authorStephen Frost <sfrost@snowman.net>2016-12-05 15:50:55 -0500
committerStephen Frost <sfrost@snowman.net>2016-12-05 15:50:55 -0500
commit093129c9d9fc231649b3cc27b8086443ccbbbc22 (patch)
tree5e41352a48f7a33a68687623da2fb48dce9b9174 /src/backend/parser
parent2bbdc6875d03bb826a4fd113eac45a72c68bc929 (diff)
Add support for restrictive RLS policies
We have had support for restrictive RLS policies since 9.5, but they were only available through extensions which use the appropriate hooks. This adds support into the grammar, catalog, psql and pg_dump for restrictive RLS policies, thus reducing the cases where an extension is necessary. In passing, also move away from using "AND"d and "OR"d in comments. As pointed out by Alvaro, it's not really appropriate to attempt to make verbs out of "AND" and "OR", so reword those comments which attempted to. Reviewed By: Jeevan Chalke, Dean Rasheed Discussion: https://postgr.es/m/20160901063404.GY4028@tamriel.snowman.net
Diffstat (limited to 'src/backend/parser')
-rw-r--r--src/backend/parser/gram.y43
1 files changed, 33 insertions, 10 deletions
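diff --git a/src/backend/parser/gram.y b/src/backend/parser/gram.y
index d6274b49e7f..414348b95b4 100644
--- a/src/backend/parser/gram.y
+++ b/src/backend/parser/gram.y
@@ -332,6 +332,7 @@ static Node *makeRecursiveViewSelect(char *relname, List *aliases, Node *query);
 %type <str> all_Op MathOp
 %type <str> row_security_cmd RowSecurityDefaultForCmd
+%type <boolean> RowSecurityDefaultPermissive
 %type <node> RowSecurityOptionalWithCheck RowSecurityOptionalExpr
 %type <list> RowSecurityDefaultToRole RowSecurityOptionalToRole
@@ -4628,26 +4629,30 @@ AlterUserMappingStmt: ALTER USER MAPPING FOR auth_ident SERVER name alter_generi
 /*****************************************************************************
 *
 * QUERIES:
- * CREATE POLICY name ON table [FOR cmd] [TO role, ...]
- * [USING (qual)] [WITH CHECK (with_check)]
+ * CREATE POLICY name ON table
+ * [AS { PERMISSIVE | RESTRICTIVE } ]
+ * [FOR { SELECT | INSERT | UPDATE | DELETE } ]
+ * [TO role, ...]
+ * [USING (qual)] [WITH CHECK (with check qual)]
 * ALTER POLICY name ON table [TO role, ...]
- * [USING (qual)] [WITH CHECK (with_check)]
+ * [USING (qual)] [WITH CHECK (with check qual)]
 * DROP POLICY name ON table
 *
 *****************************************************************************/
 CreatePolicyStmt:
- CREATE POLICY name ON qualified_name RowSecurityDefaultForCmd
- RowSecurityDefaultToRole RowSecurityOptionalExpr
- RowSecurityOptionalWithCheck
+ CREATE POLICY name ON qualified_name RowSecurityDefaultPermissive
+ RowSecurityDefaultForCmd RowSecurityDefaultToRole
+ RowSecurityOptionalExpr RowSecurityOptionalWithCheck
 {
 CreatePolicyStmt *n = makeNode(CreatePolicyStmt);
 n->policy_name = $3;
 n->table = $5;
- n->cmd_name = $6;
- n->roles = $7;
- n->qual = $8;
- n->with_check = $9;
+ n->permissive = $6;
+ n->cmd_name = $7;
+ n->roles = $8;
+ n->qual = $9;
+ n->with_check = $10;
 $$ = (Node *) n;
 }
 ;
@@ -4711,6 +4716,24 @@ RowSecurityOptionalToRole:
 | /* EMPTY */ { $$ = NULL; }
 ;
+RowSecurityDefaultPermissive:
+ AS IDENT
+ {
+ if (strcmp($2, "permissive") == 0)
+ $$ = true;
+ else if (strcmp($2, "restrictive") == 0)
+ $$ = false;
+ else
+ ereport(ERROR,
+ (errcode(ERRCODE_SYNTAX_ERROR),
+ errmsg("unrecognized row security option \"%s\"", $2),
+ errhint("Only PERMISSIVE or RESTRICTIVE policies are supported currently."),
+ parser_errposition(@2)));
+
+ }
+ | /* EMPTY */ { $$ = true; }
+ ;
+
 RowSecurityDefaultForCmd:
 FOR row_security_cmd { $$ = $2; }
 | /* EMPTY */ { $$ = "all"; }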
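Review bot: The new RowSecurityDefaultPermissive rule accepts the AS argument as an IDENT and selects the branch with a case-sensitive strcmp against the lowercase literals "permissive" and "restrictive", so it presumably relies on the scanner having already down-cased an unquoted identifier, and a double-quoted spelling such as `AS "RESTRICTIVE"` would reach the ereport instead. That matches how other IDENT-checking rules in gram.y are written, but a comment on the rule would stop the lowercase literals from reading as a bug: `/* PERMISSIVE and RESTRICTIVE are not keywords; unquoted IDENTs are expected to arrive down-cased from the scanner, so compare against lowercase. */`. Rejecting any other spelling with an error rather than falling back to a default is the right outcome for a clause that decides how a policy combines with others, since only the explicitly omitted clause yields the permissive default of true. The blank line before the closing brace of the action, after parser_errposition, is stray and can be dropped.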