summaryrefslogtreecommitdiffstats
path: root/doc/src/sgml/man7/CREATE_POLICY.7
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-04 12:15:05 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-04 12:15:05 +0000
commit46651ce6fe013220ed397add242004d764fc0153 (patch)
tree6e5299f990f88e60174a1d3ae6e48eedd2688b2b /doc/src/sgml/man7/CREATE_POLICY.7
parentInitial commit. (diff)
downloadpostgresql-14-upstream.tar.xz
postgresql-14-upstream.zip
Adding upstream version 14.5.upstream/14.5upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/src/sgml/man7/CREATE_POLICY.7')
-rw-r--r--doc/src/sgml/man7/CREATE_POLICY.7635
1 files changed, 635 insertions, 0 deletions
diff --git a/doc/src/sgml/man7/CREATE_POLICY.7 b/doc/src/sgml/man7/CREATE_POLICY.7
new file mode 100644
index 0000000..8b94e1a
--- /dev/null
+++ b/doc/src/sgml/man7/CREATE_POLICY.7
@@ -0,0 +1,635 @@
+'\" t
+.\" Title: CREATE POLICY
+.\" Author: The PostgreSQL Global Development Group
+.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
+.\" Date: 2022
+.\" Manual: PostgreSQL 14.5 Documentation
+.\" Source: PostgreSQL 14.5
+.\" Language: English
+.\"
+.TH "CREATE POLICY" "7" "2022" "PostgreSQL 14.5" "PostgreSQL 14.5 Documentation"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+CREATE_POLICY \- define a new row\-level security policy for a table
+.SH "SYNOPSIS"
+.sp
+.nf
+CREATE POLICY \fIname\fR ON \fItable_name\fR
+ [ AS { PERMISSIVE | RESTRICTIVE } ]
+ [ FOR { ALL | SELECT | INSERT | UPDATE | DELETE } ]
+ [ TO { \fIrole_name\fR | PUBLIC | CURRENT_ROLE | CURRENT_USER | SESSION_USER } [, \&.\&.\&.] ]
+ [ USING ( \fIusing_expression\fR ) ]
+ [ WITH CHECK ( \fIcheck_expression\fR ) ]
+.fi
+.SH "DESCRIPTION"
+.PP
+The
+\fBCREATE POLICY\fR
+command defines a new row\-level security policy for a table\&. Note that row\-level security must be enabled on the table (using
+\fBALTER TABLE \&.\&.\&. ENABLE ROW LEVEL SECURITY\fR) in order for created policies to be applied\&.
+.PP
+A policy grants the permission to select, insert, update, or delete rows that match the relevant policy expression\&. Existing table rows are checked against the expression specified in
+USING, while new rows that would be created via
+INSERT
+or
+UPDATE
+are checked against the expression specified in
+WITH CHECK\&. When a
+USING
+expression returns true for a given row then that row is visible to the user, while if false or null is returned then the row is not visible\&. When a
+WITH CHECK
+expression returns true for a row then that row is inserted or updated, while if false or null is returned then an error occurs\&.
+.PP
+For
+\fBINSERT\fR
+and
+\fBUPDATE\fR
+statements,
+WITH CHECK
+expressions are enforced after
+BEFORE
+triggers are fired, and before any actual data modifications are made\&. Thus a
+BEFORE ROW
+trigger may modify the data to be inserted, affecting the result of the security policy check\&.
+WITH CHECK
+expressions are enforced before any other constraints\&.
+.PP
+Policy names are per\-table\&. Therefore, one policy name can be used for many different tables and have a definition for each table which is appropriate to that table\&.
+.PP
+Policies can be applied for specific commands or for specific roles\&. The default for newly created policies is that they apply for all commands and roles, unless otherwise specified\&. Multiple policies may apply to a single command; see below for more details\&.
+Table\ \&281
+summarizes how the different types of policy apply to specific commands\&.
+.PP
+For policies that can have both
+USING
+and
+WITH CHECK
+expressions (ALL
+and
+UPDATE), if no
+WITH CHECK
+expression is defined, then the
+USING
+expression will be used both to determine which rows are visible (normal
+USING
+case) and which new rows will be allowed to be added (WITH CHECK
+case)\&.
+.PP
+If row\-level security is enabled for a table, but no applicable policies exist, a
+\(lqdefault deny\(rq
+policy is assumed, so that no rows will be visible or updatable\&.
+.SH "PARAMETERS"
+.PP
+\fIname\fR
+.RS 4
+The name of the policy to be created\&. This must be distinct from the name of any other policy for the table\&.
+.RE
+.PP
+\fItable_name\fR
+.RS 4
+The name (optionally schema\-qualified) of the table the policy applies to\&.
+.RE
+.PP
+PERMISSIVE
+.RS 4
+Specify that the policy is to be created as a permissive policy\&. All permissive policies which are applicable to a given query will be combined together using the Boolean
+\(lqOR\(rq
+operator\&. By creating permissive policies, administrators can add to the set of records which can be accessed\&. Policies are permissive by default\&.
+.RE
+.PP
+RESTRICTIVE
+.RS 4
+Specify that the policy is to be created as a restrictive policy\&. All restrictive policies which are applicable to a given query will be combined together using the Boolean
+\(lqAND\(rq
+operator\&. By creating restrictive policies, administrators can reduce the set of records which can be accessed as all restrictive policies must be passed for each record\&.
+.sp
+Note that there needs to be at least one permissive policy to grant access to records before restrictive policies can be usefully used to reduce that access\&. If only restrictive policies exist, then no records will be accessible\&. When a mix of permissive and restrictive policies are present, a record is only accessible if at least one of the permissive policies passes, in addition to all the restrictive policies\&.
+.RE
+.PP
+\fIcommand\fR
+.RS 4
+The command to which the policy applies\&. Valid options are
+\fBALL\fR,
+\fBSELECT\fR,
+\fBINSERT\fR,
+\fBUPDATE\fR, and
+\fBDELETE\fR\&.
+\fBALL\fR
+is the default\&. See below for specifics regarding how these are applied\&.
+.RE
+.PP
+\fIrole_name\fR
+.RS 4
+The role(s) to which the policy is to be applied\&. The default is
+PUBLIC, which will apply the policy to all roles\&.
+.RE
+.PP
+\fIusing_expression\fR
+.RS 4
+Any
+SQL
+conditional expression (returning
+boolean)\&. The conditional expression cannot contain any aggregate or window functions\&. This expression will be added to queries that refer to the table if row\-level security is enabled\&. Rows for which the expression returns true will be visible\&. Any rows for which the expression returns false or null will not be visible to the user (in a
+\fBSELECT\fR), and will not be available for modification (in an
+\fBUPDATE\fR
+or
+\fBDELETE\fR)\&. Such rows are silently suppressed; no error is reported\&.
+.RE
+.PP
+\fIcheck_expression\fR
+.RS 4
+Any
+SQL
+conditional expression (returning
+boolean)\&. The conditional expression cannot contain any aggregate or window functions\&. This expression will be used in
+\fBINSERT\fR
+and
+\fBUPDATE\fR
+queries against the table if row\-level security is enabled\&. Only rows for which the expression evaluates to true will be allowed\&. An error will be thrown if the expression evaluates to false or null for any of the records inserted or any of the records that result from the update\&. Note that the
+\fIcheck_expression\fR
+is evaluated against the proposed new contents of the row, not the original contents\&.
+.RE
+.SS "Per\-Command Policies"
+.PP
+ALL
+.RS 4
+Using
+ALL
+for a policy means that it will apply to all commands, regardless of the type of command\&. If an
+ALL
+policy exists and more specific policies exist, then both the
+ALL
+policy and the more specific policy (or policies) will be applied\&. Additionally,
+ALL
+policies will be applied to both the selection side of a query and the modification side, using the
+USING
+expression for both cases if only a
+USING
+expression has been defined\&.
+.sp
+As an example, if an
+UPDATE
+is issued, then the
+ALL
+policy will be applicable both to what the
+UPDATE
+will be able to select as rows to be updated (applying the
+USING
+expression), and to the resulting updated rows, to check if they are permitted to be added to the table (applying the
+WITH CHECK
+expression, if defined, and the
+USING
+expression otherwise)\&. If an
+\fBINSERT\fR
+or
+\fBUPDATE\fR
+command attempts to add rows to the table that do not pass the
+ALL
+policy\*(Aqs
+WITH CHECK
+expression, the entire command will be aborted\&.
+.RE
+.PP
+SELECT
+.RS 4
+Using
+SELECT
+for a policy means that it will apply to
+SELECT
+queries and whenever
+SELECT
+permissions are required on the relation the policy is defined for\&. The result is that only those records from the relation that pass the
+SELECT
+policy will be returned during a
+SELECT
+query, and that queries that require
+SELECT
+permissions, such as
+UPDATE, will also only see those records that are allowed by the
+SELECT
+policy\&. A
+SELECT
+policy cannot have a
+WITH CHECK
+expression, as it only applies in cases where records are being retrieved from the relation\&.
+.RE
+.PP
+INSERT
+.RS 4
+Using
+INSERT
+for a policy means that it will apply to
+INSERT
+commands\&. Rows being inserted that do not pass this policy will result in a policy violation error, and the entire
+INSERT
+command will be aborted\&. An
+INSERT
+policy cannot have a
+USING
+expression, as it only applies in cases where records are being added to the relation\&.
+.sp
+Note that
+INSERT
+with
+ON CONFLICT DO UPDATE
+checks
+INSERT
+policies\*(Aq
+WITH CHECK
+expressions only for rows appended to the relation by the
+INSERT
+path\&.
+.RE
+.PP
+UPDATE
+.RS 4
+Using
+UPDATE
+for a policy means that it will apply to
+UPDATE,
+SELECT FOR UPDATE
+and
+SELECT FOR SHARE
+commands, as well as auxiliary
+ON CONFLICT DO UPDATE
+clauses of
+INSERT
+commands\&. Since
+UPDATE
+involves pulling an existing record and replacing it with a new modified record,
+UPDATE
+policies accept both a
+USING
+expression and a
+WITH CHECK
+expression\&. The
+USING
+expression determines which records the
+UPDATE
+command will see to operate against, while the
+WITH CHECK
+expression defines which modified rows are allowed to be stored back into the relation\&.
+.sp
+Any rows whose updated values do not pass the
+WITH CHECK
+expression will cause an error, and the entire command will be aborted\&. If only a
+USING
+clause is specified, then that clause will be used for both
+USING
+and
+WITH CHECK
+cases\&.
+.sp
+Typically an
+UPDATE
+command also needs to read data from columns in the relation being updated (e\&.g\&., in a
+WHERE
+clause or a
+RETURNING
+clause, or in an expression on the right hand side of the
+SET
+clause)\&. In this case,
+SELECT
+rights are also required on the relation being updated, and the appropriate
+SELECT
+or
+ALL
+policies will be applied in addition to the
+UPDATE
+policies\&. Thus the user must have access to the row(s) being updated through a
+SELECT
+or
+ALL
+policy in addition to being granted permission to update the row(s) via an
+UPDATE
+or
+ALL
+policy\&.
+.sp
+When an
+INSERT
+command has an auxiliary
+ON CONFLICT DO UPDATE
+clause, if the
+UPDATE
+path is taken, the row to be updated is first checked against the
+USING
+expressions of any
+UPDATE
+policies, and then the new updated row is checked against the
+WITH CHECK
+expressions\&. Note, however, that unlike a standalone
+UPDATE
+command, if the existing row does not pass the
+USING
+expressions, an error will be thrown (the
+UPDATE
+path will
+\fInever\fR
+be silently avoided)\&.
+.RE
+.PP
+DELETE
+.RS 4
+Using
+DELETE
+for a policy means that it will apply to
+DELETE
+commands\&. Only rows that pass this policy will be seen by a
+DELETE
+command\&. There can be rows that are visible through a
+SELECT
+that are not available for deletion, if they do not pass the
+USING
+expression for the
+DELETE
+policy\&.
+.sp
+In most cases a
+DELETE
+command also needs to read data from columns in the relation that it is deleting from (e\&.g\&., in a
+WHERE
+clause or a
+RETURNING
+clause)\&. In this case,
+SELECT
+rights are also required on the relation, and the appropriate
+SELECT
+or
+ALL
+policies will be applied in addition to the
+DELETE
+policies\&. Thus the user must have access to the row(s) being deleted through a
+SELECT
+or
+ALL
+policy in addition to being granted permission to delete the row(s) via a
+DELETE
+or
+ALL
+policy\&.
+.sp
+A
+DELETE
+policy cannot have a
+WITH CHECK
+expression, as it only applies in cases where records are being deleted from the relation, so that there is no new row to check\&.
+.RE
+.sp
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.B Table\ \&281.\ \&Policies Applied by Command Type
+.TS
+allbox tab(:);
+lB lB lB lB s lB
+^ lB lB lB lB lB.
+T{
+Command
+T}:T{
+SELECT/ALL policy
+T}:T{
+INSERT/ALL policy
+T}:T{
+UPDATE/ALL policy
+T}:T{
+DELETE/ALL policy
+T}
+:T{
+USING expression
+T}:T{
+WITH CHECK expression
+T}:T{
+USING expression
+T}:T{
+WITH CHECK expression
+T}:T{
+USING expression
+T}
+.T&
+l l l l l l
+l l l l l l
+l l l l l l
+l l l l l l
+l l l l l l
+l l l l l l
+l l l l l l
+l s s s s s.
+T{
+\fBSELECT\fR
+T}:T{
+Existing row
+T}:T{
+\(em
+T}:T{
+\(em
+T}:T{
+\(em
+T}:T{
+\(em
+T}
+T{
+\fBSELECT FOR UPDATE/SHARE\fR
+T}:T{
+Existing row
+T}:T{
+\(em
+T}:T{
+Existing row
+T}:T{
+\(em
+T}:T{
+\(em
+T}
+T{
+\fBINSERT\fR
+T}:T{
+\(em
+T}:T{
+New row
+T}:T{
+\(em
+T}:T{
+\(em
+T}:T{
+\(em
+T}
+T{
+\fBINSERT \&.\&.\&. RETURNING\fR
+T}:T{
+New row [a]
+T}:T{
+New row
+T}:T{
+\(em
+T}:T{
+\(em
+T}:T{
+\(em
+T}
+T{
+\fBUPDATE\fR
+T}:T{
+Existing & new rows [a]
+T}:T{
+\(em
+T}:T{
+Existing row
+T}:T{
+New row
+T}:T{
+\(em
+T}
+T{
+\fBDELETE\fR
+T}:T{
+Existing row [a]
+T}:T{
+\(em
+T}:T{
+\(em
+T}:T{
+\(em
+T}:T{
+Existing row
+T}
+T{
+\fBON CONFLICT DO UPDATE\fR
+T}:T{
+Existing & new rows
+T}:T{
+\(em
+T}:T{
+Existing row
+T}:T{
+New row
+T}:T{
+\(em
+T}
+T{
+----
+.br
+[a]
+If read access is required to the existing or new row (for example, a
+WHERE
+or
+RETURNING
+clause that refers to columns from the relation)\&.
+T}
+.TE
+.sp 1
+.SS "Application of Multiple Policies"
+.PP
+When multiple policies of different command types apply to the same command (for example,
+SELECT
+and
+UPDATE
+policies applied to an
+UPDATE
+command), then the user must have both types of permissions (for example, permission to select rows from the relation as well as permission to update them)\&. Thus the expressions for one type of policy are combined with the expressions for the other type of policy using the
+AND
+operator\&.
+.PP
+When multiple policies of the same command type apply to the same command, then there must be at least one
+PERMISSIVE
+policy granting access to the relation, and all of the
+RESTRICTIVE
+policies must pass\&. Thus all the
+PERMISSIVE
+policy expressions are combined using
+OR, all the
+RESTRICTIVE
+policy expressions are combined using
+AND, and the results are combined using
+AND\&. If there are no
+PERMISSIVE
+policies, then access is denied\&.
+.PP
+Note that, for the purposes of combining multiple policies,
+ALL
+policies are treated as having the same type as whichever other type of policy is being applied\&.
+.PP
+For example, in an
+UPDATE
+command requiring both
+SELECT
+and
+UPDATE
+permissions, if there are multiple applicable policies of each type, they will be combined as follows:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+\fIexpression\fR from RESTRICTIVE SELECT/ALL policy 1
+AND
+\fIexpression\fR from RESTRICTIVE SELECT/ALL policy 2
+AND
+\&.\&.\&.
+AND
+(
+ \fIexpression\fR from PERMISSIVE SELECT/ALL policy 1
+ OR
+ \fIexpression\fR from PERMISSIVE SELECT/ALL policy 2
+ OR
+ \&.\&.\&.
+)
+AND
+\fIexpression\fR from RESTRICTIVE UPDATE/ALL policy 1
+AND
+\fIexpression\fR from RESTRICTIVE UPDATE/ALL policy 2
+AND
+\&.\&.\&.
+AND
+(
+ \fIexpression\fR from PERMISSIVE UPDATE/ALL policy 1
+ OR
+ \fIexpression\fR from PERMISSIVE UPDATE/ALL policy 2
+ OR
+ \&.\&.\&.
+)
+.fi
+.if n \{\
+.RE
+.\}
+.SH "NOTES"
+.PP
+You must be the owner of a table to create or change policies for it\&.
+.PP
+While policies will be applied for explicit queries against tables in the database, they are not applied when the system is performing internal referential integrity checks or validating constraints\&. This means there are indirect ways to determine that a given value exists\&. An example of this is attempting to insert a duplicate value into a column that is a primary key or has a unique constraint\&. If the insert fails then the user can infer that the value already exists\&. (This example assumes that the user is permitted by policy to insert records which they are not allowed to see\&.) Another example is where a user is allowed to insert into a table which references another, otherwise hidden table\&. Existence can be determined by the user inserting values into the referencing table, where success would indicate that the value exists in the referenced table\&. These issues can be addressed by carefully crafting policies to prevent users from being able to insert, delete, or update records at all which might possibly indicate a value they are not otherwise able to see, or by using generated values (e\&.g\&., surrogate keys) instead of keys with external meanings\&.
+.PP
+Generally, the system will enforce filter conditions imposed using security policies prior to qualifications that appear in user queries, in order to prevent inadvertent exposure of the protected data to user\-defined functions which might not be trustworthy\&. However, functions and operators marked by the system (or the system administrator) as
+LEAKPROOF
+may be evaluated before policy expressions, as they are assumed to be trustworthy\&.
+.PP
+Since policy expressions are added to the user\*(Aqs query directly, they will be run with the rights of the user running the overall query\&. Therefore, users who are using a given policy must be able to access any tables or functions referenced in the expression or they will simply receive a permission denied error when attempting to query the table that has row\-level security enabled\&. This does not change how views work, however\&. As with normal queries and views, permission checks and policies for the tables which are referenced by a view will use the view owner\*(Aqs rights and any policies which apply to the view owner\&.
+.PP
+Additional discussion and practical examples can be found in
+Section\ \&5.8\&.
+.SH "COMPATIBILITY"
+.PP
+\fBCREATE POLICY\fR
+is a
+PostgreSQL
+extension\&.
+.SH "SEE ALSO"
+ALTER POLICY (\fBALTER_POLICY\fR(7)), DROP POLICY (\fBDROP_POLICY\fR(7)), ALTER TABLE (\fBALTER_TABLE\fR(7))