我有下表:
Table "api_v1.person"
Column | Type | Modifiers
---------------+--------+-------------------------------------------------------
person_id | bigint | not null default...
name | text | not null
date_of_birth | date |
api_user | text | not null default "current_user"()
具有以下政策:
POLICY "api_user_only" FOR ALL
USING ((api_user = ("current_user"())::text))
WITH CHECK ((api_user = ("current_user"())::text))
我的理解是,策略的FOR ALL部分意味着它涵盖了插入,WITH CHECK确保插入api_user的值与当前用户相同,例如角色名称。 USING子句应仅影响SELECTS或返回的其他数据。但是,当我尝试插入时,我得到以下结果:
demo=> INSERT INTO api_v1.person (name, api_user) VALUES ('Greg', current_user);
ERROR: query would be affected by row-level security policy for table "person"
如何插入?
我正在运行PostgreSQL 9.6.8。
这是重现所需的SQL:
BEGIN;
CREATE SCHEMA api_v1;
CREATE TABLE api_v1.person (
person_id BIGSERIAL PRIMARY KEY,
"name" TEXT NOT NULL,
date_of_birth DATE,
api_user TEXT NOT NULL DEFAULT current_user
);
ALTER TABLE api_v1.person ENABLE ROW LEVEL SECURITY;
CREATE POLICY
api_user_only
ON
api_v1.person
USING
(api_user = CURRENT_USER)
WITH CHECK
(api_user = CURRENT_USER)
;
CREATE ROLE test_role;
GRANT USAGE ON SCHEMA api_v1 TO test_role;
GRANT ALL ON api_v1.person TO test_role;
GRANT USAGE ON SEQUENCE api_v1.person_person_id_seq TO test_role;
COMMIT;
SET ROLE test_role;
INSERT INTO api_v1.person ("name") VALUES ('Greg');
答案 0 :(得分:3)
postgresql.conf中有一个设置row_security。如果将此设置为off,则由行级别安全策略影响的任何查询都将失败,并显示错误:ERROR: query would be affected by row-level security policy for table "table_name"。但是,来自超级用户,表所有者(如果您不强制使用RLS)以及使用bypassrls的角色的查询将起作用。
row_security设置需要设置为on,然后需要重新启动PostgreSQL,以便针对具有行级安全策略的表处理常规用户语句。
来自源代码:
/*
* We should apply RLS. However, the user may turn off the row_security
* GUC to get a forced error instead.
*/
if (!row_security && !noError)
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("query would be affected by row-level security policy for table \"%s\"",
get_rel_name(relid)),
amowner ? errhint("To disable the policy for the table's owner, use ALTER TABLE NO FORCE ROW LEVEL SECURITY.") : 0));