From 8f04c782b525315a5524dc67798f43465f7ef0c0 Mon Sep 17 00:00:00 2001 From: Christoph Heiss Date: Wed, 2 Feb 2022 18:11:47 +0100 Subject: [PATCH v4 3/3] Add documentation for new security_invoker reloption on views Signed-off-by: Christoph Heiss --- doc/src/sgml/ref/alter_view.sgml | 10 +++++++ doc/src/sgml/ref/create_view.sgml | 43 ++++++++++++++++++++++++------- 2 files changed, 43 insertions(+), 10 deletions(-) diff --git a/doc/src/sgml/ref/alter_view.sgml b/doc/src/sgml/ref/alter_view.sgml index 98c312c5bf..cb9df185e2 100644 --- a/doc/src/sgml/ref/alter_view.sgml +++ b/doc/src/sgml/ref/alter_view.sgml @@ -161,6 +161,16 @@ ALTER VIEW [ IF EXISTS ] name RESET + + security_invoker (boolean) + + + Changes the security-invoker property of the view. The value must + be Boolean value, such as true + or false. + + + diff --git a/doc/src/sgml/ref/create_view.sgml b/doc/src/sgml/ref/create_view.sgml index bf03287592..33d4fde6fc 100644 --- a/doc/src/sgml/ref/create_view.sgml +++ b/doc/src/sgml/ref/create_view.sgml @@ -137,8 +137,6 @@ CREATE VIEW [ schema . ] view_namelocal or cascaded, and is equivalent to specifying WITH [ CASCADED | LOCAL ] CHECK OPTION (see below). - This option can be changed on existing views using ALTER VIEW. @@ -152,7 +150,22 @@ CREATE VIEW [ schema . ] view_name - + + + security_invoker (boolean) + + + If this option is set, it will cause all access to the underlying + tables to be checked as referenced by the invoking user, rather than + the view owner. + + + + + + All of the above options can be changed on existing views using ALTER VIEW. + @@ -265,13 +278,23 @@ CREATE VIEW vista AS SELECT text 'Hello World' AS hello; - Access to tables referenced in the view is determined by permissions of - the view owner. In some cases, this can be used to provide secure but - restricted access to the underlying tables. However, not all views are - secure against tampering; see for - details. Functions called in the view are treated the same as if they had - been called directly from the query using the view. Therefore the user of - a view must have permissions to call all functions used by the view. + By default, access to tables referenced in the view is determined by + permissions of the view owner. In some cases, this can be used to provide + secure but restricted access to the underlying tables. However, not all + views are secure against tampering; see + for details. Functions called in the view are treated the same as if they + had been called directly from the query using the view. Therefore the user + of a view must have permissions to call all functions used by the view. + + + + If the security_invoker option is set on the view, + access to tables is determined by permissions of the invoking user, rather + than the view owner. This can be used to provide stricter permission + checking to the underlying tables than by default. Policies defined on the + underlying tables are then also checked against the invoking user when + row-level security is enabled on + these tables. -- 2.35.1