2 * rewrite/rowsecurity.c
3 * Routines to support policies for row level security (aka RLS).
5 * Policies in PostgreSQL provide a mechanism to limit what records are
6 * returned to a user and what records a user is permitted to add to a table.
8 * Policies can be defined for specific roles, specific commands, or provided
9 * by an extension. Row security can also be enabled for a table without any
10 * policies being explicitly defined, in which case a default-deny policy is
13 * Any part of the system which is returning records back to the user, or
14 * which is accepting records from the user to add to a table, needs to
15 * consider the policies associated with the table (if any). For normal
16 * queries, this is handled by calling get_row_security_policies() during
17 * rewrite, for each RTE in the query. This returns the expressions defined
18 * by the table's policies as a list that is prepended to the securityQuals
19 * list for the RTE. For queries which modify the table, any WITH CHECK
20 * clauses from the table's policies are also returned and prepended to the
21 * list of WithCheckOptions for the Query to check each row that is being
22 * added to the table. Other parts of the system (eg: COPY) simply construct
23 * a normal query and use that, if RLS is to be applied.
25 * The check to see if RLS should be enabled is provided through
26 * check_enable_rls(), which returns an enum (defined in rowsecurity.h) to
27 * indicate if RLS should be enabled (RLS_ENABLED), or bypassed (RLS_NONE or
28 * RLS_NONE_ENV). RLS_NONE_ENV indicates that RLS should be bypassed
29 * in the current environment, but that may change if the row_security GUC or
30 * the current role changes.
32 * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
33 * Portions Copyright (c) 1994, Regents of the University of California
37 #include "access/heapam.h"
38 #include "access/htup_details.h"
39 #include "access/sysattr.h"
40 #include "catalog/pg_class.h"
41 #include "catalog/pg_inherits_fn.h"
42 #include "catalog/pg_policy.h"
43 #include "catalog/pg_type.h"
44 #include "miscadmin.h"
45 #include "nodes/makefuncs.h"
46 #include "nodes/nodeFuncs.h"
47 #include "nodes/pg_list.h"
48 #include "nodes/plannodes.h"
49 #include "parser/parsetree.h"
50 #include "rewrite/rewriteHandler.h"
51 #include "rewrite/rewriteManip.h"
52 #include "rewrite/rowsecurity.h"
53 #include "utils/acl.h"
54 #include "utils/lsyscache.h"
55 #include "utils/rel.h"
56 #include "utils/rls.h"
57 #include "utils/syscache.h"
58 #include "tcop/utility.h"
60 static void get_policies_for_relation(Relation relation,
61 CmdType cmd, Oid user_id,
62 List **permissive_policies,
63 List **restrictive_policies);
65 static List *sort_policies_by_name(List *policies);
67 static int row_security_policy_cmp(const void *a, const void *b);
69 static void add_security_quals(int rt_index,
70 List *permissive_policies,
71 List *restrictive_policies,
75 static void add_with_check_options(Relation rel,
78 List *permissive_policies,
79 List *restrictive_policies,
80 List **withCheckOptions,
83 static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id);
86 * hooks to allow extensions to add their own security policies
88 * row_security_policy_hook_permissive can be used to add policies which
89 * are combined with the other permissive policies, using OR.
91 * row_security_policy_hook_restrictive can be used to add policies which
92 * are enforced, regardless of other policies (they are combined using AND).
94 row_security_policy_hook_type row_security_policy_hook_permissive = NULL;
95 row_security_policy_hook_type row_security_policy_hook_restrictive = NULL;
98 * Get any row security quals and WithCheckOption checks that should be
99 * applied to the specified RTE.
101 * In addition, hasRowSecurity is set to true if row level security is enabled
102 * (even if this RTE doesn't have any row security quals), and hasSubLinks is
103 * set to true if any of the quals returned contain sublinks.
106 get_row_security_policies(Query *root, RangeTblEntry *rte, int rt_index,
107 List **securityQuals, List **withCheckOptions,
108 bool *hasRowSecurity, bool *hasSubLinks)
114 List *permissive_policies;
115 List *restrictive_policies;
117 /* Defaults for the return values */
118 *securityQuals = NIL;
119 *withCheckOptions = NIL;
120 *hasRowSecurity = false;
121 *hasSubLinks = false;
123 /* If this is not a normal relation, just return immediately */
124 if (rte->relkind != RELKIND_RELATION &&
125 rte->relkind != RELKIND_PARTITIONED_TABLE)
128 /* Switch to checkAsUser if it's set */
129 user_id = rte->checkAsUser ? rte->checkAsUser : GetUserId();
131 /* Determine the state of RLS for this, pass checkAsUser explicitly */
132 rls_status = check_enable_rls(rte->relid, rte->checkAsUser, false);
134 /* If there is no RLS on this table at all, nothing to do */
135 if (rls_status == RLS_NONE)
139 * RLS_NONE_ENV means we are not doing any RLS now, but that may change
140 * with changes to the environment, so we mark it as hasRowSecurity to
141 * force a re-plan when the environment changes.
143 if (rls_status == RLS_NONE_ENV)
146 * Indicate that this query may involve RLS and must therefore be
147 * replanned if the environment changes (GUCs, role), but we are not
148 * adding anything here.
150 *hasRowSecurity = true;
156 * RLS is enabled for this relation.
158 * Get the security policies that should be applied, based on the command
159 * type. Note that if this isn't the target relation, we actually want
160 * the relation's SELECT policies, regardless of the query command type,
161 * for example in UPDATE t1 ... FROM t2 we need to apply t1's UPDATE
162 * policies and t2's SELECT policies.
164 rel = heap_open(rte->relid, NoLock);
166 commandType = rt_index == root->resultRelation ?
167 root->commandType : CMD_SELECT;
170 * In some cases, we need to apply USING policies (which control the
171 * visibility of records) associated with multiple command types (see
172 * specific cases below).
174 * When considering the order in which to apply these USING policies, we
175 * prefer to apply higher privileged policies, those which allow the user
176 * to lock records (UPDATE and DELETE), first, followed by policies which
179 * Note that the optimizer is free to push down and reorder quals which
180 * use leakproof functions.
182 * In all cases, if there are no policy clauses allowing access to rows in
183 * the table for the specific type of operation, then a single
184 * always-false clause (a default-deny policy) will be added (see
185 * add_security_quals).
189 * For a SELECT, if UPDATE privileges are required (eg: the user has
190 * specified FOR [KEY] UPDATE/SHARE), then add the UPDATE USING quals
193 * This way, we filter out any records from the SELECT FOR SHARE/UPDATE
194 * which the user does not have access to via the UPDATE USING policies,
195 * similar to how we require normal UPDATE rights for these queries.
197 if (commandType == CMD_SELECT && rte->requiredPerms & ACL_UPDATE)
199 List *update_permissive_policies;
200 List *update_restrictive_policies;
202 get_policies_for_relation(rel, CMD_UPDATE, user_id,
203 &update_permissive_policies,
204 &update_restrictive_policies);
206 add_security_quals(rt_index,
207 update_permissive_policies,
208 update_restrictive_policies,
214 * For SELECT, UPDATE and DELETE, add security quals to enforce the USING
215 * policies. These security quals control access to existing table rows.
216 * Restrictive policies are combined together using AND, and permissive
217 * policies are combined together using OR.
220 get_policies_for_relation(rel, commandType, user_id, &permissive_policies,
221 &restrictive_policies);
223 if (commandType == CMD_SELECT ||
224 commandType == CMD_UPDATE ||
225 commandType == CMD_DELETE)
226 add_security_quals(rt_index,
228 restrictive_policies,
233 * Similar to above, during an UPDATE or DELETE, if SELECT rights are also
234 * required (eg: when a RETURNING clause exists, or the user has provided
235 * a WHERE clause which involves columns from the relation), we collect up
236 * CMD_SELECT policies and add them via add_security_quals first.
238 * This way, we filter out any records which are not visible through an
239 * ALL or SELECT USING policy.
241 if ((commandType == CMD_UPDATE || commandType == CMD_DELETE) &&
242 rte->requiredPerms & ACL_SELECT)
244 List *select_permissive_policies;
245 List *select_restrictive_policies;
247 get_policies_for_relation(rel, CMD_SELECT, user_id,
248 &select_permissive_policies,
249 &select_restrictive_policies);
251 add_security_quals(rt_index,
252 select_permissive_policies,
253 select_restrictive_policies,
259 * For INSERT and UPDATE, add withCheckOptions to verify that any new
260 * records added are consistent with the security policies. This will use
261 * each policy's WITH CHECK clause, or its USING clause if no explicit
262 * WITH CHECK clause is defined.
264 if (commandType == CMD_INSERT || commandType == CMD_UPDATE)
266 /* This should be the target relation */
267 Assert(rt_index == root->resultRelation);
269 add_with_check_options(rel, rt_index,
270 commandType == CMD_INSERT ?
271 WCO_RLS_INSERT_CHECK : WCO_RLS_UPDATE_CHECK,
273 restrictive_policies,
278 * Get and add ALL/SELECT policies, if SELECT rights are required for
279 * this relation (eg: when RETURNING is used). These are added as WCO
280 * policies rather than security quals to ensure that an error is
281 * raised if a policy is violated; otherwise, we might end up silently
282 * dropping rows to be added.
284 if (rte->requiredPerms & ACL_SELECT)
286 List *select_permissive_policies = NIL;
287 List *select_restrictive_policies = NIL;
289 get_policies_for_relation(rel, CMD_SELECT, user_id,
290 &select_permissive_policies,
291 &select_restrictive_policies);
292 add_with_check_options(rel, rt_index,
293 commandType == CMD_INSERT ?
294 WCO_RLS_INSERT_CHECK : WCO_RLS_UPDATE_CHECK,
295 select_permissive_policies,
296 select_restrictive_policies,
302 * For INSERT ... ON CONFLICT DO UPDATE we need additional policy
303 * checks for the UPDATE which may be applied to the same RTE.
305 if (commandType == CMD_INSERT &&
306 root->onConflict && root->onConflict->action == ONCONFLICT_UPDATE)
308 List *conflict_permissive_policies;
309 List *conflict_restrictive_policies;
311 /* Get the policies that apply to the auxiliary UPDATE */
312 get_policies_for_relation(rel, CMD_UPDATE, user_id,
313 &conflict_permissive_policies,
314 &conflict_restrictive_policies);
317 * Enforce the USING clauses of the UPDATE policies using WCOs
318 * rather than security quals. This ensures that an error is
319 * raised if the conflicting row cannot be updated due to RLS,
320 * rather than the change being silently dropped.
322 add_with_check_options(rel, rt_index,
323 WCO_RLS_CONFLICT_CHECK,
324 conflict_permissive_policies,
325 conflict_restrictive_policies,
330 * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
331 * to ensure they are considered when taking the UPDATE path of an
332 * INSERT .. ON CONFLICT DO UPDATE, if SELECT rights are required
333 * for this relation, also as WCO policies, again, to avoid
334 * silently dropping data. See above.
336 if (rte->requiredPerms & ACL_SELECT)
338 List *conflict_select_permissive_policies = NIL;
339 List *conflict_select_restrictive_policies = NIL;
341 get_policies_for_relation(rel, CMD_SELECT, user_id,
342 &conflict_select_permissive_policies,
343 &conflict_select_restrictive_policies);
344 add_with_check_options(rel, rt_index,
345 WCO_RLS_CONFLICT_CHECK,
346 conflict_select_permissive_policies,
347 conflict_select_restrictive_policies,
352 /* Enforce the WITH CHECK clauses of the UPDATE policies */
353 add_with_check_options(rel, rt_index,
354 WCO_RLS_UPDATE_CHECK,
355 conflict_permissive_policies,
356 conflict_restrictive_policies,
362 heap_close(rel, NoLock);
365 * Mark this query as having row security, so plancache can invalidate it
366 * when necessary (eg: role changes)
368 *hasRowSecurity = true;
374 * get_policies_for_relation
376 * Returns lists of permissive and restrictive policies to be applied to the
377 * specified relation, based on the command type and role.
379 * This includes any policies added by extensions.
382 get_policies_for_relation(Relation relation, CmdType cmd, Oid user_id,
383 List **permissive_policies,
384 List **restrictive_policies)
388 *permissive_policies = NIL;
389 *restrictive_policies = NIL;
392 * First find all internal policies for the relation. CREATE POLICY does
393 * not currently support defining restrictive policies, so for now all
394 * internal policies are permissive.
396 foreach(item, relation->rd_rsdesc->policies)
398 bool cmd_matches = false;
399 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
401 /* Always add ALL policies, if they exist. */
402 if (policy->polcmd == '*')
406 /* Check whether the policy applies to the specified command type */
410 if (policy->polcmd == ACL_SELECT_CHR)
414 if (policy->polcmd == ACL_INSERT_CHR)
418 if (policy->polcmd == ACL_UPDATE_CHR)
422 if (policy->polcmd == ACL_DELETE_CHR)
426 elog(ERROR, "unrecognized policy command type %d",
433 * Add this policy to the list of permissive policies if it applies to
434 * the specified role.
436 if (cmd_matches && check_role_for_policy(policy->roles, user_id))
438 if (policy->permissive)
439 *permissive_policies = lappend(*permissive_policies, policy);
441 *restrictive_policies = lappend(*restrictive_policies, policy);
446 * We sort restrictive policies by name so that any WCOs they generate are
447 * checked in a well-defined order.
449 *restrictive_policies = sort_policies_by_name(*restrictive_policies);
452 * Then add any permissive or restrictive policies defined by extensions.
453 * These are simply appended to the lists of internal policies, if they
454 * apply to the specified role.
456 if (row_security_policy_hook_restrictive)
458 List *hook_policies =
459 (*row_security_policy_hook_restrictive) (cmd, relation);
462 * As with built-in restrictive policies, we sort any hook-provided
463 * restrictive policies by name also. Note that we also intentionally
464 * always check all built-in restrictive policies, in name order,
465 * before checking restrictive policies added by hooks, in name order.
467 hook_policies = sort_policies_by_name(hook_policies);
469 foreach(item, hook_policies)
471 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
473 if (check_role_for_policy(policy->roles, user_id))
474 *restrictive_policies = lappend(*restrictive_policies, policy);
478 if (row_security_policy_hook_permissive)
480 List *hook_policies =
481 (*row_security_policy_hook_permissive) (cmd, relation);
483 foreach(item, hook_policies)
485 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
487 if (check_role_for_policy(policy->roles, user_id))
488 *permissive_policies = lappend(*permissive_policies, policy);
494 * sort_policies_by_name
496 * This is only used for restrictive policies, ensuring that any
497 * WithCheckOptions they generate are applied in a well-defined order.
498 * This is not necessary for permissive policies, since they are all combined
499 * together using OR into a single WithCheckOption check.
502 sort_policies_by_name(List *policies)
504 int npol = list_length(policies);
505 RowSecurityPolicy *pols;
512 pols = (RowSecurityPolicy *) palloc(sizeof(RowSecurityPolicy) * npol);
514 foreach(item, policies)
516 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
518 pols[ii++] = *policy;
521 qsort(pols, npol, sizeof(RowSecurityPolicy), row_security_policy_cmp);
524 for (ii = 0; ii < npol; ii++)
525 policies = lappend(policies, &pols[ii]);
531 * qsort comparator to sort RowSecurityPolicy entries by name
534 row_security_policy_cmp(const void *a, const void *b)
536 const RowSecurityPolicy *pa = (const RowSecurityPolicy *) a;
537 const RowSecurityPolicy *pb = (const RowSecurityPolicy *) b;
539 /* Guard against NULL policy names from extensions */
540 if (pa->policy_name == NULL)
541 return pb->policy_name == NULL ? 0 : 1;
542 if (pb->policy_name == NULL)
545 return strcmp(pa->policy_name, pb->policy_name);
551 * Add security quals to enforce the specified RLS policies, restricting
552 * access to existing data in a table. If there are no policies controlling
553 * access to the table, then all access is prohibited --- i.e., an implicit
554 * default-deny policy is used.
556 * New security quals are added to securityQuals, and hasSubLinks is set to
557 * true if any of the quals added contain sublink subqueries.
560 add_security_quals(int rt_index,
561 List *permissive_policies,
562 List *restrictive_policies,
563 List **securityQuals,
567 List *permissive_quals = NIL;
571 * First collect up the permissive quals. If we do not find any
572 * permissive policies then no rows are visible (this is handled below).
574 foreach(item, permissive_policies)
576 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
578 if (policy->qual != NULL)
580 permissive_quals = lappend(permissive_quals,
581 copyObject(policy->qual));
582 *hasSubLinks |= policy->hassublinks;
587 * We must have permissive quals, always, or no rows are visible.
589 * If we do not, then we simply return a single 'false' qual which results
590 * in no rows being visible.
592 if (permissive_quals != NIL)
595 * We now know that permissive policies exist, so we can now add
596 * security quals based on the USING clauses from the restrictive
597 * policies. Since these need to be combined together using AND, we
598 * can just add them one at a time.
600 foreach(item, restrictive_policies)
602 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
605 if (policy->qual != NULL)
607 qual = copyObject(policy->qual);
608 ChangeVarNodes((Node *) qual, 1, rt_index, 0);
610 *securityQuals = list_append_unique(*securityQuals, qual);
611 *hasSubLinks |= policy->hassublinks;
616 * Then add a single security qual combining together the USING
617 * clauses from all the permissive policies using OR.
619 if (list_length(permissive_quals) == 1)
620 rowsec_expr = (Expr *) linitial(permissive_quals);
622 rowsec_expr = makeBoolExpr(OR_EXPR, permissive_quals, -1);
624 ChangeVarNodes((Node *) rowsec_expr, 1, rt_index, 0);
625 *securityQuals = list_append_unique(*securityQuals, rowsec_expr);
630 * A permissive policy must exist for rows to be visible at all.
631 * Therefore, if there were no permissive policies found, return a
632 * single always-false clause.
634 *securityQuals = lappend(*securityQuals,
635 makeConst(BOOLOID, -1, InvalidOid,
636 sizeof(bool), BoolGetDatum(false),
641 * add_with_check_options
643 * Add WithCheckOptions of the specified kind to check that new records
644 * added by an INSERT or UPDATE are consistent with the specified RLS
645 * policies. Normally new data must satisfy the WITH CHECK clauses from the
646 * policies. If a policy has no explicit WITH CHECK clause, its USING clause
647 * is used instead. In the special case of an UPDATE arising from an
648 * INSERT ... ON CONFLICT DO UPDATE, existing records are first checked using
649 * a WCO_RLS_CONFLICT_CHECK WithCheckOption, which always uses the USING
650 * clauses from RLS policies.
652 * New WCOs are added to withCheckOptions, and hasSubLinks is set to true if
653 * any of the check clauses added contain sublink subqueries.
656 add_with_check_options(Relation rel,
659 List *permissive_policies,
660 List *restrictive_policies,
661 List **withCheckOptions,
665 List *permissive_quals = NIL;
667 #define QUAL_FOR_WCO(policy) \
668 ( kind != WCO_RLS_CONFLICT_CHECK && \
669 (policy)->with_check_qual != NULL ? \
670 (policy)->with_check_qual : (policy)->qual )
673 * First collect up the permissive policy clauses, similar to
674 * add_security_quals.
676 foreach(item, permissive_policies)
678 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
679 Expr *qual = QUAL_FOR_WCO(policy);
683 permissive_quals = lappend(permissive_quals, copyObject(qual));
684 *hasSubLinks |= policy->hassublinks;
689 * There must be at least one permissive qual found or no rows are allowed
690 * to be added. This is the same as in add_security_quals.
692 * If there are no permissive_quals then we fall through and return a
693 * single 'false' WCO, preventing all new rows.
695 if (permissive_quals != NIL)
698 * Add a single WithCheckOption for all the permissive policy clauses,
699 * combining them together using OR. This check has no policy name,
700 * since if the check fails it means that no policy granted permission
701 * to perform the update, rather than any particular policy being
704 WithCheckOption *wco;
706 wco = makeNode(WithCheckOption);
708 wco->relname = pstrdup(RelationGetRelationName(rel));
710 wco->cascaded = false;
712 if (list_length(permissive_quals) == 1)
713 wco->qual = (Node *) linitial(permissive_quals);
715 wco->qual = (Node *) makeBoolExpr(OR_EXPR, permissive_quals, -1);
717 ChangeVarNodes(wco->qual, 1, rt_index, 0);
719 *withCheckOptions = list_append_unique(*withCheckOptions, wco);
722 * Now add WithCheckOptions for each of the restrictive policy clauses
723 * (which will be combined together using AND). We use a separate
724 * WithCheckOption for each restrictive policy to allow the policy
725 * name to be included in error reports if the policy is violated.
727 foreach(item, restrictive_policies)
729 RowSecurityPolicy *policy = (RowSecurityPolicy *) lfirst(item);
730 Expr *qual = QUAL_FOR_WCO(policy);
731 WithCheckOption *wco;
735 qual = copyObject(qual);
736 ChangeVarNodes((Node *) qual, 1, rt_index, 0);
738 wco = makeNode(WithCheckOption);
740 wco->relname = pstrdup(RelationGetRelationName(rel));
741 wco->polname = pstrdup(policy->policy_name);
742 wco->qual = (Node *) qual;
743 wco->cascaded = false;
745 *withCheckOptions = list_append_unique(*withCheckOptions, wco);
746 *hasSubLinks |= policy->hassublinks;
753 * If there were no policy clauses to check new data, add a single
754 * always-false WCO (a default-deny policy).
756 WithCheckOption *wco;
758 wco = makeNode(WithCheckOption);
760 wco->relname = pstrdup(RelationGetRelationName(rel));
762 wco->qual = (Node *) makeConst(BOOLOID, -1, InvalidOid,
763 sizeof(bool), BoolGetDatum(false),
765 wco->cascaded = false;
767 *withCheckOptions = lappend(*withCheckOptions, wco);
772 * check_role_for_policy -
773 * determines if the policy should be applied for the current role
776 check_role_for_policy(ArrayType *policy_roles, Oid user_id)
779 Oid *roles = (Oid *) ARR_DATA_PTR(policy_roles);
781 /* Quick fall-thru for policies applied to all roles */
782 if (roles[0] == ACL_ID_PUBLIC)
785 for (i = 0; i < ARR_DIMS(policy_roles)[0]; i++)
787 if (has_privs_of_role(user_id, roles[i]))