sql/opt: Generate synthetic check constraint to enforce RLS policies for new rows #141614
Conversation
…for new rows With row-level security, policies include a WITH CHECK expression to enforce constraints on new rows. This commit begins adding support for enforcing these policies by modifying the optbuilder to construct the check constraint, evaluate the expression, and pass the result to the execution engine. A future commit will integrate the execution engine to fully enforce these policies. Since the expression for the synthetic check constraint is determined at INSERT or UPDATE time, a placeholder check constraint is added when building the optimizer table catalog. The check constraint is then finalized in the mutationBuilder. Because the check constraint is constructed late in the process, a function is needed to look up the column ordinal for a given column ID. To facilitate this, the previously internal function lookupColumnOrdinal has been made external as LookupColumnOrdinal. Epic: CRDB-45203 Release note: None Informs: cockroachdb#136704
|
This change is |
There was a problem hiding this comment.
Reviewed 3 of 11 files at r1, all commit messages.
Reviewable status:complete! 0 of 0 LGTMs obtained (waiting on @mgartner and @michae2)
pkg/sql/opt_catalog.go line 1146 at r1 (raw file):
synthesizedChecks = append(synthesizedChecks, optCheckConstraint{ isRLSConstraint: true, })
It seems unfortunate to introduce a new type of check constraint to the list that has to be handled differently and requires new plumbing. Would it be possible to make mutationBuilder.addCheckConstraintCols directly check for RLS policies rather than adding a dummy constraint?
pkg/sql/opt/optbuilder/mutation_builder.go line 894 at r1 (raw file):
tabMeta: mb.md.TableMeta(mb.tabID), oc: mb.b.catalog, user: mb.checkPrivilegeUser,
nit: it looks like this is the only place where mutationBuilder.checkPrivilegeUser is used. Can we get rid of it and just do mb.b.checkPrivilegeUser here instead?
With row-level security, policies include a WITH CHECK expression to enforce constraints on new rows. This commit begins adding support for enforcing these policies by modifying the optbuilder to construct the check constraint, evaluate the expression, and pass the result to the execution engine. A future commit will integrate the execution engine to fully enforce these policies.
Since the expression for the synthetic check constraint is determined at INSERT or UPDATE time, a placeholder check constraint is added when building the optimizer table catalog. The check constraint is then finalized in the mutationBuilder.
Because the check constraint is constructed late in the process, a function is needed to look up the column ordinal for a given column ID. To facilitate this, the previously internal function lookupColumnOrdinal has been made external as LookupColumnOrdinal.
Epic: CRDB-45203
Release note: None
Informs: #136704