pg_dump & RLS

Started by Eduard Catalàover 5 years ago2 messagesgeneral

eduard.catala@gmail.com

over 5 years ago

Hi all,
Sorry if this is not the appropriate list, I think so.

- ¿is posible to export using pg_dump only the rows that satisfy a rls
check?
- Of course, yes, use the --enable-row-security option in pg_dump
- Yes, but my RLS expression relies on a GUC:
CREATE POLICY my_policy ON my_table USING (company_id =
*current_setting('company_id')::int*);
Prior to starting dumping I need to set the company_id GUC into the
session, if not, there's no way to only export some rows.

Any ideas?
- Execute a command before starting the export
- Some kind of login trigger for a special user
- ...

Thank you!

Tom Lane

tgl@sss.pgh.pa.us

over 5 years ago

In reply to: Eduard Català (#1)

Re: pg_dump & RLS

=?UTF-8?Q?Eduard_Catal=C3=A0?= <eduard.catala@gmail.com> writes:

- ¿is posible to export using pg_dump only the rows that satisfy a rls
check?
- Of course, yes, use the --enable-row-security option in pg_dump
- Yes, but my RLS expression relies on a GUC:
CREATE POLICY my_policy ON my_table USING (company_id =
*current_setting('company_id')::int*);

That isn't the world's greatest design, but you should be
able to do something like

export PGOPTIONS="-c custom.company_id=42"
pg_dump ...

I kind of wonder why bother with RLS if any user can bypass it
just by changing a GUC, though. It'd be better for the policy
to check something like role membership.

regards, tom lane