TT
>, so that a row is accessible if any policy allows
it. This is similar to the rule that a given role has the privileges
of all roles that they are a member of.
</P
><P
> As a simple example, here is how to create a policy on
the <TT
CLASS="LITERAL"
>account</TT
> relation to allow only members of
the <TT
CLASS="LITERAL"
>managers</TT
> role to access rows, and only rows of their
accounts:
</P
><PRE
CLASS="PROGRAMLISTING"
>CREATE TABLE accounts (manager text, company text, contact_email text);
ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
CREATE POLICY account_managers ON accounts TO managers
USING (manager = current_user);</PRE
><P
> The policy above implicitly provides a <TT
CLASS="LITERAL"
>WITH CHECK</TT
>
clause identical to its <TT
CLASS="LITERAL"
>USING</TT
> clause, so that the
constraint applies both to rows selected by a command (so a manager
cannot <TT
CLASS="COMMAND"
>SELECT</TT
>, <TT
CLASS="COMMAND"
>UPDATE</TT
>,
or <TT
CLASS="COMMAND"
>DELETE</TT
> existing rows belonging to a different
manager) and to rows modified by a command (so rows belonging to a
different manager cannot be created via <TT
CLASS="COMMAND"
>INSERT</TT
>
or <TT
CLASS="COMMAND"
>UPDATE</TT
>).
</P
><P
> If no role is specified, or the special user name
<TT
CLASS="LITERAL"
>PUBLIC</TT
> is used, then the policy applies to all
users on the system. To allow all users to access only their own row in
a <TT
CLASS="LITERAL"
>users</TT
> table, a simple policy can be used:
</P
><PRE
CLASS="PROGRAMLISTING"
>CREATE POLICY user_policy ON users
USING (user_name = current_user);</PRE
><P
> This works similarly to the previous example.
</P
><P
> To use a different policy for rows that are being added to the table
compared to those rows that are visible, multiple policies can be
combined. This pair of policies would allow all users to view all rows
in the <TT
CLASS="LITERAL"
>users</TT
> table, but only modify their own:
</P
><PRE
CLASS="PROGRAMLISTING"
>CREATE POLICY user_sel_policy ON users
FOR SELECT
USING (true);
CREATE POLICY user_mod_policy ON users
USING (user_name = current_user);</PRE
><P
> In a <TT
CLASS="COMMAND"
>SELECT</TT
> command, these two policies are combined
using <TT
CLASS="LITERAL"
>OR</TT
>, with the net effect being that all rows
can be selected. In other command types, only the second policy applies,
so that the effects are the same as before.
</P
><P
> Row security can also be disabled with the <TT
CLASS="COMMAND"
>ALTER TABLE</TT
>
command. Disabling row security does not remove any policies that are
defined on the table; they are simply ignored. Then all rows in the
table are visible and modifiable, subject to the standard SQL privileges
system.
</P
><P
> Below is a larger example of how this feature can be used in production
environments. The table <TT
CLASS="LITERAL"
>passwd</TT
> emulates a Unix password
file:
</P
><PRE
CLASS="PROGRAMLISTING"
>-- Simple passwd-file based example
CREATE TABLE passwd (
user_name text UNIQUE NOT NULL,
pwhash text,
uid int PRIMARY KEY,
gid int NOT NULL,
real_name text NOT NULL,
home_phone text,
extra_info text,
home_dir text NOT NULL,
shell text NOT NULL
);
CREATE ROLE admin; -- Administrator
CREATE ROLE bob; -- Normal user
CREATE ROLE alice; -- Normal user
-- Populate the table
INSERT INTO passwd VALUES
('admin','xxx',0,0,'Admin','111-222-3333',null,'/root','/bin/dash');
INSERT INTO passwd VALUES
('bob','xxx',1,1,'Bob','123-456-7890',null,'/home/bob','/bin/zsh');
INSERT INTO passwd VALUES
('alice','xxx',2,1,'Alice','098-765-4321',null,'/home/alice','/bin/zsh');
-- Be sure to enable row level security on the table
ALTER TABLE passwd ENABLE ROW LEVEL SECURITY;
-- Create policies
-- Administrator can see all rows and add any rows
CREATE POLICY admin_all ON passwd TO admin USING (true) WITH CHECK (true);
-- Normal users can view all rows
CREATE POLICY all_view ON passwd FOR SELECT USING (true);
-- Normal users can update their own records, but
-- limit which shells a normal user is allowed to set
CREATE POLICY user_mod ON passwd FOR UPDATE
USING (current_user = user_name)
WITH CHECK (
current_user = user_name AND
shell IN ('/bin/bash','/bin/sh','/bin/dash','/bin/zsh','/bin/tcsh')
);
-- Allow admin all normal rights
GRANT SELECT, INSERT, UPDATE, DELETE ON passwd TO admin;
-- Users only get select access on public columns
GRANT SELECT
(user_name, uid, gid, real_name, home_phone, extra_info, home_dir, shell)
ON passwd TO public;
-- Allow users to update certain columns
GRANT UPDATE
(pwhash, real_name, home_phone, extra_info, shell)
ON passwd TO public;</PRE
><P
> As with any security settings, it's important to test and ensure that
the system is behaving as expected. Using the example above, this
demonstrates that the permission system is working properly.
</P
><PRE
CLASS="PROGRAMLISTING"
>-- admin can view all rows and fields
postgres=> set role admin;
SET
postgres=> table passwd;
user_name | pwhash | uid | gid | real_name | home_phone | extra_info | home_dir | shell
-----------+--------+-----+-----+-----------+--------------+------------+-------------+-----------
admin | xxx | 0 | 0 | Admin | 111-222-3333 | | /root | /bin/dash
bob | xxx | 1 | 1 | Bob | 123-456-7890 | | /home/bob | /bin/zsh
alice | xxx | 2 | 1 | Alice | 098-765-4321 | | /home/alice | /bin/zsh
(3 rows)
-- Test what Alice is able to do
postgres=> set role alice;
SET
postgres=> table passwd;
ERROR: permission denied for relation passwd
postgres=> select user_name,real_name,home_phone,extra_info,home_dir,shell from passwd;
user_name | real_name | home_phone | extra_info | home_dir | shell
-----------+-----------+--------------+------------+-------------+-----------
admin | Admin | 111-222-3333 | | /root | /bin/dash
bob | Bob | 123-456-7890 | | /home/bob | /bin/zsh
alice | Alice | 098-765-4321 | | /home/alice | /bin/zsh
(3 rows)
postgres=> update passwd set user_name = 'joe';
ERROR: permission denied for relation passwd
-- Alice is allowed to change her own real_name, but no others
postgres=> update passwd set real_name = 'Alice Doe';
UPDATE 1
postgres=> update passwd set real_name = 'John Doe' where user_name = 'admin';
UPDATE 0
postgres=> update passwd set shell = '/bin/xx';
ERROR: new row violates WITH CHECK OPTION for "passwd"
postgres=> delete from passwd;
ERROR: permission denied for relation passwd
postgres=> insert into passwd (user_name) values ('xxx');
ERROR: permission denied for relation passwd
-- Alice can change her own password; RLS silently prevents updating other rows
postgres=> update passwd set pwhash = 'abc';
UPDATE 1</PRE
><P
> Referential integrity checks, such as unique or primary key constraints
and foreign key references, always bypass row security to ensure that
data integrity is maintained. Care must be taken when developing
schemas and row level policies to avoid <SPAN
CLASS="QUOTE"
>"covert channel"</SPAN
> leaks of
information through such referential integrity checks.
</P
><P
> In some contexts it is important to be sure that row security is
not being applied. For example, when taking a backup, it could be
disastrous if row security silently caused some rows to be omitted
from the backup. In such a situation, you can set the
<A
HREF="runtime-config-client.html#GUC-ROW-SECURITY"
>row_security</A
> configuration parameter
to <TT
CLASS="LITERAL"
>off</TT
>. This does not in itself bypass row security;
what it does is throw an error if any query's results would get filtered
by a policy. The reason for the error can then be investigated and
fixed.
</P
><P
> In the examples above, the policy expressions consider only the current
values in the row to be accessed or updated. This is the simplest and
best-performing case; when possible, it's best to design row security
applications to work this way. If it is necessary to consult other rows
or other tables to make a policy decision, that can be accomplished using
sub-<TT
CLASS="COMMAND"
>SELECT</TT
>s, or functions that contain <TT
CLASS="COMMAND"
>SELECT</TT
>s,
in the policy expressions. Be aware however that such accesses can
create race conditions that could allow information leakage if care is
not taken. As an example, consider the following table design:
</P
><PRE
CLASS="PROGRAMLISTING"
>-- definition of privilege groups
CREATE TABLE groups (group_id int PRIMARY KEY,
group_name text NOT NULL);
INSERT INTO groups VALUES
(1, 'low'),
(2, 'medium'),
(5, 'high');
GRANT ALL ON groups TO alice; -- alice is the administrator
GRANT SELECT ON groups TO public;
-- definition of users' privilege levels
CREATE TABLE users (user_name text PRIMARY KEY,
group_id int NOT NULL REFERENCES groups);
INSERT INTO users VALUES
('alice', 5),
('bob', 2),
('mallory', 2);
GRANT ALL ON users TO alice;
GRANT SELECT ON users TO public;
-- table holding the information to be protected
CREATE TABLE information (info text,
group_id int NOT NULL REFERENCES groups);
INSERT INTO information VALUES
('barely secret', 1),
('slightly secret', 2),
('very secret', 5);
ALTER TABLE information ENABLE ROW LEVEL SECURITY;
-- a row should be visible to/updatable by users whose security group_id is
-- greater than or equal to the row's group_id
CREATE POLICY fp_s ON information FOR SELECT
USING (group_id <= (SELECT group_id FROM users WHERE user_name = current_user));
CREATE POLICY fp_u ON information FOR UPDATE
USING (group_id <= (SELECT group_id FROM users WHERE user_name = current_user));
-- we rely only on RLS to protect the information table
GRANT ALL ON information TO public;</PRE
><P
> Now suppose that <TT
CLASS="LITERAL"
>alice</TT
> wishes to change the <SPAN
CLASS="QUOTE"
>"slightly
secret"</SPAN
> information, but decides that <TT
CLASS="LITERAL"
>mallory</TT
> should not
be trusted with the new content of that row, so she does:
</P
><PRE
CLASS="PROGRAMLISTING"
>BEGIN;
UPDATE users SET group_id = 1 WHERE user_name = 'mallory';
UPDATE information SET info = 'secret from mallory' WHERE group_id = 2;
COMMIT;</PRE
><P
> That looks safe; there is no window wherein <TT
CLASS="LITERAL"
>mallory</TT
> should be
able to see the <SPAN
CLASS="QUOTE"
>"secret from mallory"</SPAN
> string. However, there is
a race condition here. If <TT
CLASS="LITERAL"
>mallory</TT
> is concurrently doing,
say,
</P><PRE
CLASS="PROGRAMLISTING"
>SELECT * FROM information WHERE group_id = 2 FOR UPDATE;</PRE
><P>
and her transaction is in <TT
CLASS="LITERAL"
>READ COMMITTED</TT
> mode, it is possible
for her to see <SPAN
CLASS="QUOTE"
>"secret from mallory"</SPAN
>. That happens if her
transaction reaches the <TT
CLASS="STRUCTNAME"
>information</TT
> row just
after <TT
CLASS="LITERAL"
>alice</TT
>'s does. It blocks waiting
for <TT
CLASS="LITERAL"
>alice</TT
>'s transaction to commit, then fetches the updated
row contents thanks to the <TT
CLASS="LITERAL"
>FOR UPDATE</TT
> clause. However, it
does <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>not</I
></SPAN
> fetch an updated row for the
implicit <TT
CLASS="COMMAND"
>SELECT</TT
> from <TT
CLASS="STRUCTNAME"
>users</TT
>, because that
sub-<TT
CLASS="COMMAND"
>SELECT</TT
> did not have <TT
CLASS="LITERAL"
>FOR UPDATE</TT
>; instead
the <TT
CLASS="STRUCTNAME"
>users</TT
> row is read with the snapshot taken at the start
of the query. Therefore, the policy expression tests the old value
of <TT
CLASS="LITERAL"
>mallory</TT
>'s privilege level and allows her to see the
updated row.
</P
><P
> There are several ways around this problem. One simple answer is to use
<TT
CLASS="LITERAL"
>SELECT ... FOR SHARE</TT
> in sub-<TT
CLASS="COMMAND"
>SELECT</TT
>s in row
security policies. However, that requires granting <TT
CLASS="LITERAL"
>UPDATE</TT
>
privilege on the referenced table (here <TT
CLASS="STRUCTNAME"
>users</TT
>) to the
affected users, which might be undesirable. (But another row security
policy could be applied to prevent them from actually exercising that
privilege; or the sub-<TT
CLASS="COMMAND"
>SELECT</TT
> could be embedded into a security
definer function.) Also, heavy concurrent use of row share locks on the
referenced table could pose a performance problem, especially if updates
of it are frequent. Another solution, practical if updates of the
referenced table are infrequent, is to take an
<TT
CLASS="LITERAL"
>ACCESS EXCLUSIVE</TT
> lock on the
referenced table when updating it, so that no concurrent transactions
could be examining old row values. Or one could just wait for all
concurrent transactions to end after committing an update of the
referenced table and before making changes that rely on the new security
situation.
</P
><P
> For additional details see <A
HREF="sql-createpolicy.html"
>CREATE POLICY</A
>
and <A
HREF="sql-altertable.html"
>ALTER TABLE</A
>.
</P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="ddl-priv.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="ddl-schemas.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Privileges</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="ddl.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Schemas</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
distrib
>
Mageia
>
7
>
armv7hl
>
media
>
core-updates
>
by-pkgid
>
5fea23694c765462b86d6ddf74461eab
>
files
>
195
