From 51e9df7a1005fc7748c71cd359431f2a41ea678d Mon Sep 17 00:00:00 2001
From: Joe Conway <mail@joeconway.com>
Date: Thu, 22 Dec 2016 17:57:01 -0800
Subject: [PATCH] Improve RLS documentation with respect to COPY

Documentation for pg_restore said COPY TO does not support row security
when in fact it should say COPY FROM. Fix that.

While at it, make it clear that "COPY FROM" does not allow RLS to be
enabled and INSERT should be used instead. Also that SELECT policies
will apply to COPY TO statements.

Back-patch to 9.5 where RLS first appeared.

Author: Joe Conway
Reviewed-By: Dean Rasheed and Robert Haas
Discussion: https://postgr.es/m/5744FA24.3030008%40joeconway.com
---
 doc/src/sgml/ref/copy.sgml       | 9 +++++++++
 doc/src/sgml/ref/pg_dump.sgml    | 5 +++++
 doc/src/sgml/ref/pg_restore.sgml | 2 +-
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/doc/src/sgml/ref/copy.sgml b/doc/src/sgml/ref/copy.sgml
index 07e2f45196..8ad547272f 100644
--- a/doc/src/sgml/ref/copy.sgml
+++ b/doc/src/sgml/ref/copy.sgml
@@ -418,6 +418,15 @@ COPY <replaceable class="parameter">count</replaceable>
     to have column privileges on the column(s) listed in the command.
    </para>
 
+   <para>
+    If row-level security is enabled for the table, the relevant 
+    <command>SELECT</command> policies will apply to <literal>COPY
+    <replaceable class="parameter">table</> TO</literal> statements.
+    Currently, <command>COPY FROM</command> is not supported for tables
+    with row-level security. Use equivalent <command>INSERT</command>
+    statements instead.
+   </para>
+
    <para>
     Files named in a <command>COPY</command> command are read or written
     directly by the server, not by the client application. Therefore,
diff --git a/doc/src/sgml/ref/pg_dump.sgml b/doc/src/sgml/ref/pg_dump.sgml
index f1e60bb51b..038a376f4a 100644
--- a/doc/src/sgml/ref/pg_dump.sgml
+++ b/doc/src/sgml/ref/pg_dump.sgml
@@ -702,6 +702,11 @@ PostgreSQL documentation
         to dump the parts of the contents of the table that they have access to.
        </para>
 
+       <para>
+        Note that if you use this option currently, you probably also want
+        the dump be in <command>INSERT</command> format, as the
+        <command>COPY FROM</command> during restore does not support row security.
+       </para>
       </listitem>
      </varlistentry>
 
diff --git a/doc/src/sgml/ref/pg_restore.sgml b/doc/src/sgml/ref/pg_restore.sgml
index c9069193af..ef5bab40d1 100644
--- a/doc/src/sgml/ref/pg_restore.sgml
+++ b/doc/src/sgml/ref/pg_restore.sgml
@@ -527,7 +527,7 @@
 
        <para>
         Note that this option currently also requires the dump be in <command>INSERT</command>
-        format, as <command>COPY TO</command> does not support row security.
+        format, as <command>COPY FROM</command> does not support row security.
        </para>
       </listitem>
      </varlistentry>
-- 
2.40.0