Aggregate/Window functions restriction in Postgres

2019-08-06 18:10发布

站内问答 / 前沿技术
1431 1 4

I've been successfully able to use a dense_rank() over (order by...) which AFAIK is a window function - in postgres' row level security policy conditions.

However, the documentation states

Any SQL conditional expression (returning boolean). The conditional expression cannot contain any aggregate or window functions

(emphasis is mine).

Can someone explain this restriction and give an example where it applies?

Thanks.

1条回答
趁早两清
2楼-- · 2019-08-06 18:41

Basically, it tells you that each row is independent in regard of row-level security.

Consider the table below:

+---------------------+----------------+
| field1              | field2         |
+---------------------+----------------+
| value1              | 1              |
| value1              | 2              |
| value1              | 3              |
| value2              | 4              |
+---------------------+----------------+

There are several (permissive) policies:

  1. field1 = 'value1'
  2. field1 = 'value2'
  3. SUM(field2)> 10 (forbidden but let us imagine for now that you could define it)

You were granted policies #2 and 3 so you can see and update the last record only.
... Until you execute UPDATE table SET value2 = 11.

This is really bad in terms of:

  • Security. You can "grant yourself" access to records, as a user (not as an admin).
  • Maintenance. Records would keep appearing/disappearing randomly in such database.
  • Performance. Such policy would have a very big cost to evaluate.

Interstingly, you can define policies as MyField IN (SELECT MyOtherField FROM MyOtherTable), in which case it all relies on what you defined on MyOtherTable (it is intended to be used with FK/PK).

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)