Extend CREATE POLICY to add IF EXISTS

I forgot DROP POLICY already has IF EXISTS

From: Paul Austin <paul.austin@automutatio.com>
Sent: October 20, 2025 2:46 PM
To: pgsql-general@lists.postgresql.org
Subject: Extend CREATE POLICY to add IF EXISTS

Many (but not all) DDL statements use the pattern IF EXISTS or IF NOT EXISTS. This is really useful if you want to create a re-start-able data model update script without needing to have PL/pgSQL blocks that has checks to see if it exists.

An example of a statement that doesn't implement this pattern in the CREATE POLICY statement.

Is there a plan to add this pattern to the rest of the DDL statements? Or could it be added to the CREATE/DROP POLICY statements?

Thanks,
Paul

On 10/20/25 14:49, Paul Austin wrote:

I forgot DROP POLICY already has IF EXISTS

I take it that works for you?

*From:*Paul Austin <paul.austin@automutatio.com>
*Sent:* October 20, 2025 2:46 PM
*To:* pgsql-general@lists.postgresql.org
*Subject:* Extend CREATE POLICY to add IF EXISTS

Many (but not all) DDL statements use the pattern IF EXISTS or IF NOT
EXISTS. This is really useful if you want to create a re-start-able data
model update script without needing to have PL/pgSQL blocks that has
checks to see if it exists.

An example of a statement that doesn’t implement this pattern in the
CREATE POLICY statement.

Is there a plan to add this pattern to the rest of the DDL statements?
Or could it be added to the CREATE/DROP POLICY statements?

Thanks,

Paul

--
Adrian Klaver
adrian.klaver@aklaver.com

Adrian,

The drop policy IF EXISTS does work.

But it would be nice to have the IF NOT EXISTS on CREATE POLICY so I don't need to do a drop and create.

________________________________
From: Adrian Klaver <adrian.klaver@aklaver.com>
Sent: October 20, 2025 14:51
To: Paul Austin <paul.austin@automutatio.com>; pgsql-general@lists.postgresql.org <pgsql-general@lists.postgresql.org>
Subject: Re: Extend CREATE POLICY to add IF EXISTS

On 10/20/25 14:49, Paul Austin wrote:

I forgot DROP POLICY already has IF EXISTS

I take it that works for you?

*From:*Paul Austin <paul.austin@automutatio.com>
*Sent:* October 20, 2025 2:46 PM
*To:* pgsql-general@lists.postgresql.org
*Subject:* Extend CREATE POLICY to add IF EXISTS

Many (but not all) DDL statements use the pattern IF EXISTS or IF NOT
EXISTS. This is really useful if you want to create a re-start-able data
model update script without needing to have PL/pgSQL blocks that has
checks to see if it exists.

An example of a statement that doesn’t implement this pattern in the
CREATE POLICY statement.

Is there a plan to add this pattern to the rest of the DDL statements?
Or could it be added to the CREATE/DROP POLICY statements?

Thanks,

Paul

--
Adrian Klaver
adrian.klaver@aklaver.com

On 2025-Oct-20, Paul Austin wrote:

Adrian,

The drop policy IF EXISTS does work.

But it would be nice to have the IF NOT EXISTS on CREATE POLICY so I
don't need to do a drop and create.

How would CREATE IF NOT EXISTS handle the case of an existing policy
that doesn't match the one you want? I think it would just silently not
do anything, and in that case you can't really rely on it, can you? So
your script would have to extract the current policy, compare with the
one you want (how?) and then maybe drop it and create it anew, or leave
it alone. Is this really useful?

I think what you'd really appreciate is CREATE OR REPLACE: if the
policy exists and matches the one you ask for, then don't do anything;
but otherwise throw it away and create it anew. We have this for views,
and it allows for things like adding more columns than the original view
had.

BTW, the pattern DROP IF EXISTS / CREATE is a bit nasty, because there
exists a period in between where no policy exists, which could be a
security hole. Unless you use an explicit transaction block.

--
Álvaro Herrera Breisgau, Deutschland — https://www.EnterpriseDB.com/
"I love the Postgres community. It's all about doing things _properly_. :-)"
(David Garamond)

Álvaro,

Yes, a CREATE OR REPLACE would also be useful.

However, the CREATE IF NOT EXISTS is also useful when you aren't concerned that the POLICY is going to change. Same with the existing CREATE TABLE IF NOT EXISTS.

Yes I'm aware that the DROP/CREATE can create a security hole, which is why I'd like the IF NOT EXISTS. At the moment my use case stops the application prior to running this script and the database is in a private network.

-----Original Message-----
From: Álvaro Herrera <alvherre@kurilemu.de>
Sent: October 21, 2025 12:23 AM
To: Paul Austin <paul.austin@automutatio.com>
Cc: pgsql-general@lists.postgresql.org
Subject: Re: Extend CREATE POLICY to add IF EXISTS

On 2025-Oct-20, Paul Austin wrote:

Adrian,

The drop policy IF EXISTS does work.

But it would be nice to have the IF NOT EXISTS on CREATE POLICY so I
don't need to do a drop and create.

How would CREATE IF NOT EXISTS handle the case of an existing policy that doesn't match the one you want? I think it would just silently not do anything, and in that case you can't really rely on it, can you? So your script would have to extract the current policy, compare with the one you want (how?) and then maybe drop it and create it anew, or leave it alone. Is this really useful?

I think what you'd really appreciate is CREATE OR REPLACE: if the policy exists and matches the one you ask for, then don't do anything; but otherwise throw it away and create it anew. We have this for views, and it allows for things like adding more columns than the original view had.

BTW, the pattern DROP IF EXISTS / CREATE is a bit nasty, because there exists a period in between where no policy exists, which could be a security hole. Unless you use an explicit transaction block.

--
Álvaro Herrera Breisgau, Deutschland — https://www.EnterpriseDB.com/
"I love the Postgres community. It's all about doing things _properly_. :-)"
(David Garamond)

Doesn't CREATE OR REPLACE have limitations based on parameter-list changes?

On Tue, Oct 21, 2025 at 10:08 AM Paul Austin <paul.austin@automutatio.com>
wrote:

Álvaro,

Yes, a CREATE OR REPLACE would also be useful.

However, the CREATE IF NOT EXISTS is also useful when you aren't concerned
that the POLICY is going to change. Same with the existing CREATE TABLE IF
NOT EXISTS.

Yes I'm aware that the DROP/CREATE can create a security hole, which is
why I'd like the IF NOT EXISTS. At the moment my use case stops the
application prior to running this script and the database is in a private
network.

-----Original Message-----
From: Álvaro Herrera <alvherre@kurilemu.de>
Sent: October 21, 2025 12:23 AM
To: Paul Austin <paul.austin@automutatio.com>
Cc: pgsql-general@lists.postgresql.org
Subject: Re: Extend CREATE POLICY to add IF EXISTS

On 2025-Oct-20, Paul Austin wrote:

Adrian,

The drop policy IF EXISTS does work.

But it would be nice to have the IF NOT EXISTS on CREATE POLICY so I
don't need to do a drop and create.

How would CREATE IF NOT EXISTS handle the case of an existing policy that
doesn't match the one you want? I think it would just silently not do
anything, and in that case you can't really rely on it, can you? So your
script would have to extract the current policy, compare with the one you
want (how?) and then maybe drop it and create it anew, or leave it alone.
Is this really useful?

I think what you'd really appreciate is CREATE OR REPLACE: if the policy
exists and matches the one you ask for, then don't do anything; but
otherwise throw it away and create it anew. We have this for views, and it
allows for things like adding more columns than the original view had.

BTW, the pattern DROP IF EXISTS / CREATE is a bit nasty, because there
exists a period in between where no policy exists, which could be a
security hole. Unless you use an explicit transaction block.

--
Álvaro Herrera Breisgau, Deutschland —
https://www.EnterpriseDB.com/
"I love the Postgres community. It's all about doing things _properly_.
:-)"
(David Garamond)

--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!