Row Level Security Policies documentation doesn't mention lack of support for views

Started by Daniel Einspanjer almost 9 years ago | 4 messages | docs
#1 Daniel Einspanjer
deinspanjer@gmail.com

The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/9.6/static/ddl-rowsecurity.html
Description:

The policy documentation page is great, and the example in it is very
informative, but I just discovered a major flaw in our implementation of it
that I would like to see mentioned in the documentation.

If you create a view on a table, any queries against the view are in the
context of the view creator rather than the actual current user.

So, in the example on the page, if the admin creates a view of the passwd
table and grants access to this view, alice would no longer be subject to
any of the RLS policies as long as she used the view instead of the real
table.

--
Sent via pgsql-docs mailing list (pgsql-docs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-docs

#2 Bruce Momjian
bruce@momjian.us
In reply to: Daniel Einspanjer (#1)
Re: Row Level Security Policies documentation doesn't mention lack of support for views

Stephen, is there anything missing in our docs related to this issue?


--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +


#3 David G. Johnston
david.g.johnston@gmail.com
In reply to: Bruce Momjian (#2)
Re: Row Level Security Policies documentation doesn't mention lack of support for views

The CREATE VIEW documentation links to

https://www.postgresql.org/docs/9.6/static/rules-privileges.html

which covers this dynamic in considerable detail (and there is a blurb on
the CREATE VIEW page as well), and specifically:

"Relations that are used due to rules get checked against the privileges of
the rule owner, not the user invoking the rule."

It does feel like an additional blurb about views and a link to the above
page would be warranted on the ddl-rowsecurity.html page.

David J.


#4 Stephen Frost
sfrost@snowman.net
In reply to: David G. Johnston (#3)
Re: Row Level Security Policies documentation doesn't mention lack of support for views

David, Bruce,

* David G. Johnston (david.g.johnston@gmail.com) wrote:

> The CREATE VIEW documentation links to
>
> https://www.postgresql.org/docs/9.6/static/rules-privileges.html
>
> which covers this dynamic in considerable detail (and there is a blurb on
> the CREATE VIEW page as well), and specifically:
>
> "Relations that are used due to rules get checked against the privileges of
> the rule owner, not the user invoking the rule."
>
> It does feel like an additional blurb about views and a link to the above
> page would be warranted on the ddl-rowsecurity.html page.

I tend to agree, almost always, that additional documentation is a
benefit. The only drawback to it is that, sometimes, we end up saying
the same thing too much and that leads to readers skipping past
important sections.

I do think we need to provide more documentation around how views and
our privilege system work as I find that the question comes up somewhat
regularly. Note that this isn't RLS specific, but applies to both the
GRANT system and RLS - views are executed as the user of the view and not
with the privileges of the view user.

I can certainly try to help with crafting additional documentation
around this once I'm back from PostgresOpen in San Francisco next week.

Thanks!

Stephen
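
The behaviour discussed in this thread, followed by a catalog query that lists views exposed to it, as an added example that is not part of any message above. The `demo` schema, the roles `app_admin` and `alice`, and the `accounts` table are constructed for illustration; run it as a superuser in a scratch database.

```sql
-- Constructed demo objects (not from the thread).
CREATE ROLE app_admin;
CREATE ROLE alice;
CREATE SCHEMA demo AUTHORIZATION app_admin;

SET ROLE app_admin;
CREATE TABLE demo.accounts (user_name text PRIMARY KEY, secret text);
INSERT INTO demo.accounts VALUES ('alice', 'a-secret'), ('bob', 'b-secret');
ALTER TABLE demo.accounts ENABLE ROW LEVEL SECURITY;
CREATE POLICY own_row ON demo.accounts
    FOR SELECT USING (user_name = current_user);
-- View owned by app_admin, who also owns the table.
CREATE VIEW demo.accounts_v AS SELECT * FROM demo.accounts;
GRANT USAGE ON SCHEMA demo TO alice;
GRANT SELECT ON demo.accounts, demo.accounts_v TO alice;

SET ROLE alice;
-- Direct access: the own_row policy is applied to alice.
SELECT user_name FROM demo.accounts;
-- Through the view: the table is checked as the view owner (app_admin),
-- and a table owner is exempt from RLS unless it is forced.
SELECT user_name FROM demo.accounts_v;
RESET ROLE;

-- Audit: views that read an RLS-enabled table and whose owner is not
-- subject to that table's policies.
SELECT DISTINCT
       v.oid::regclass::text       AS view_name,
       pg_get_userbyid(v.relowner) AS view_owner,
       t.oid::regclass::text       AS rls_table,
       (v.relowner = t.relowner AND NOT t.relforcerowsecurity)
                                   AS owner_exempt_as_table_owner,
       (r.rolsuper OR r.rolbypassrls) AS owner_bypasses_rls
FROM pg_rewrite rw
JOIN pg_class  v ON v.oid = rw.ev_class AND v.relkind = 'v'
JOIN pg_depend d ON d.classid    = 'pg_rewrite'::regclass
                AND d.objid      = rw.oid
                AND d.refclassid = 'pg_class'::regclass
JOIN pg_class  t ON t.oid = d.refobjid AND t.relrowsecurity
JOIN pg_roles  r ON r.oid = v.relowner
WHERE ((v.relowner = t.relowner AND NOT t.relforcerowsecurity)
       OR r.rolsuper OR r.rolbypassrls)
ORDER BY 1, 3;
```

On PostgreSQL 15 and later, a view created `WITH (security_invoker = true)` has its underlying tables checked as the querying user instead of the view owner; that option does not exist in the 9.6 release this thread is about.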