On 8 January 2015 at 08:30, Dean Rasheed <[email protected]> wrote:
> I have a wider concern about the wording on this page - both the
> rewritten paragraph and elsewhere talk about policies in terms of
> limiting access to or filtering out rows.
>
> However, since policy expressions are OR'ed together and there is a
> default-deny policy when RLS is enabled, I think it should be talking
> about policies in terms of permitting access to tables that have row
> security enabled.
>
[There's also a typo further down -- "filter out the records which are
visible", should be "not visible"]
What do you think of the attached rewording?
Regards,
Dean
diff --git a/doc/src/sgml/ref/create_policy.sgml b/doc/src/sgml/ref/create_policy.sgml
new file mode 100644
index 8ef8556..066aa76
*** a/doc/src/sgml/ref/create_policy.sgml
--- b/doc/src/sgml/ref/create_policy.sgml
*************** CREATE POLICY <replaceable class="parame
*** 39,56 ****
</para>
<para>
! A policy limits the ability to SELECT, INSERT, UPDATE, or DELETE rows
! in a table to those rows which match the relevant policy expression.
! Existing table rows are checked against the expression specified via
! USING, while new rows that would be created via INSERT or UPDATE are
! checked against the expression specified via WITH CHECK. Generally,
! the system will enforce filter conditions imposed using security
! policies prior to qualifications that appear in the query itself, in
! order to the prevent the inadvertent exposure of the protected data to
! user-defined functions which might not be trustworthy. However,
! functions and operators marked by the system (or the system
! administrator) as LEAKPROOF may be evaluated before policy
! expressions, as they are assumed to be trustworthy.
</para>
<para>
--- 39,56 ----
</para>
<para>
! A policy permits SELECT, INSERT, UPDATE or DELETE commands to access rows
! in a table that has row level security enabled. Access to existing table
! rows is granted if they match a policy expression specified via USING,
! while new rows that would be created via INSERT or UPDATE are checked
! against policy expressions specified via WITH CHECK. For policy
! expressions specified via USING which grant access to existing rows, the
! system will generally test the policy expressions prior to any
! qualifications that appear in the query itself, in order to the prevent the
! inadvertent exposure of the protected data to user-defined functions which
! might not be trustworthy. However, functions and operators marked by the
! system (or the system administrator) as LEAKPROOF may be evaluated before
! policy expressions, as they are assumed to be trustworthy.
</para>
<para>
*************** CREATE POLICY <replaceable class="parame
*** 154,160 ****
Any <acronym>SQL</acronym> conditional expression (returning
<type>boolean</type>). The conditional expression cannot contain
any aggregate or window functions. This expression will be added
! to queries to filter out the records which are visible to the query.
</para>
</listitem>
</varlistentry>
--- 154,161 ----
Any <acronym>SQL</acronym> conditional expression (returning
<type>boolean</type>). The conditional expression cannot contain
any aggregate or window functions. This expression will be added
! to queries that refer to the table if row level security is enabled,
! and will allow access to rows matching the expression.
</para>
</listitem>
</varlistentry>
*************** CREATE POLICY <replaceable class="parame
*** 164,174 ****
<listitem>
<para>
Any <acronym>SQL</acronym> conditional expression (returning
! <type>boolean</type>). The condition expression cannot contain
! any aggregate or window functions. This expression will be added
! to queries which are attempting to add records to the table as
! with-check options, and an error will be thrown if this condition
! returns false for any records being added.
</para>
</listitem>
</varlistentry>
--- 165,176 ----
<listitem>
<para>
Any <acronym>SQL</acronym> conditional expression (returning
! <type>boolean</type>). The conditional expression cannot contain
! any aggregate or window functions. This expression will be used in
! <command>INSERT</command> and <command>UPDATE</command> queries on
! the table if row level security is enabled, and an error will be thrown
! if the expression evaluates to false for any of the new records added or
! updated.
</para>
</listitem>
</varlistentry>
--
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
