Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sql: validate RLS policy exemptions for constraints #143079

Merged
merged 1 commit into from
Mar 20, 2025
Merged

sql: validate RLS policy exemptions for constraints #143079

merged 1 commit into from
Mar 20, 2025

Conversation

spilchen
Copy link
Contributor

Unique and foreign key constraints on tables with row-level security (RLS) enabled are exempt from RLS policies when enforcing constraints. This exemption was implemented previously. This commit adds tests to validate that RLS policies do not interfere with constraint enforcement.

Closes #136747

Epic: CRDB-45203
Release note: none

@spilchen spilchen self-assigned this Mar 18, 2025
@cockroach-teamcity
Copy link
Member

This change is Reviewable

@spilchen spilchen marked this pull request as ready for review March 18, 2025 18:30
@spilchen spilchen requested a review from a team March 18, 2025 18:30
rafiss
rafiss approved these changes Mar 19, 2025
View reviewed changes
Copy link
Collaborator

@rafiss rafiss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm! as a possible additional test, would it be worth testing a CHECK constraint as well?

@spilchen
sql: validate RLS policy exemptions for constraints
Loading
Loading status checks…
7a7f2cc 
Unique and foreign key constraints on tables with row-level security
(RLS) enabled are exempt from RLS policies when enforcing constraints.
This exemption was implemented previously. This commit adds tests to
validate that RLS policies do not interfere with constraint enforcement.

Closes cockroachdb#136747

Epic: CRDB-45203
Release note: none
@spilchen spilchen force-pushed the gh-136747/250318/1143/fk-uniq-rls/pr-ready branch from 2ead183 to 7a7f2cc Compare March 20, 2025 19:17
@spilchen
Copy link
Contributor Author

lgtm! as a possible additional test, would it be worth testing a CHECK constraint as well?

Good idea. I added a subtest to mix CHECK constraints and RLS policies.

@spilchen
Copy link
Contributor Author

TFTR!

bors r+

@craig
Copy link
Contributor

craig bot commented Mar 20, 2025

Build succeeded:

@craig craig bot merged commit 65d7800 into cockroachdb:master Mar 20, 2025
24 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rafiss rafiss

Assignees

@spilchen spilchen

Labels
target-release-25.2.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

sql: Skip RLS policies when table is access for FK relationship and unique/PK constraints
3 participants
@spilchen @cockroach-teamcity @rafiss