sql: added support for row level security to pg_policy #141991
Conversation
![blathers[crl]](https://avatars.githubusercontent.com/in/59700?s=40&u=373d9101a12edc3847d2fb6ae78e3adcfb4ca41e&v=4){kind=avatar}
|
It looks like your PR touches production code but doesn't add or edit any test code. Did you consider adding tests to your PR? 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf. |
|
This change is |
Dedej-Bergin
force-pushed
the
vtable-rls
branch
5 times, most recently
from
ca3a717 to
1278591
Compare
Previously the `pg_policy` table was unimplemented. With these code changes the table is now populated accordingly, like its postgres equivalent: `https://www.postgresql.org/docs/17/catalog-pg-policy.html` Epic: CRDB-45205 Fixes: cockroachdb#136702 Release note: None
Dedej-Bergin
force-pushed
the
vtable-rls
branch
from
1278591 to
6057dea
Compare
There was a problem hiding this comment.
Reviewed 4 of 4 files at r1, all commit messages.
Reviewable status:complete! 0 of 0 LGTMs obtained (waiting on @Dedej-Bergin)
pkg/sql/logictest/testdata/logic_test/row_level_security line 0 at r1 (raw file):
Can we have a tests that uses a filter with pg_policy to select the policies for one table when policies exists for multiple tables?
pkg/sql/logictest/testdata/logic_test/row_level_security line 119 at r1 (raw file):
statement ok CREATE POLICY "policy1" ON multi_pol_tab1 AS PERMISSIVE
Were these policy names renamed so that they can be returned via pg_policy?
pkg/sql/logictest/testdata/logic_test/row_level_security line 162 at r1 (raw file):
query ITIBTTT colnames,rowsort select oid::INT, polname, polrelid::INT, polpermissive, polroles::string, polqual, polwithcheck from pg_catalog.pg_policy
Can we query the polcmd column?
pkg/sql/pg_catalog.go line 4238 at r1 (raw file):
} var pgCatalogPolicyTable = makeAllRelationsVirtualTableWithDescriptorIDIndex(
To utilize the index, we likely need to define one on the pg_policy table. I believe adding an INDEX(polrelid) to its definition will create the index, allowing us to filter pg_policy by the table OID and read only that table's descriptor.
pkg/sql/pg_catalog.go line 4249 at r1 (raw file):
// get the policy command and convert it to postgres equivalent var cmd string switch policy.Command.String() {
nit: can we just compare on the enum type rather than checking for a hard coded string value?
pkg/sql/pg_catalog.go line 4261 at r1 (raw file):
cmd = "*" default: panic(errors.AssertionFailedf("unexpected policy command: %s", policy.Command.String()))
nit: this function returns an error, so maybe just return the errors.AssertionFailedf instead of panic'ing.
pkg/sql/pg_catalog.go line 4287 at r1 (raw file):
// get the using expression usingExpr := "" if len(policy.UsingExpr) != 0 {
In postgres, if the using expression isn't defined then polqual is null. Same with polwithcheck. So, I think we should fill in a null value if those expressions are missing.
pkg/sql/pg_catalog.go line 4310 at r1 (raw file):
if err := addRow( tree.NewDOid(oid.Oid(policy.ID)), // oid
The policyID is not strictly an oid. We should leave a comment to clarify this.
Previously the
pg_policytable was unimplemented. With these code changes the table is now populated accordingly, like its postgres equivalent:https://www.postgresql.org/docs/17/catalog-pg-policy.htmlEpic: CRDB-45205
Fixes: #136702
Release note: None