2 * rewrite/rowsecurity.c
3 * Routines to support policies for row-level security (aka RLS).
5 * Policies in PostgreSQL provide a mechanism to limit what records are
6 * returned to a user and what records a user is permitted to add to a table.
8 * Policies can be defined for specific roles, specific commands, or provided
9 * by an extension. Row security can also be enabled for a table without any
10 * policies being explicitly defined, in which case a default-deny policy is
13 * Any part of the system which is returning records back to the user, or
14 * which is accepting records from the user to add to a table, needs to
15 * consider the policies associated with the table (if any). For normal
16 * queries, this is handled by calling get_row_security_policies() during
17 * rewrite, for each RTE in the query. This returns the expressions defined
18 * by the table's policies as a list that is prepended to the securityQuals
19 * list for the RTE. For queries which modify the table, any WITH CHECK
20 * clauses from the table's policies are also returned and prepended to the
21 * list of WithCheckOptions for the Query to check each row that is being
22 * added to the table. Other parts of the system (eg: COPY) simply construct
23 * a normal query and use that, if RLS is to be applied.
25 * The check to see if RLS should be enabled is provided through
26 * check_enable_rls(), which returns an enum (defined in rowsecurity.h) to
27 * indicate if RLS should be enabled (RLS_ENABLED), or bypassed (RLS_NONE or
28 * RLS_NONE_ENV). RLS_NONE_ENV indicates that RLS should be bypassed
29 * in the current environment, but that may change if the row_security GUC or
30 * the current role changes.
32 * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
33 * Portions Copyright (c) 1994, Regents of the University of California
53 List **permissive_policies,
54 List **restrictive_policies);
61 List *permissive_policies,
62 List *restrictive_policies,
69 List *permissive_policies,
70 List *restrictive_policies,
71 List **withCheckOptions,
78 * hooks to allow extensions to add their own security policies
80 * row_security_policy_hook_permissive can be used to add policies which
81 * are combined with the other permissive policies, using OR.
83 * row_security_policy_hook_restrictive can be used to add policies which
84 * are enforced, regardless of other policies (they are combined using AND).
90 * Get any row security quals and WithCheckOption checks that should be
91 * applied to the specified RTE.
93 * In addition, hasRowSecurity is set to true if row-level security is enabled
94 * (even if this RTE doesn't have any row security quals), and hasSubLinks is
95 * set to true if any of the quals returned contain sublinks.
99 List **securityQuals,
List **withCheckOptions,
100 bool *hasRowSecurity,
bool *hasSubLinks)
106 List *permissive_policies;
107 List *restrictive_policies;
110 /* Defaults for the return values */
111 *securityQuals =
NIL;
112 *withCheckOptions =
NIL;
113 *hasRowSecurity =
false;
114 *hasSubLinks =
false;
118 /* If this is not a normal relation, just return immediately */
119 if (rte->relkind != RELKIND_RELATION &&
120 rte->relkind != RELKIND_PARTITIONED_TABLE)
125 /* Switch to checkAsUser if it's set */
129 /* Determine the state of RLS for this, pass checkAsUser explicitly */
132 /* If there is no RLS on this table at all, nothing to do */
137 * RLS_NONE_ENV means we are not doing any RLS now, but that may change
138 * with changes to the environment, so we mark it as hasRowSecurity to
139 * force a re-plan when the environment changes.
144 * Indicate that this query may involve RLS and must therefore be
145 * replanned if the environment changes (GUCs, role), but we are not
146 * adding anything here.
148 *hasRowSecurity =
true;
154 * RLS is enabled for this relation.
156 * Get the security policies that should be applied, based on the command
157 * type. Note that if this isn't the target relation, we actually want
158 * the relation's SELECT policies, regardless of the query command type,
159 * for example in UPDATE t1 ... FROM t2 we need to apply t1's UPDATE
160 * policies and t2's SELECT policies.
164 commandType = rt_index ==
root->resultRelation ?
168 * In some cases, we need to apply USING policies (which control the
169 * visibility of records) associated with multiple command types (see
170 * specific cases below).
172 * When considering the order in which to apply these USING policies, we
173 * prefer to apply higher privileged policies, those which allow the user
174 * to lock records (UPDATE and DELETE), first, followed by policies which
177 * Note that the optimizer is free to push down and reorder quals which
178 * use leakproof functions.
180 * In all cases, if there are no policy clauses allowing access to rows in
181 * the table for the specific type of operation, then a single
182 * always-false clause (a default-deny policy) will be added (see
183 * add_security_quals).
187 * For a SELECT, if UPDATE privileges are required (eg: the user has
188 * specified FOR [KEY] UPDATE/SHARE), then add the UPDATE USING quals
191 * This way, we filter out any records from the SELECT FOR SHARE/UPDATE
192 * which the user does not have access to via the UPDATE USING policies,
193 * similar to how we require normal UPDATE rights for these queries.
197 List *update_permissive_policies;
198 List *update_restrictive_policies;
201 &update_permissive_policies,
202 &update_restrictive_policies);
205 update_permissive_policies,
206 update_restrictive_policies,
212 * For SELECT, UPDATE and DELETE, add security quals to enforce the USING
213 * policies. These security quals control access to existing table rows.
214 * Restrictive policies are combined together using AND, and permissive
215 * policies are combined together using OR.
219 &restrictive_policies);
226 restrictive_policies,
231 * Similar to above, during an UPDATE, DELETE, or MERGE, if SELECT rights
232 * are also required (eg: when a RETURNING clause exists, or the user has
233 * provided a WHERE clause which involves columns from the relation), we
234 * collect up CMD_SELECT policies and add them via add_security_quals
237 * This way, we filter out any records which are not visible through an
238 * ALL or SELECT USING policy.
244 List *select_permissive_policies;
245 List *select_restrictive_policies;
248 &select_permissive_policies,
249 &select_restrictive_policies);
252 select_permissive_policies,
253 select_restrictive_policies,
259 * For INSERT and UPDATE, add withCheckOptions to verify that any new
260 * records added are consistent with the security policies. This will use
261 * each policy's WITH CHECK clause, or its USING clause if no explicit
262 * WITH CHECK clause is defined.
266 /* This should be the target relation */
273 restrictive_policies,
279 * Get and add ALL/SELECT policies, if SELECT rights are required for
280 * this relation (eg: when RETURNING is used). These are added as WCO
281 * policies rather than security quals to ensure that an error is
282 * raised if a policy is violated; otherwise, we might end up silently
283 * dropping rows to be added.
287 List *select_permissive_policies =
NIL;
288 List *select_restrictive_policies =
NIL;
291 &select_permissive_policies,
292 &select_restrictive_policies);
296 select_permissive_policies,
297 select_restrictive_policies,
304 * For INSERT ... ON CONFLICT DO UPDATE we need additional policy
305 * checks for the UPDATE which may be applied to the same RTE.
310 List *conflict_permissive_policies;
311 List *conflict_restrictive_policies;
312 List *conflict_select_permissive_policies =
NIL;
313 List *conflict_select_restrictive_policies =
NIL;
315 /* Get the policies that apply to the auxiliary UPDATE */
317 &conflict_permissive_policies,
318 &conflict_restrictive_policies);
321 * Enforce the USING clauses of the UPDATE policies using WCOs
322 * rather than security quals. This ensures that an error is
323 * raised if the conflicting row cannot be updated due to RLS,
324 * rather than the change being silently dropped.
328 conflict_permissive_policies,
329 conflict_restrictive_policies,
335 * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
336 * to ensure they are considered when taking the UPDATE path of an
337 * INSERT .. ON CONFLICT DO UPDATE, if SELECT rights are required
338 * for this relation, also as WCO policies, again, to avoid
339 * silently dropping data. See above.
344 &conflict_select_permissive_policies,
345 &conflict_select_restrictive_policies);
348 conflict_select_permissive_policies,
349 conflict_select_restrictive_policies,
355 /* Enforce the WITH CHECK clauses of the UPDATE policies */
358 conflict_permissive_policies,
359 conflict_restrictive_policies,
365 * Add ALL/SELECT policies as WCO_RLS_UPDATE_CHECK WCOs, to ensure
366 * that the final updated row is visible when taking the UPDATE
367 * path of an INSERT .. ON CONFLICT DO UPDATE, if SELECT rights
368 * are required for this relation.
373 conflict_select_permissive_policies,
374 conflict_select_restrictive_policies,
382 * FOR MERGE, we fetch policies for UPDATE, DELETE and INSERT (and ALL)
383 * and set them up so that we can enforce the appropriate policy depending
384 * on the final action we take.
386 * We already fetched the SELECT policies above, to check existing rows,
387 * but we must also check that new rows created by INSERT/UPDATE actions
388 * are visible, if SELECT rights are required. For INSERT actions, we only
389 * do this if RETURNING is specified, to be consistent with a plain INSERT
390 * command, which can only require SELECT rights when RETURNING is used.
392 * We don't push the UPDATE/DELETE USING quals to the RTE because we don't
393 * really want to apply them while scanning the relation since we don't
394 * know whether we will be doing an UPDATE or a DELETE at the end. We
395 * apply the respective policy once we decide the final action on the
398 * XXX We are setting up USING quals as WITH CHECK. If RLS prohibits
399 * UPDATE/DELETE on the target row, we shall throw an error instead of
400 * silently ignoring the row. This is different than how normal
401 * UPDATE/DELETE works and more in line with INSERT ON CONFLICT DO UPDATE
406 List *merge_update_permissive_policies;
407 List *merge_update_restrictive_policies;
408 List *merge_delete_permissive_policies;
409 List *merge_delete_restrictive_policies;
410 List *merge_insert_permissive_policies;
411 List *merge_insert_restrictive_policies;
412 List *merge_select_permissive_policies =
NIL;
413 List *merge_select_restrictive_policies =
NIL;
416 * Fetch the UPDATE policies and set them up to execute on the
417 * existing target row before doing UPDATE.
420 &merge_update_permissive_policies,
421 &merge_update_restrictive_policies);
424 * WCO_RLS_MERGE_UPDATE_CHECK is used to check UPDATE USING quals on
425 * the existing target row.
429 merge_update_permissive_policies,
430 merge_update_restrictive_policies,
435 /* Enforce the WITH CHECK clauses of the UPDATE policies */
438 merge_update_permissive_policies,
439 merge_update_restrictive_policies,
445 * Add ALL/SELECT policies as WCO_RLS_UPDATE_CHECK WCOs, to ensure
446 * that the updated row is visible when executing an UPDATE action, if
447 * SELECT rights are required for this relation.
452 &merge_select_permissive_policies,
453 &merge_select_restrictive_policies);
456 merge_select_permissive_policies,
457 merge_select_restrictive_policies,
464 * Fetch the DELETE policies and set them up to execute on the
465 * existing target row before doing DELETE.
468 &merge_delete_permissive_policies,
469 &merge_delete_restrictive_policies);
472 * WCO_RLS_MERGE_DELETE_CHECK is used to check DELETE USING quals on
473 * the existing target row.
477 merge_delete_permissive_policies,
478 merge_delete_restrictive_policies,
484 * No special handling is required for INSERT policies. They will be
485 * checked and enforced during ExecInsert(). But we must add them to
489 &merge_insert_permissive_policies,
490 &merge_insert_restrictive_policies);
494 merge_insert_permissive_policies,
495 merge_insert_restrictive_policies,
501 * Add ALL/SELECT policies as WCO_RLS_INSERT_CHECK WCOs, to ensure
502 * that the inserted row is visible when executing an INSERT action,
503 * if RETURNING is specified and SELECT rights are required for this
509 merge_select_permissive_policies,
510 merge_select_restrictive_policies,
519 * Copy checkAsUser to the row security quals and WithCheckOption checks,
520 * in case they contain any subqueries referring to other relations.
526 * Mark this query as having row security, so plancache can invalidate it
527 * when necessary (eg: role changes)
529 *hasRowSecurity =
true;
533 * get_policies_for_relation
535 * Returns lists of permissive and restrictive policies to be applied to the
536 * specified relation, based on the command type and role.
538 * This includes any policies added by extensions.
542 List **permissive_policies,
543 List **restrictive_policies)
547 *permissive_policies =
NIL;
548 *restrictive_policies =
NIL;
550 /* First find all internal policies for the relation. */
553 bool cmd_matches =
false;
556 /* Always add ALL policies, if they exist. */
557 if (policy->
polcmd ==
'*')
561 /* Check whether the policy applies to the specified command type */
583 * We do not support a separate policy for MERGE command.
584 * Instead it derives from the policies defined for other
589 elog(
ERROR,
"unrecognized policy command type %d",
596 * Add this policy to the relevant list of policies if it applies to
597 * the specified role.
602 *permissive_policies =
lappend(*permissive_policies, policy);
604 *restrictive_policies =
lappend(*restrictive_policies, policy);
609 * We sort restrictive policies by name so that any WCOs they generate are
610 * checked in a well-defined order.
615 * Then add any permissive or restrictive policies defined by extensions.
616 * These are simply appended to the lists of internal policies, if they
617 * apply to the specified role.
621 List *hook_policies =
622 (*row_security_policy_hook_restrictive) (cmd, relation);
625 * As with built-in restrictive policies, we sort any hook-provided
626 * restrictive policies by name also. Note that we also intentionally
627 * always check all built-in restrictive policies, in name order,
628 * before checking restrictive policies added by hooks, in name order.
632 foreach(item, hook_policies)
637 *restrictive_policies =
lappend(*restrictive_policies, policy);
643 List *hook_policies =
644 (*row_security_policy_hook_permissive) (cmd, relation);
646 foreach(item, hook_policies)
651 *permissive_policies =
lappend(*permissive_policies, policy);
657 * sort_policies_by_name
659 * This is only used for restrictive policies, ensuring that any
660 * WithCheckOptions they generate are applied in a well-defined order.
661 * This is not necessary for permissive policies, since they are all combined
662 * together using OR into a single WithCheckOption check.
671 * list_sort comparator to sort RowSecurityPolicy entries by name
679 /* Guard against NULL policy names from extensions */
691 * Add security quals to enforce the specified RLS policies, restricting
692 * access to existing data in a table. If there are no policies controlling
693 * access to the table, then all access is prohibited --- i.e., an implicit
694 * default-deny policy is used.
696 * New security quals are added to securityQuals, and hasSubLinks is set to
697 * true if any of the quals added contain sublink subqueries.
701 List *permissive_policies,
702 List *restrictive_policies,
703 List **securityQuals,
711 * First collect up the permissive quals. If we do not find any
712 * permissive policies then no rows are visible (this is handled below).
714 foreach(item, permissive_policies)
718 if (policy->
qual != NULL)
720 permissive_quals =
lappend(permissive_quals,
727 * We must have permissive quals, always, or no rows are visible.
729 * If we do not, then we simply return a single 'false' qual which results
730 * in no rows being visible.
732 if (permissive_quals !=
NIL)
735 * We now know that permissive policies exist, so we can now add
736 * security quals based on the USING clauses from the restrictive
737 * policies. Since these need to be combined together using AND, we
738 * can just add them one at a time.
740 foreach(item, restrictive_policies)
745 if (policy->
qual != NULL)
756 * Then add a single security qual combining together the USING
757 * clauses from all the permissive policies using OR.
770 * A permissive policy must exist for rows to be visible at all.
771 * Therefore, if there were no permissive policies found, return a
772 * single always-false clause.
774 *securityQuals =
lappend(*securityQuals,
781 * add_with_check_options
783 * Add WithCheckOptions of the specified kind to check that new records
784 * added by an INSERT or UPDATE are consistent with the specified RLS
785 * policies. Normally new data must satisfy the WITH CHECK clauses from the
786 * policies. If a policy has no explicit WITH CHECK clause, its USING clause
787 * is used instead. In the special case of an UPDATE arising from an
788 * INSERT ... ON CONFLICT DO UPDATE, existing records are first checked using
789 * a WCO_RLS_CONFLICT_CHECK WithCheckOption, which always uses the USING
790 * clauses from RLS policies.
792 * New WCOs are added to withCheckOptions, and hasSubLinks is set to true if
793 * any of the check clauses added contain sublink subqueries.
799 List *permissive_policies,
800 List *restrictive_policies,
801 List **withCheckOptions,
808#define QUAL_FOR_WCO(policy) \
810 (policy)->with_check_qual != NULL ? \
811 (policy)->with_check_qual : (policy)->qual )
814 * First collect up the permissive policy clauses, similar to
815 * add_security_quals.
817 foreach(item, permissive_policies)
830 * There must be at least one permissive qual found or no rows are allowed
831 * to be added. This is the same as in add_security_quals.
833 * If there are no permissive_quals then we fall through and return a
834 * single 'false' WCO, preventing all new rows.
836 if (permissive_quals !=
NIL)
839 * Add a single WithCheckOption for all the permissive policy clauses,
840 * combining them together using OR. This check has no policy name,
841 * since if the check fails it means that no policy granted permission
842 * to perform the update, rather than any particular policy being
863 * Now add WithCheckOptions for each of the restrictive policy clauses
864 * (which will be combined together using AND). We use a separate
865 * WithCheckOption for each restrictive policy to allow the policy
866 * name to be included in error reports if the policy is violated.
868 foreach(item, restrictive_policies)
893 * If there were no policy clauses to check new data, add a single
894 * always-false WCO (a default-deny policy).
907 *withCheckOptions =
lappend(*withCheckOptions, wco);
912 * check_role_for_policy -
913 * determines if the policy should be applied for the current role
921 /* Quick fall-thru for policies applied to all roles */
bool has_privs_of_role(Oid member, Oid role)
#define OidIsValid(objectId)
Assert(PointerIsAligned(start, uint64))
List * lappend(List *list, void *datum)
void list_sort(List *list, list_sort_comparator cmp)
List * list_append_unique(List *list, void *datum)
Expr * makeBoolExpr(BoolExprType boolop, List *args, int location)
Const * makeConst(Oid consttype, int32 consttypmod, Oid constcollid, int constlen, Datum constvalue, bool constisnull, bool constbyval)
char * pstrdup(const char *in)
RTEPermissionInfo * getRTEPermissionInfo(List *rteperminfos, RangeTblEntry *rte)
@ WCO_RLS_MERGE_UPDATE_CHECK
@ WCO_RLS_MERGE_DELETE_CHECK
static int list_length(const List *l)
static Datum BoolGetDatum(bool X)
#define RelationGetRelationName(relation)
void setRuleCheckAsUser(Node *node, Oid userid)
void ChangeVarNodes(Node *node, int rt_index, int new_index, int sublevels_up)
int check_enable_rls(Oid relid, Oid checkAsUser, bool noError)
row_security_policy_hook_type row_security_policy_hook_permissive
void get_row_security_policies(Query *root, RangeTblEntry *rte, int rt_index, List **securityQuals, List **withCheckOptions, bool *hasRowSecurity, bool *hasSubLinks)
static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id)
row_security_policy_hook_type row_security_policy_hook_restrictive
#define QUAL_FOR_WCO(policy)
static void sort_policies_by_name(List *policies)
static void add_with_check_options(Relation rel, int rt_index, WCOKind kind, List *permissive_policies, List *restrictive_policies, List **withCheckOptions, bool *hasSubLinks, bool force_using)
static void get_policies_for_relation(Relation relation, CmdType cmd, Oid user_id, List **permissive_policies, List **restrictive_policies)
static int row_security_policy_cmp(const ListCell *a, const ListCell *b)
static void add_security_quals(int rt_index, List *permissive_policies, List *restrictive_policies, List **securityQuals, bool *hasSubLinks)
List *(* row_security_policy_hook_type)(CmdType cmdtype, Relation relation)
struct RowSecurityDesc * rd_rsdesc
void table_close(Relation relation, LOCKMODE lockmode)
Relation table_open(Oid relationId, LOCKMODE lockmode)