Menu
the PostgreSQL-Documentation describes how to create or drop a row policy, but not how to get a list of the existing ones. My aim is to be able to know, by using pgAdmin, if there are row policies affecting a table and how they work.
Thanks!
266
Row level security (RLS for short) is a PostgreSQL security feature provided by the open source PostgreSQL database. It allows database administrators to define policies to control how specific rows of data display and operate for one or more roles.
To find the name of a constraint in PostgreSQL, use the view pg_constraint in the pg_catalog schema. Join the view pg_catalog. pg_constraint with the view pg_class ( JOIN pg_class t ON t. oid = c.
A policy grants the permission to select, insert, update, or delete rows that match the relevant policy expression. Existing table rows are checked against the expression specified in USING , while new rows that would be created via INSERT or UPDATE are checked against the expression specified in WITH CHECK .
To list down all tables columns on a specific table in the a PostgreSQL database using psql command-line, you can use \dS your_table_name.
More helpful than catalog view pg_policy is pg_policies. You see what table it applies to and even what the policy does (though that seems to get truncated).
So just run: select * from pg_policies
which actually boils down to this (thanks to @jmelesky):
SELECT n.nspname AS schemaname,
c.relname AS tablename,
pol.polname AS policyname,
CASE
WHEN pol.polpermissive THEN 'PERMISSIVE'::text
ELSE 'RESTRICTIVE'::text
END AS permissive,
CASE
WHEN pol.polroles = '{0}'::oid[] THEN string_to_array('public'::text, ''::text)::name[]
ELSE ARRAY( SELECT pg_authid.rolname
FROM pg_authid
WHERE pg_authid.oid = ANY (pol.polroles)
ORDER BY pg_authid.rolname)
END AS roles,
CASE pol.polcmd
WHEN 'r'::"char" THEN 'SELECT'::text
WHEN 'a'::"char" THEN 'INSERT'::text
WHEN 'w'::"char" THEN 'UPDATE'::text
WHEN 'd'::"char" THEN 'DELETE'::text
WHEN '*'::"char" THEN 'ALL'::text
ELSE NULL::text
END AS cmd,
pg_get_expr(pol.polqual, pol.polrelid) AS qual,
pg_get_expr(pol.polwithcheck, pol.polrelid) AS with_check
FROM pg_policy pol
JOIN pg_class c ON c.oid = pol.polrelid
LEFT JOIN pg_namespace n ON n.oid = c.relnamespace;
There is a catalog view that holds what you want: pg_policy. It's a little obscure, but it holds what you need.
# \d pg_policy
Table "pg_catalog.pg_policy"
Column | Type | Modifiers
--------------+--------------+-----------
polname | name | not null
polrelid | oid | not null
polcmd | "char" | not null
polroles | oid[] |
polqual | pg_node_tree |
polwithcheck | pg_node_tree |
Indexes:
"pg_policy_oid_index" UNIQUE, btree (oid)
"pg_policy_polrelid_polname_index" UNIQUE, btree (polrelid, polname)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
