forked from docs/doc-exports
Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com> Co-authored-by: Lu, Huayi <luhuayi@huawei.com> Co-committed-by: Lu, Huayi <luhuayi@huawei.com>
<a name="EN-US_TOPIC_0000001188429040"></a><a name="EN-US_TOPIC_0000001188429040"></a>
<h1 class="topictitle1">CREATE ROW LEVEL SECURITY POLICY</h1>
<div id="body1560407392208"><div class="section" id="EN-US_TOPIC_0000001188429040__section196521854173211"><h4 class="sectiontitle">Function</h4><p id="EN-US_TOPIC_0000001188429040__p48721529133312"><strong id="EN-US_TOPIC_0000001188429040__b1028518341089">CREATE ROW LEVEL SECURITY POLICY</strong> creates a row-level access control policy for a table.</p>
<p id="EN-US_TOPIC_0000001188429040__p1479416593558">The policy takes effect only after row-level access control has been enabled for the table (by running <strong id="EN-US_TOPIC_0000001188429040__b129951536313">ALTER TABLE</strong> ... <strong id="EN-US_TOPIC_0000001188429040__b586318723112">ENABLE ROW LEVEL SECURITY</strong>); creating a policy on its own filters nothing.</p>
<p id="EN-US_TOPIC_0000001188429040__p1643314285913">Currently, row-level access control filters the read side of a table (<strong id="EN-US_TOPIC_0000001188429040__b2028817617125">SELECT</strong>, <strong id="EN-US_TOPIC_0000001188429040__b1089912951216">UPDATE</strong>, <strong id="EN-US_TOPIC_0000001188429040__b188693135129">DELETE</strong>) and does not filter writes (<strong id="EN-US_TOPIC_0000001188429040__b2741955161210">INSERT</strong> and <strong id="EN-US_TOPIC_0000001188429040__b737282101320">MERGE INTO</strong>). The table owner or a system administrator defines the filter as an expression in the <strong id="EN-US_TOPIC_0000001188429040__b93774397136">USING</strong> clause. When a client reads the table, the database server collects the policies that apply to the current user and command, combines their expressions, and adds the result to the execution plan in the statement rewriting phase of the query. The combined expression is evaluated for each tuple of the table: if it returns <strong id="EN-US_TOPIC_0000001188429040__b1841663971617">TRUE</strong>, the tuple is visible to the current user; if it returns <strong id="EN-US_TOPIC_0000001188429040__b513195751618">FALSE</strong> or <strong id="EN-US_TOPIC_0000001188429040__b8839459151616">NULL</strong>, the tuple is invisible to the current user. Because only reads are filtered and the syntax has no write-side check, a user can insert a row that the policy then hides from that same user; the policy does not validate rows being written.</p>
<p id="EN-US_TOPIC_0000001188429040__p559544117276">A row-level access control policy name is scoped to its table: one table cannot have two policies with the same name, but policies on different tables may share a name.</p>
<p id="EN-US_TOPIC_0000001188429040__p18488195263013">Row-level access control policies can be applied to specified operations (<strong id="EN-US_TOPIC_0000001188429040__b134521951111813">SELECT</strong>, <strong id="EN-US_TOPIC_0000001188429040__b31061854121815">UPDATE</strong>, <strong id="EN-US_TOPIC_0000001188429040__b17564165610186">DELETE</strong>, and <strong id="EN-US_TOPIC_0000001188429040__b51521259111820">ALL</strong>). <strong id="EN-US_TOPIC_0000001188429040__b182704413190">ALL</strong> indicates that <strong id="EN-US_TOPIC_0000001188429040__b64561410131916">SELECT</strong>, <strong id="EN-US_TOPIC_0000001188429040__b144212151918">UPDATE</strong>, and <strong id="EN-US_TOPIC_0000001188429040__b1256919144197">DELETE</strong> will be affected. For a new row-level access control policy, the default value <strong id="EN-US_TOPIC_0000001188429040__b1694915812202">ALL</strong> will be used if you do not specify the operations that will be affected.</p>
<p id="EN-US_TOPIC_0000001188429040__p162715143367">Row-level access control policies can be applied to a specified user (role) or to all users (<strong id="EN-US_TOPIC_0000001188429040__b12959123817213">PUBLIC</strong>). For a new row-level access control policy, the default value <strong id="EN-US_TOPIC_0000001188429040__b11177155592112">PUBLIC</strong> will be used if you do not specify the user that will be affected.</p>
</div>
<div class="section" id="EN-US_TOPIC_0000001188429040__section12765201893310"><h4 class="sectiontitle">Precautions</h4><ul id="EN-US_TOPIC_0000001188429040__ul0606822105013"><li id="EN-US_TOPIC_0000001188429040__li5717812205115">Row-level access control policies can be defined for row-store tables, row-store partitioned tables, column-store tables, column-store partitioned tables, replication tables, unlogged tables, and hash tables.</li><li id="EN-US_TOPIC_0000001188429040__li1817414546507">Row-level access control policies cannot be defined for HDFS tables, foreign tables, or temporary tables.</li><li id="EN-US_TOPIC_0000001188429040__l964f3d68d79343ec895f266accae7521">Row-level access control policies cannot be defined for views.</li><li id="EN-US_TOPIC_0000001188429040__li11400107183312">A maximum of 100 row-level access control policies can be defined for a table.</li><li id="EN-US_TOPIC_0000001188429040__li155511718334">Users with administrator permissions and initial O&M users (Ruby) are not subject to row-level access control and can view the full data of the table.</li><li id="EN-US_TOPIC_0000001188429040__li107451922104418">Tables accessed through SQL statements, views, functions, and stored procedures are all subject to row-level access control policies; wrapping the table in a view or function does not bypass the policy.</li><li id="EN-US_TOPIC_0000001188429040__li1812625922720">The type of a column on which a row-level access control policy depends cannot be changed while the policy exists. For example, with a policy that references the role column of public.all_data, the following modification is not supported:<div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001188429040__screen11920599328"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span></pre></div></td><td class="code"><div><pre><span></span><span class="k">ALTER</span><span class="w"> </span><span class="k">TABLE</span><span class="w"> </span><span class="k">public</span><span class="p">.</span><span class="n">all_data</span><span class="w"> </span><span class="k">ALTER</span><span class="w"> </span><span class="k">COLUMN</span><span class="w"> </span><span class="k">role</span><span class="w"> </span><span class="k">TYPE</span><span class="w"> </span><span class="nb">text</span><span class="p">;</span>
</pre></div></td></tr></table></div>
</div>
</li></ul>
</div>
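<p>The following added example (it is not part of the original page) exercises three of the precautions above on one table: a view and a SQL function that read a table with row-level security enabled, the frozen type of the column the policy depends on, and the drop-alter-recreate sequence that restriction implies. The table, role, view, function and policy names are invented for the illustration, the password placeholder follows the page's own convention, and the <strong>DROP ROW LEVEL SECURITY POLICY</strong> statement is assumed to be available as documented elsewhere in this manual.</p>

```sql
-- Added example: a policy follows its table into views and functions, and
-- pins the type of the column it references. All object names are invented.
CREATE ROLE carol PASSWORD '{Password}';

CREATE TABLE public.orders (id int, owner varchar(100), amount int);
INSERT INTO public.orders VALUES (1, 'carol', 10);
INSERT INTO public.orders VALUES (2, 'dave',  20);
INSERT INTO public.orders VALUES (3, 'carol', 5);

-- Enable row-level security, then attach an owner-match policy.
ALTER TABLE public.orders ENABLE ROW LEVEL SECURITY;
CREATE ROW LEVEL SECURITY POLICY orders_rls ON public.orders
    USING (owner = CURRENT_USER);

-- Neither of these objects can carry a policy of its own (policies cannot be
-- defined on views), but the table access inside both is rewritten with
-- orders_rls, as the precautions state.
CREATE VIEW public.order_totals AS
    SELECT owner, SUM(amount) AS total FROM public.orders GROUP BY owner;

CREATE FUNCTION public.count_my_orders() RETURNS bigint AS $$
    SELECT count(*) FROM public.orders
$$ LANGUAGE SQL;

GRANT SELECT ON public.orders TO carol;
GRANT SELECT ON public.order_totals TO carol;
GRANT EXECUTE ON FUNCTION public.count_my_orders() TO carol;

-- Run these in a session opened as carol: every path yields only the rows
-- whose owner is 'carol'. Run them as a system administrator instead and all
-- rows come back, because administrators are exempt from row-level security.
SELECT * FROM public.orders ORDER BY id;
SELECT * FROM public.order_totals;
SELECT public.count_my_orders();

-- orders_rls references the owner column, so this is rejected while the
-- policy exists.
ALTER TABLE public.orders ALTER COLUMN owner TYPE text;

-- To change the type: drop the policy, alter the column, recreate the policy.
-- Doing it in one transaction leaves no intermediate state for other
-- sessions to observe.
BEGIN;
DROP ROW LEVEL SECURITY POLICY orders_rls ON public.orders;
ALTER TABLE public.orders ALTER COLUMN owner TYPE text;
CREATE ROW LEVEL SECURITY POLICY orders_rls ON public.orders
    USING (owner = CURRENT_USER);
COMMIT;
```

<p>The three reads at the end are the check worth keeping in a test suite: a policy that filters the base table but not the view or function over it would mean the wrapper runs as an exempt user, which is exactly the bypass the precautions rule out.</p>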
<div class="section" id="EN-US_TOPIC_0000001188429040__section16798192723415"><h4 class="sectiontitle">Syntax</h4><div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001188429040__screen4807142273712"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span>
<span class="normal">2</span>
<span class="normal">3</span>
<span class="normal">4</span>
<span class="normal">5</span></pre></div></td><td class="code"><div><pre><span></span><span class="k">CREATE</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="k">ROW</span><span class="w"> </span><span class="k">LEVEL</span><span class="w"> </span><span class="k">SECURITY</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="n">POLICY</span><span class="w"> </span><span class="n">policy_name</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="k">table_name</span>
<span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="err">{</span><span class="w"> </span><span class="n">PERMISSIVE</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">RESTRICTIVE</span><span class="w"> </span><span class="err">}</span><span class="w"> </span><span class="p">]</span>
<span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="k">FOR</span><span class="w"> </span><span class="err">{</span><span class="w"> </span><span class="k">ALL</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="k">UPDATE</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="k">DELETE</span><span class="w"> </span><span class="err">}</span><span class="w"> </span><span class="p">]</span>
<span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="k">TO</span><span class="w"> </span><span class="err">{</span><span class="w"> </span><span class="n">role_name</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="k">PUBLIC</span><span class="w"> </span><span class="err">}</span><span class="w"> </span><span class="p">[,</span><span class="w"> </span><span class="p">...]</span><span class="w"> </span><span class="p">]</span>
<span class="w"> </span><span class="k">USING</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="n">using_expression</span><span class="w"> </span><span class="p">)</span>
</pre></div></td></tr></table></div>
</div>
</div>
<div class="section" id="EN-US_TOPIC_0000001188429040__section11851526346"><h4 class="sectiontitle">Parameter Description</h4><ul id="EN-US_TOPIC_0000001188429040__ul1797082105710"><li id="EN-US_TOPIC_0000001188429040__l10d04a708e44432c8552ce5ae19edc79"><em id="EN-US_TOPIC_0000001188429040__i163991140112717">policy_name</em><p id="EN-US_TOPIC_0000001188429040__aa7b5db6826fb4cb2b492870e9a57f6e9">Specifies the name of a row-level access control policy to be created. The names of row-level access control policies for a table must be unique.</p>
</li><li id="EN-US_TOPIC_0000001188429040__ld8389117085641808615b13f1a9db00e"><em id="EN-US_TOPIC_0000001188429040__i15915413162914">table_name</em><p id="EN-US_TOPIC_0000001188429040__a618a27d6c2d648e488b84233937ff15c">Specifies the name of a table to which a row-level access control policy is applied.</p>
</li><li id="EN-US_TOPIC_0000001188429040__li23671960577"><strong id="EN-US_TOPIC_0000001188429040__b191466534158">PERMISSIVE</strong><p id="EN-US_TOPIC_0000001188429040__p236736145720">Specifies that the row-level access control policy is to be created as a permissive policy. For a given query, all applicable permissive policies are combined using the OR operator. Row-level access control policies are permissive by default.</p>
</li><li id="EN-US_TOPIC_0000001188429040__li68404815573"><strong id="EN-US_TOPIC_0000001188429040__b9534131101610">RESTRICTIVE</strong><p id="EN-US_TOPIC_0000001188429040__p0396942165716">Specifies that the row-level access control policy is to be created as a restrictive policy. For a given query, all applicable restrictive policies are combined using the AND operator.</p>
<div class="notice" id="EN-US_TOPIC_0000001188429040__n95706c955b064a6bb1a9c9b4587869d1"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="EN-US_TOPIC_0000001188429040__a4e2eaf842bd64d839214ff5de378ef6c">At least one permissive policy is required to grant access to data records. If only restrictive policies are used, no records will be accessible. When both permissive and restrictive policies are used, a record is accessible only when it passes at least one permissive policy and all restrictive policies.</p>
</div></div>
</li><li id="EN-US_TOPIC_0000001188429040__l7dc2a705b8484c5585b6fd66af58b22c"><em id="EN-US_TOPIC_0000001188429040__i17773164315292">command</em><p id="EN-US_TOPIC_0000001188429040__a5d44972e84d649f7b2836d6d25574319">Specifies the SQL operations affected by a row-level access control policy, including <strong id="EN-US_TOPIC_0000001188429040__b22511047153013">ALL</strong>, <strong id="EN-US_TOPIC_0000001188429040__b764419501309">SELECT</strong>, <strong id="EN-US_TOPIC_0000001188429040__b7833165417305">UPDATE</strong>, and <strong id="EN-US_TOPIC_0000001188429040__b917645943012">DELETE</strong>. If this parameter is not specified, the default value <strong id="EN-US_TOPIC_0000001188429040__b1599151683111">ALL</strong> will be used, covering <strong id="EN-US_TOPIC_0000001188429040__b199181943116">SELECT</strong>, <strong id="EN-US_TOPIC_0000001188429040__b191801522133110">UPDATE</strong>, and <strong id="EN-US_TOPIC_0000001188429040__b6768825203115">DELETE</strong>.</p>
<p id="EN-US_TOPIC_0000001188429040__p144561153115919">If <em id="EN-US_TOPIC_0000001188429040__i176845003117">command</em> is set to <strong id="EN-US_TOPIC_0000001188429040__b14958153143113">SELECT</strong>, only tuples that meet the condition (the return value of <em id="EN-US_TOPIC_0000001188429040__i2335513103420">using_expression</em> is <strong id="EN-US_TOPIC_0000001188429040__b189614153346">TRUE</strong>) can be read. The operations affected are <strong id="EN-US_TOPIC_0000001188429040__b9933833123410">SELECT</strong>, <strong id="EN-US_TOPIC_0000001188429040__b257016451347">UPDATE ... RETURNING</strong>, and <strong id="EN-US_TOPIC_0000001188429040__b56514111355">DELETE ... RETURNING</strong>, because the <strong>RETURNING</strong> clause reads the affected rows back.</p>
<p id="EN-US_TOPIC_0000001188429040__p742517159271">If <em id="EN-US_TOPIC_0000001188429040__i0323191663515">command</em> is set to <strong id="EN-US_TOPIC_0000001188429040__b3326316203518">UPDATE</strong>, only tuples that meet the condition (the return value of <em id="EN-US_TOPIC_0000001188429040__i03281616183512">using_expression</em> is <strong id="EN-US_TOPIC_0000001188429040__b63299169358">TRUE</strong>) can be updated. The operations affected are <strong id="EN-US_TOPIC_0000001188429040__b106661659103513">UPDATE</strong>, <strong id="EN-US_TOPIC_0000001188429040__b84401036368">UPDATE ... RETURNING</strong>, and <strong id="EN-US_TOPIC_0000001188429040__b15297121113616">SELECT ... FOR UPDATE/SHARE</strong>, the last because taking a row lock is treated as preparing to update the row.</p>
<p id="EN-US_TOPIC_0000001188429040__p576538133519">If <em id="EN-US_TOPIC_0000001188429040__i778917167364">command</em> is set to <strong id="EN-US_TOPIC_0000001188429040__b117928163365">DELETE</strong>, only tuples that meet the condition (the return value of <em id="EN-US_TOPIC_0000001188429040__i19793111618369">using_expression</em> is <strong id="EN-US_TOPIC_0000001188429040__b11795191615365">TRUE</strong>) can be deleted. The operations affected are <strong id="EN-US_TOPIC_0000001188429040__b09989465368">DELETE</strong> and <strong id="EN-US_TOPIC_0000001188429040__b203481255153618">DELETE ... RETURNING</strong>.</p>
<p id="EN-US_TOPIC_0000001188429040__p1876162412392">The following table describes the relationship between row-level access control policies and SQL statements.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000001188429040__table198047342176" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Relationship between row-level security policies and SQL statements</caption><thead align="left"><tr id="EN-US_TOPIC_0000001188429040__row14804134141720"><th align="left" class="cellrowborder" valign="top" width="25%" id="mcps1.3.4.2.5.7.2.5.1.1"><p id="EN-US_TOPIC_0000001188429040__p15480134519170">Command</p>
|
|
</th>
|
|
<th align="left" class="cellrowborder" valign="top" width="25%" id="mcps1.3.4.2.5.7.2.5.1.2"><p id="EN-US_TOPIC_0000001188429040__p68052034131718">SELECT/ALL Policy</p>
|
|
</th>
|
|
<th align="left" class="cellrowborder" valign="top" width="25%" id="mcps1.3.4.2.5.7.2.5.1.3"><p id="EN-US_TOPIC_0000001188429040__p1780563415176">UPDATE/ALL Policy</p>
|
|
</th>
|
|
<th align="left" class="cellrowborder" valign="top" width="25%" id="mcps1.3.4.2.5.7.2.5.1.4"><p id="EN-US_TOPIC_0000001188429040__p999710011189">DELETE/ALL Policy</p>
|
|
</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr id="EN-US_TOPIC_0000001188429040__row8805153420177"><td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.1 "><p id="EN-US_TOPIC_0000001188429040__p198427121816"><strong id="EN-US_TOPIC_0000001188429040__b39847712186">SELECT</strong></p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.2 "><p id="EN-US_TOPIC_0000001188429040__p11691414151820">Existing row</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.3 "><p id="EN-US_TOPIC_0000001188429040__p2069141491810">No</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.4 "><p id="EN-US_TOPIC_0000001188429040__p96911141181">No</p>
|
|
</td>
|
|
</tr>
|
|
<tr id="EN-US_TOPIC_0000001188429040__row88060345170"><td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.1 "><p id="EN-US_TOPIC_0000001188429040__p119842715181"><strong id="EN-US_TOPIC_0000001188429040__b179841175185">SELECT FOR UPDATE/SHARE</strong></p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.2 "><p id="EN-US_TOPIC_0000001188429040__p18691161415188">Existing row</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.3 "><p id="EN-US_TOPIC_0000001188429040__p96921114181819">Existing row</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.4 "><p id="EN-US_TOPIC_0000001188429040__p9692814151819">No</p>
|
|
</td>
|
|
</tr>
|
|
<tr id="EN-US_TOPIC_0000001188429040__row28066347171"><td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.1 "><p id="EN-US_TOPIC_0000001188429040__p99841079188"><strong id="EN-US_TOPIC_0000001188429040__b119841971185">UPDATE</strong></p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.2 "><p id="EN-US_TOPIC_0000001188429040__p1769241415186">No</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.3 "><p id="EN-US_TOPIC_0000001188429040__p46921714201817">Existing row</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.4 "><p id="EN-US_TOPIC_0000001188429040__p126921514111820">No</p>
|
|
</td>
|
|
</tr>
|
|
<tr id="EN-US_TOPIC_0000001188429040__row7807434141711"><td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.1 "><p id="EN-US_TOPIC_0000001188429040__p098513761813"><strong id="EN-US_TOPIC_0000001188429040__b189853718182">UPDATE RETURNING</strong></p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.2 "><p id="EN-US_TOPIC_0000001188429040__p8693191411810">Existing row</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.3 "><p id="EN-US_TOPIC_0000001188429040__p11693114171815">Existing row</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.4 "><p id="EN-US_TOPIC_0000001188429040__p1869315142184">No</p>
|
|
</td>
|
|
</tr>
|
|
<tr id="EN-US_TOPIC_0000001188429040__row980723420178"><td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.1 "><p id="EN-US_TOPIC_0000001188429040__p59855771815"><strong id="EN-US_TOPIC_0000001188429040__b1298517171813">DELETE</strong></p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.2 "><p id="EN-US_TOPIC_0000001188429040__p869361491810">No</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.3 "><p id="EN-US_TOPIC_0000001188429040__p1369451421818">No</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.4 "><p id="EN-US_TOPIC_0000001188429040__p1269413146181">Existing row</p>
|
|
</td>
|
|
</tr>
|
|
<tr id="EN-US_TOPIC_0000001188429040__row5809133491710"><td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.1 "><p id="EN-US_TOPIC_0000001188429040__p1698557101810"><strong id="EN-US_TOPIC_0000001188429040__b119851970188">DELETE RETURNING</strong></p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.2 "><p id="EN-US_TOPIC_0000001188429040__p2694171421811">Existing row</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.3 "><p id="EN-US_TOPIC_0000001188429040__p1269401481815">No</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.4.2.5.7.2.5.1.4 "><p id="EN-US_TOPIC_0000001188429040__p19694121417189">Existing row</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
</li><li id="EN-US_TOPIC_0000001188429040__li191762417"><em id="EN-US_TOPIC_0000001188429040__i18274216124012">role_name</em><p id="EN-US_TOPIC_0000001188429040__p12809171364012">Specifies database users affected by a row-level access control policy.</p>
<p id="EN-US_TOPIC_0000001188429040__p791567418">If this parameter is not specified, the default value <strong id="EN-US_TOPIC_0000001188429040__b1142175934017">PUBLIC</strong> will be used, indicating that all database users will be affected. You can specify multiple affected database users.</p>
<div class="notice" id="EN-US_TOPIC_0000001188429040__n2040f1a1a91d43919bfb3baec9444bd1"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="EN-US_TOPIC_0000001188429040__a08982048baf14db4bba5f6b6f7687a09">System administrators are not affected by row access control.</p>
</div></div>
</li></ul>
</div>
<ul id="EN-US_TOPIC_0000001188429040__ul128779149498"><li id="EN-US_TOPIC_0000001188429040__li10877161416497"><em id="EN-US_TOPIC_0000001188429040__i8437114212411">using_expression</em><p id="EN-US_TOPIC_0000001188429040__p1111512144213">Specifies an expression defined for a row-level access control policy (return type: boolean).</p>
<p id="EN-US_TOPIC_0000001188429040__p270517316512">The expression cannot contain aggregate functions or window functions. In the statement rewriting phase of a query, if row-level access control is enabled for the table, the expressions of the policies that apply to the current user and command are added to the plan tree and evaluated for each tuple of the table, so an expensive expression slows every query against that table. For <strong id="EN-US_TOPIC_0000001188429040__b19345172710468">SELECT</strong>, <strong id="EN-US_TOPIC_0000001188429040__b9550231194611">UPDATE</strong>, and <strong id="EN-US_TOPIC_0000001188429040__b1348744114463">DELETE</strong>, a row is visible to the current user only when the expression returns <strong id="EN-US_TOPIC_0000001188429040__b96951252154616">TRUE</strong>. If the expression returns <strong id="EN-US_TOPIC_0000001188429040__b542740154711">FALSE</strong> or NULL (for example, because a referenced column is NULL), the tuple is invisible to the current user: the user can neither read it with <strong id="EN-US_TOPIC_0000001188429040__b1892412634710">SELECT</strong>, change it with <strong id="EN-US_TOPIC_0000001188429040__b1019303217477">UPDATE</strong>, nor remove it with <strong id="EN-US_TOPIC_0000001188429040__b1031293644719">DELETE</strong>.</p>
</li></ul>
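<p>The following added example (it is not code from the original page) shows how the parameters described above interact on one table: two permissive policies that are OR-ed together, two restrictive policies that are AND-ed on top of them, one policy limited with <strong>FOR</strong> to a single command, one limited with <strong>TO</strong> to a single role, and a NULL column value that makes the <strong>USING</strong> expression return NULL and so hides the row from its own owner. The table, role and policy names are invented for the illustration; the password placeholder follows the page's own convention.</p>

```sql
-- Added example: combining PERMISSIVE and RESTRICTIVE policies with FOR and TO.
-- Table, role and policy names below are made up for this illustration.
CREATE ROLE analyst PASSWORD '{Password}';
CREATE ROLE auditor PASSWORD '{Password}';

CREATE TABLE public.tickets (
    id      int,
    owner   varchar(64),   -- name of the role that owns the row
    region  varchar(16),   -- deliberately nullable, see policy eu_only
    status  varchar(16),
    body    varchar(200)
);

INSERT INTO public.tickets VALUES (1, 'analyst', 'eu', 'open',   'analyst, eu, open');
INSERT INTO public.tickets VALUES (2, 'analyst', 'us', 'open',   'analyst, us, open');
INSERT INTO public.tickets VALUES (3, 'analyst', NULL, 'open',   'analyst, no region');
INSERT INTO public.tickets VALUES (4, 'analyst', 'eu', 'closed', 'analyst, eu, closed');
INSERT INTO public.tickets VALUES (5, 'auditor', 'eu', 'open',   'auditor, eu, open');

GRANT SELECT, UPDATE, DELETE ON public.tickets TO analyst, auditor;

-- Policies are inert until row-level security is switched on for the table.
ALTER TABLE public.tickets ENABLE ROW LEVEL SECURITY;

-- 1. Permissive, FOR ALL, TO PUBLIC (all three are the defaults):
--    every role may see, update and delete its own rows.
CREATE ROW LEVEL SECURITY POLICY own_rows ON public.tickets
    USING (owner = CURRENT_USER);

-- 2. Permissive, but only for SELECT and only for auditor: auditor may
--    additionally read any open ticket. Permissive policies are OR-ed, so
--    for auditor's SELECT a row passes if (1) OR (2) holds.
CREATE ROW LEVEL SECURITY POLICY auditor_reads_open ON public.tickets
    AS PERMISSIVE FOR SELECT TO auditor
    USING (status = 'open');

-- 3. Restrictive, FOR ALL, TO PUBLIC: restrictive policies are AND-ed on top
--    of the permissive result, so nobody ever sees a non-EU row.
--    For ticket 3 the expression evaluates to NULL (region IS NULL), which
--    hides the row exactly as FALSE would, even from its own owner.
CREATE ROW LEVEL SECURITY POLICY eu_only ON public.tickets
    AS RESTRICTIVE
    USING (region = 'eu');

-- 4. Restrictive, DELETE only: on top of ownership and region, a row may be
--    deleted only once it is closed. SELECT and UPDATE are not affected.
CREATE ROW LEVEL SECURITY POLICY delete_closed_only ON public.tickets
    AS RESTRICTIVE FOR DELETE
    USING (status = 'closed');

-- Statements to run in a session opened as analyst, then in one opened as
-- auditor; see the note below for what the combination rules yield.
SELECT id, body FROM public.tickets ORDER BY id;
SELECT id FROM public.tickets WHERE status = 'open' FOR UPDATE;
DELETE FROM public.tickets WHERE status = 'closed';
```

<p>Applying the combination rules from the parameter descriptions: for analyst, the <strong>SELECT</strong> returns tickets 1 and 4 (ticket 2 fails eu_only, ticket 3 fails it with NULL, ticket 5 is not owned); for auditor it returns tickets 1 and 5 (own_rows OR auditor_reads_open admits 1, 2, 3 and 5, then eu_only removes 2 and 3). The <strong>FOR UPDATE</strong> query is checked against the UPDATE policies, where auditor_reads_open does not apply, so it locks only ticket 1 for analyst and only ticket 5 for auditor. The <strong>DELETE</strong> removes ticket 4 for analyst and nothing for auditor, because delete_closed_only is AND-ed with own_rows and eu_only. Note what is not checked: analyst can still <strong>INSERT</strong> a row with owner 'auditor' or region 'us', since writes are not filtered and this syntax has no write-side clause; any rule about what a role may write has to be enforced outside the policy.</p>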
<div class="section" id="EN-US_TOPIC_0000001188429040__section17979101023515"><h4 class="sectiontitle">Examples</h4><p id="EN-US_TOPIC_0000001188429040__p17139105484616">Create user <strong id="EN-US_TOPIC_0000001188429040__b94409699133549">alice</strong>.</p>
<div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001188429040__screen329014393515"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span></pre></div></td><td class="code"><div><pre><span></span><span class="k">CREATE</span><span class="w"> </span><span class="k">ROLE</span><span class="w"> </span><span class="n">alice</span><span class="w"> </span><span class="n">PASSWORD</span><span class="w"> </span><span class="s1">'{Password}'</span><span class="p">;</span>
|
|
</pre></div></td></tr></table></div>
</div>
<p id="EN-US_TOPIC_0000001188429040__p161391154134616">Create user <strong id="EN-US_TOPIC_0000001188429040__b202946424633549">bob</strong>.</p>
<div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001188429040__screen521125218510"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span></pre></div></td><td class="code"><div><pre><span></span><span class="k">CREATE</span><span class="w"> </span><span class="k">ROLE</span><span class="w"> </span><span class="n">bob</span><span class="w"> </span><span class="n">PASSWORD</span><span class="w"> </span><span class="s1">'{Password}'</span><span class="p">;</span>
|
|
</pre></div></td></tr></table></div>
</div>
<p id="EN-US_TOPIC_0000001188429040__p12139135404620">Create the data table <strong id="EN-US_TOPIC_0000001188429040__b44723557033549">public.all_data</strong>:</p>
<div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001188429040__screen155040512544"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span></pre></div></td><td class="code"><div><pre><span></span><span class="k">CREATE</span><span class="w"> </span><span class="k">TABLE</span><span class="w"> </span><span class="k">public</span><span class="p">.</span><span class="n">all_data</span><span class="p">(</span><span class="n">id</span><span class="w"> </span><span class="nb">int</span><span class="p">,</span><span class="w"> </span><span class="k">role</span><span class="w"> </span><span class="nb">varchar</span><span class="p">(</span><span class="mi">100</span><span class="p">),</span><span class="w"> </span><span class="k">data</span><span class="w"> </span><span class="nb">varchar</span><span class="p">(</span><span class="mi">100</span><span class="p">));</span>
|
|
</pre></div></td></tr></table></div>
</div>
<p id="EN-US_TOPIC_0000001188429040__p4138154134618">Insert data into the data table:</p>
<div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001188429040__screen8544729513"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span>
<span class="normal">2</span>
<span class="normal">3</span></pre></div></td><td class="code"><div><pre><span></span><span class="k">INSERT</span><span class="w"> </span><span class="k">INTO</span><span class="w"> </span><span class="n">all_data</span><span class="w"> </span><span class="k">VALUES</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="s1">'alice'</span><span class="p">,</span><span class="w"> </span><span class="s1">'alice data'</span><span class="p">);</span>
<span class="k">INSERT</span><span class="w"> </span><span class="k">INTO</span><span class="w"> </span><span class="n">all_data</span><span class="w"> </span><span class="k">VALUES</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="s1">'bob'</span><span class="p">,</span><span class="w"> </span><span class="s1">'bob data'</span><span class="p">);</span>
<span class="k">INSERT</span><span class="w"> </span><span class="k">INTO</span><span class="w"> </span><span class="n">all_data</span><span class="w"> </span><span class="k">VALUES</span><span class="p">(</span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="s1">'peter'</span><span class="p">,</span><span class="w"> </span><span class="s1">'peter data'</span><span class="p">);</span>
</pre></div></td></tr></table></div>
</div>
<p id="EN-US_TOPIC_0000001188429040__p10138165410466">Grant the read permission for the <strong id="EN-US_TOPIC_0000001188429040__b164124374633549">all_data</strong> table to users <strong id="EN-US_TOPIC_0000001188429040__b78991165233549">alice</strong> and <strong id="EN-US_TOPIC_0000001188429040__b158149253533549">bob</strong>:</p>
<div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001188429040__screen2891147902"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span></pre></div></td><td class="code"><div><pre><span></span><span class="k">GRANT</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="n">all_data</span><span class="w"> </span><span class="k">TO</span><span class="w"> </span><span class="n">alice</span><span class="p">,</span><span class="w"> </span><span class="n">bob</span><span class="p">;</span>
|
|
</pre></div></td></tr></table></div>
</div>
<p id="EN-US_TOPIC_0000001188429040__p95014171977">Enable row-level access control on the table (without this step the policy created below would be stored but not applied):</p>
<div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001188429040__screen354714495289"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span></pre></div></td><td class="code"><div><pre><span></span><span class="k">ALTER</span><span class="w"> </span><span class="k">TABLE</span><span class="w"> </span><span class="n">all_data</span><span class="w"> </span><span class="n">ENABLE</span><span class="w"> </span><span class="k">ROW</span><span class="w"> </span><span class="k">LEVEL</span><span class="w"> </span><span class="k">SECURITY</span><span class="p">;</span>
|
|
</pre></div></td></tr></table></div>
</div>
<p id="EN-US_TOPIC_0000001188429040__p14137165434613">Create a row-level access control policy so that each user can see only the rows whose <strong>role</strong> column matches their own user name (the defaults apply: permissive, for all commands, to PUBLIC):</p>
<div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001188429040__screen42731683586"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span></pre></div></td><td class="code"><div><pre><span></span><span class="k">CREATE</span><span class="w"> </span><span class="k">ROW</span><span class="w"> </span><span class="k">LEVEL</span><span class="w"> </span><span class="k">SECURITY</span><span class="w"> </span><span class="n">POLICY</span><span class="w"> </span><span class="n">all_data_rls</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="n">all_data</span><span class="w"> </span><span class="k">USING</span><span class="p">(</span><span class="k">role</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">CURRENT_USER</span><span class="p">);</span>
|
|
</pre></div></td></tr></table></div>
</div>
<p id="EN-US_TOPIC_0000001188429040__p613717544460">View information about the <strong id="EN-US_TOPIC_0000001188429040__b93098865633549">all_data</strong> table:</p>
<div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001188429040__screen1887224815572"><div class="highlight"><pre><span></span><span class="err">\</span><span class="n">d</span><span class="o">+</span><span class="w"> </span><span class="n">all_data</span>
<span class="w"> </span><span class="k">Table</span><span class="w"> </span><span class="ss">"public.all_data"</span>
<span class="w"> </span><span class="k">Column</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="k">Type</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Modifiers</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="k">Storage</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Stats</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Description</span>
<span class="c1">--------+------------------------+-----------+----------+--------------+-------------</span>
<span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nb">integer</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">plain</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="o">|</span>
<span class="w"> </span><span class="k">role</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nb">character</span><span class="w"> </span><span class="nb">varying</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">extended</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="o">|</span>
<span class="w"> </span><span class="k">data</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nb">character</span><span class="w"> </span><span class="nb">varying</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">extended</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="o">|</span>
<span class="k">Row</span><span class="w"> </span><span class="k">Level</span><span class="w"> </span><span class="k">Security</span><span class="w"> </span><span class="n">Policies</span><span class="p">:</span>
<span class="w"> </span><span class="n">POLICY</span><span class="w"> </span><span class="ss">"all_data_rls"</span>
<span class="w"> </span><span class="k">USING</span><span class="w"> </span><span class="p">(((</span><span class="k">role</span><span class="p">)::</span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">"current_user"</span><span class="p">()))</span>
<span class="n">Has</span><span class="w"> </span><span class="k">OIDs</span><span class="p">:</span><span class="w"> </span><span class="k">no</span>
<span class="n">Distribute</span><span class="w"> </span><span class="k">By</span><span class="p">:</span><span class="w"> </span><span class="n">HASH</span><span class="p">(</span><span class="n">id</span><span class="p">)</span>
<span class="k">Location</span><span class="w"> </span><span class="n">Nodes</span><span class="p">:</span><span class="w"> </span><span class="k">ALL</span><span class="w"> </span><span class="n">DATANODES</span>
<span class="k">Options</span><span class="p">:</span><span class="w"> </span><span class="n">orientation</span><span class="o">=</span><span class="k">row</span><span class="p">,</span><span class="w"> </span><span class="n">compression</span><span class="o">=</span><span class="k">no</span><span class="p">,</span><span class="w"> </span><span class="n">enable_rowsecurity</span><span class="o">=</span><span class="k">true</span>
</pre></div>
</div>
<p id="EN-US_TOPIC_0000001188429040__p141351854144620">Run <strong id="EN-US_TOPIC_0000001188429040__b102452024133549">SELECT</strong>.</p>
<div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001188429040__screen7664189115716"><div class="highlight"><pre><span></span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">all_data</span><span class="p">;</span>
<span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="k">role</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="k">data</span>
<span class="c1">----+-------+------------</span>
<span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">alice</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">alice</span><span class="w"> </span><span class="k">data</span>
<span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">bob</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">bob</span><span class="w"> </span><span class="k">data</span>
<span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">peter</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">peter</span><span class="w"> </span><span class="k">data</span>
<span class="p">(</span><span class="mi">3</span><span class="w"> </span><span class="k">rows</span><span class="p">)</span>
<span class="k">EXPLAIN</span><span class="p">(</span><span class="n">COSTS</span><span class="w"> </span><span class="k">OFF</span><span class="p">)</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">all_data</span><span class="p">;</span>
<span class="w"> </span><span class="n">QUERY</span><span class="w"> </span><span class="n">PLAN</span>
<span class="c1">----------------------------</span>
<span class="w"> </span><span class="n">Streaming</span><span class="w"> </span><span class="p">(</span><span class="k">type</span><span class="p">:</span><span class="w"> </span><span class="n">GATHER</span><span class="p">)</span>
<span class="w"> </span><span class="n">Node</span><span class="o">/</span><span class="n">s</span><span class="p">:</span><span class="w"> </span><span class="k">All</span><span class="w"> </span><span class="n">datanodes</span>
<span class="w"> </span><span class="o">-&gt;</span><span class="w"> </span><span class="n">Seq</span><span class="w"> </span><span class="n">Scan</span><span class="w"> </span><span class="k">on</span><span class="w"> </span><span class="n">all_data</span>
<span class="p">(</span><span class="mi">3</span><span class="w"> </span><span class="k">rows</span><span class="p">)</span>
</pre></div>
</div>
<p id="EN-US_TOPIC_0000001188429040__p1313410540462">Switch to the <strong id="EN-US_TOPIC_0000001188429040__b71506908033549">alice</strong> user.</p>
<div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001188429040__screen210192118564"><div class="highlight"><pre><span></span><span class="k">set</span><span class="w"> </span><span class="k">role</span><span class="w"> </span><span class="n">alice</span><span class="w"> </span><span class="n">password</span><span class="w"> </span><span class="s1">'{Password}'</span><span class="p">;</span>
</pre></div>
</div>
<p id="EN-US_TOPIC_0000001188429040__p813415410462">Run <strong>SELECT</strong> again as <strong>alice</strong>. Only the row whose <strong>role</strong> column matches the current user is returned, and the execution plan now carries the policy expression as a filter together with a notice that row-level security was applied.</p>
<div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001188429040__screen3275331145617"><div class="highlight"><pre><span></span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">all_data</span><span class="p">;</span>
<span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="k">role</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="k">data</span>
<span class="c1">----+-------+------------</span>
<span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">alice</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">alice</span><span class="w"> </span><span class="k">data</span>
<span class="p">(</span><span class="mi">1</span><span class="w"> </span><span class="k">row</span><span class="p">)</span>

<span class="k">EXPLAIN</span><span class="p">(</span><span class="n">COSTS</span><span class="w"> </span><span class="k">OFF</span><span class="p">)</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">all_data</span><span class="p">;</span>
<span class="w"> </span><span class="n">QUERY</span><span class="w"> </span><span class="n">PLAN</span>
<span class="c1">----------------------------------------------------------------</span>
<span class="w"> </span><span class="n">Streaming</span><span class="w"> </span><span class="p">(</span><span class="k">type</span><span class="p">:</span><span class="w"> </span><span class="n">GATHER</span><span class="p">)</span>
<span class="w"> </span><span class="n">Node</span><span class="o">/</span><span class="n">s</span><span class="p">:</span><span class="w"> </span><span class="k">All</span><span class="w"> </span><span class="n">datanodes</span>
<span class="w"> </span><span class="o">-&gt;</span><span class="w"> </span><span class="n">Seq</span><span class="w"> </span><span class="n">Scan</span><span class="w"> </span><span class="k">on</span><span class="w"> </span><span class="n">all_data</span>
<span class="w"> </span><span class="n">Filter</span><span class="p">:</span><span class="w"> </span><span class="p">((</span><span class="k">role</span><span class="p">)::</span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">'alice'</span><span class="p">::</span><span class="n">name</span><span class="p">)</span>
<span class="w"> </span><span class="n">Notice</span><span class="p">:</span><span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="n">query</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">influenced</span><span class="w"> </span><span class="k">by</span><span class="w"> </span><span class="k">row</span><span class="w"> </span><span class="k">level</span><span class="w"> </span><span class="k">security</span><span class="w"> </span><span class="n">feature</span>
<span class="p">(</span><span class="mi">5</span><span class="w"> </span><span class="k">rows</span><span class="p">)</span>
</pre></div>
</div>
</div>
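<div class="section"><p>The steps above create a single policy that applies to every role and then verify it from one user's session. The following end-to-end script is an added example, not part of the original page or of the product's own documentation set: it shows how the same statement is used to scope policies to named roles, to separate read-only from read-write visibility, and to combine a permissive policy with a restrictive one, and then how to verify each case from the affected role's session. The table <strong>orders</strong>, its columns, and the roles <strong>alice</strong>, <strong>bob</strong> and <strong>auditor</strong> are constructed for illustration. The <strong>AS PERMISSIVE | RESTRICTIVE</strong>, <strong>FOR</strong>, <strong>TO</strong> and <strong>FORCE ROW LEVEL SECURITY</strong> options are the documented GaussDB(DWS) syntax; the combination rule (permissive policies ORed together, restrictive policies ANDed with that result) and the exemption of the table owner until <strong>FORCE ROW LEVEL SECURITY</strong> is set are assumed to follow the PostgreSQL model, so check the expected results below against your own cluster.</p>

```sql
-- Added example (not from the original page). Names are constructed:
-- table orders, roles alice / bob / auditor, placeholder passwords.
-- Assumption: permissive policies are ORed, restrictive policies ANDed, and the
-- table owner is exempt until FORCE ROW LEVEL SECURITY is set (PostgreSQL model).

-- 1. Table with row-level security enabled at creation time, plus sample rows.
CREATE TABLE orders (
    id     INTEGER,
    owner  VARCHAR(100),
    region VARCHAR(20),
    amount NUMERIC(12, 2)
) WITH (orientation = row, enable_rowsecurity = true)
DISTRIBUTE BY HASH(id);

INSERT INTO orders VALUES
    (1, 'alice', 'emea', 100.00),
    (2, 'bob',   'apac', 250.00),
    (3, 'alice', 'apac',  75.50);

-- 2. Roles and ordinary table privileges. A row-level policy only narrows what
--    an already-privileged statement can see; it never grants a privilege.
CREATE ROLE alice   PASSWORD '{Password}';
CREATE ROLE bob     PASSWORD '{Password}';
CREATE ROLE auditor PASSWORD '{Password}';
GRANT SELECT, INSERT, UPDATE, DELETE ON orders TO alice, bob;
GRANT SELECT, UPDATE ON orders TO auditor;

-- 3. Owners see and modify only their own rows. Unlike all_data_rls on this
--    page, the policy is scoped TO named roles rather than to everyone.
CREATE ROW LEVEL SECURITY POLICY orders_owner_rls ON orders
    AS PERMISSIVE
    FOR ALL
    TO alice, bob
    USING (owner = CURRENT_USER);

-- 4. Auditors may read every row. No permissive policy covers UPDATE/DELETE
--    for them, so those statements see zero rows even with the privilege.
CREATE ROW LEVEL SECURITY POLICY orders_audit_rls ON orders
    FOR SELECT
    TO auditor
    USING (true);

-- 5. A RESTRICTIVE policy is ANDed with whatever the permissive policies allow:
--    rows of region 'apac' are withheld from every affected role.
CREATE ROW LEVEL SECURITY POLICY orders_region_rls ON orders
    AS RESTRICTIVE
    TO PUBLIC
    USING (region <> 'apac');

-- Optional: apply the policies to the table owner as well (assumption: the
-- owner otherwise reads the table unfiltered, as in PostgreSQL).
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

-- 6. Verify as alice: owner = 'alice' AND region <> 'apac' leaves only row 1.
SET ROLE alice PASSWORD '{Password}';
SELECT id, owner, region FROM orders;
-- expected: one row: 1 | alice | emea
EXPLAIN (COSTS OFF) SELECT * FROM orders;
-- expected: a Filter on owner and region in the Seq Scan, plus the
-- "This query is influenced by row level security feature" notice.

-- Writes are not filtered (see Function above): this INSERT succeeds although
-- alice cannot read the new row back, because its owner is 'bob'.
INSERT INTO orders VALUES (4, 'bob', 'emea', 10.00);
SELECT count(*) FROM orders;
-- expected: 1
RESET ROLE;

-- 7. Verify as auditor: reads see every non-apac row, updates see none.
SET ROLE auditor PASSWORD '{Password}';
SELECT id, owner, region FROM orders ORDER BY id;
-- expected: 1 | alice | emea  and  4 | bob | emea
UPDATE orders SET amount = 0;
-- expected: UPDATE 0 (no permissive policy covers UPDATE for auditor)
RESET ROLE;
```

<p>Two checks are worth keeping in a deployment runbook. First, <strong>\d+</strong> on the table lists every policy with its <strong>USING</strong> expression, so an unexpected policy or a widened expression is visible without reading the catalog. Second, <strong>EXPLAIN</strong> from the affected role's session is the direct evidence that the policy reached the plan: if the <strong>Filter</strong> line and the row-level security notice are absent, either row-level security is not enabled on the table, the role is exempt, or no policy names that role for that command type.</p>
</div>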
<div class="section" id="EN-US_TOPIC_0000001188429040__section1426016489355"><h4 class="sectiontitle">Helpful Links</h4><p id="EN-US_TOPIC_0000001188429040__p9325125517354"><a href="dws_06_0200.html">DROP ROW LEVEL SECURITY POLICY</a></p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dws_06_0118.html">DDL Syntax</a></div>
</div>
</div>