2

One might forget to enable it, so I'd rather explicitly disable it for tables that don't need it.

2
  • But where's the question you're asking? Commented May 1, 2016 at 8:52
  • I'll rephrase: how to enable row level security by default? Commented May 1, 2016 at 10:28

2 Answers

3

Row level security cannot be enabled or disabled by default. You have to ALTER TABLE ... ENABLE ROW LEVEL SECURITY. However, I don't see how you can forget it, as a table is only accessible by its owner initially. If you then create a row security policy with CREATE POLICY, you will still not have access, so you'll know you did something wrong.

You can ask yourself why you have to ALTER TABLE ... ENABLE ROW LEVEL SECURITY to begin with, but that is a question for the postgresql-devel mailing list, not for SO.


1 Comment

Alright. I think it's there because of performance reasons. COPY commands are transformed into normal INSERTs when row level security is enabled. I'm sure there are other reasons. The fact that it's not enabled by default is a problem when I create a policy and GRANT access to a role. If I haven't run ENABLE ROW SECURITY, then the policy won't be applied.
2
+50

I think you can probably enable it by default by creating an event trigger.

I haven't tried this but this should be enough to get you started.

In this case you effectively have a function which runs after any CREATE TABLE and enables row level security.

The PostgreSQL docs for PostgreSQL 9.5 are at http://www.postgresql.org/docs/9.5/static/functions-event-triggers.html for functions you can use to get the table info. This looks feasible.
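
A sketch of the event trigger this answer describes, added here as an example and not the answerer's own code. The function name, trigger name and the `app.lookup_codes` table are hypothetical; the closing query lists tables that have a policy but no row security enabled, the case raised in the comment on the first answer.

```sql
-- Added example: enable_rls_on_new_table, enable_rls_by_default and
-- app.lookup_codes are hypothetical names. Event triggers need superuser to create.
CREATE OR REPLACE FUNCTION enable_rls_on_new_table()
RETURNS event_trigger
LANGUAGE plpgsql
AS $$
DECLARE
    obj record;
BEGIN
    FOR obj IN
        SELECT object_identity
        FROM pg_event_trigger_ddl_commands()
        WHERE object_type = 'table'
          AND command_tag IN ('CREATE TABLE', 'CREATE TABLE AS', 'SELECT INTO')
          AND NOT in_extension   -- assumption: leave extension-owned tables alone
    LOOP
        -- object_identity is already schema-qualified and quoted, so %s is correct.
        EXECUTE format('ALTER TABLE %s ENABLE ROW LEVEL SECURITY', obj.object_identity);
    END LOOP;
END;
$$;

-- The tag filter excludes ALTER TABLE, so the statement above does not re-fire the trigger.
CREATE EVENT TRIGGER enable_rls_by_default
    ON ddl_command_end
    WHEN TAG IN ('CREATE TABLE', 'CREATE TABLE AS', 'SELECT INTO')
    EXECUTE PROCEDURE enable_rls_on_new_table();

-- Explicit opt-out for a table that does not need row security (constructed example).
CREATE SCHEMA IF NOT EXISTS app;
CREATE TABLE app.lookup_codes (code text PRIMARY KEY, label text NOT NULL);
ALTER TABLE app.lookup_codes DISABLE ROW LEVEL SECURITY;

-- Audit: tables with at least one policy but row security not enabled,
-- so the policy is silently not applied.
SELECT c.oid::regclass AS table_name, count(*) AS policies
FROM pg_class c
JOIN pg_policy p ON p.polrelid = c.oid
WHERE c.relkind = 'r' AND NOT c.relrowsecurity
GROUP BY c.oid
ORDER BY c.oid;
```

Enabling row security does not restrict the table owner or superusers unless the table is also set to FORCE ROW LEVEL SECURITY.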
