src/current/v25.2/alter-table.md
Lines changed: 5 additions & 5 deletions
@@ -60,7 +60,7 @@ Subcommand | Description | Can combine with other subcommands?
60
60
[`RENAME TO`](#rename-to) | Change the names of tables. | No
61
61
[`RESET {storage parameter}`](#reset-storage-parameter) | Reset a storage parameter on a table to its default value. | Yes
62
62
[`(ENABLE, DISABLE) ROW LEVEL SECURITY`](#enable-disable-row-level-security) | Enable or disable [row-level security]({% link {{ page.version.version }}/row-level-security.md %}) for a table. | Yes
63
-
[`(FORCE, NO FORCE) ROW LEVEL SECURITY`](#force-unforce-row-level-security) | Force the table owner to be subject to [row-level security]({% link {{ page.version.version }}/row-level-security.md %}) policies defined on a table. | No
63
+
[`(FORCE, NO FORCE) ROW LEVEL SECURITY`](#force-row-level-security) | Force the table owner to be subject to [row-level security]({% link {{ page.version.version }}/row-level-security.md %}) policies defined on a table. | Yes
64
64
[`SET {storage parameter}`](#set-storage-parameter) | Set a storage parameter on a table. | Yes
65
65
[`SET LOCALITY`](#set-locality) | Set the table locality for a table in a [multi-region database]({% link {{ page.version.version }}/multiregion-overview.md %}). | No
66
66
[`SET SCHEMA`](#set-schema) | Change the [schema]({% link {{ page.version.version }}/sql-name-resolution.md %}) of a table. | No
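Review bot: the row for `(FORCE, NO FORCE) ROW LEVEL SECURITY` changes more than its anchor: the "Can combine with other subcommands?" column flips from `No` to `Yes`, which is a claim about statement behaviour rather than a link fix, so it should be confirmed against the parser and called out in the commit message (the neighbouring `SET LOCALITY` and `SET SCHEMA` rows keep `No`). Also check for an anchor collision: before this change the synopsis row linked `#force-unforce-row-level-security` and the examples callout linked `#force-and-unforce-row-level-security`, two different sections; after it both point at `#force-row-level-security`, the slug of the renamed examples heading `### Force row-level security`. If the subcommand reference section keeps its own heading, this row now jumps to the examples rather than the reference, whereas the `(ENABLE, DISABLE)` row still distinguishes `#enable-disable-row-level-security` (reference) from `#enable-and-disable-row-level-security` (examples).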
@@ -477,7 +477,7 @@ For usage, see [Synopsis](#synopsis).
477
477
For examples, see [Enable and disable row-level security](#enable-and-disable-row-level-security).
478
478
479
479
{{site.data.alerts.callout_info}}
480
-
RLS applies to a table **only when explicitly enabled** using `ALTER TABLE ... ENABLE ROW LEVEL SECURITY`. Roles exempt from RLS policies include [admins]({% link {{ page.version.version }}/security-reference/authorization.md %}#roles), [table owners]({% link {{ page.version.version }}/security-reference/authorization.md %}#object-ownership) (unless the table is set to [`FORCE ROW LEVEL SECURITY`](#force-and-unforce-row-level-security)), and [roles with `BYPASSRLS`]({% link {{ page.version.version }}/alter-role.md %}#allow-a-role-to-bypass-row-level-security-rls).
480
+
RLS applies to a table **only when explicitly enabled** using `ALTER TABLE ... ENABLE ROW LEVEL SECURITY`. Roles exempt from RLS policies include [admins]({% link {{ page.version.version }}/security-reference/authorization.md %}#roles), [table owners]({% link {{ page.version.version }}/security-reference/authorization.md %}#object-ownership) (unless the table is set to [`FORCE ROW LEVEL SECURITY`](#force-row-level-security)), and [roles with `BYPASSRLS`]({% link {{ page.version.version }}/alter-role.md %}#allow-a-role-to-bypass-row-level-security-rls).
481
481
{{site.data.alerts.end}}
482
482
483
483
#### Required privileges
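Review bot: while this callout is being edited, reconcile its exemption list with the FORCE section of the same file. Here admins are listed as exempt with no caveat and only table owners carry the `(unless the table is set to FORCE ROW LEVEL SECURITY)` qualifier, but the FORCE description at line 498 says it is for environments where "all roles (including administrators) must operate under policy constraints". One of the two statements is wrong about whether `FORCE ROW LEVEL SECURITY` binds admin roles; state explicitly which roles FORCE affects, as the `callout_danger` already does for `BYPASSRLS`.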
@@ -497,7 +497,7 @@ The user must be a member of the [`admin`]({% link {{ page.version.version }}/se
497
497
498
498
Use this statement when you need to ensure that all access, including by the table owner, adheres to the defined RLS policies. For example, in production or multi-tenant environments where all roles (including administrators) must operate under policy constraints. Note that this statement only has an affect if [`ALTER TABLE ... ENABLE ROW LEVEL SECURITY`](#enable-disable-row-level-security) is also set.
499
499
500
-
For examples, see [Force and unforce row-level security](#force-and-unforce-row-level-security).
500
+
For examples, see [Force row-level security](#force-row-level-security).
501
501
502
502
{{site.data.alerts.callout_danger}}
503
503
Users with the `BYPASSRLS`[role option]({% link {{ page.version.version }}/security-reference/authorization.md %}#role-options) can still bypass RLS even when `ALTER TABLE ... FORCE ROW LEVEL SECURITY` is enabled.
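Review bot: two fixes in the context lines this hunk sits in: "only has an affect if" should read "only has an effect if", and "`BYPASSRLS`[role option]" in the `callout_danger` is missing the space before the link. The anchor update itself matches the heading rename in the examples section of this file.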
RLS applies to a table **only when explicitly enabled** using `ALTER TABLE ... ENABLE ROW LEVEL SECURITY`. Roles exempt from RLS policies include [admins]({% link {{ page.version.version }}/security-reference/authorization.md %}#roles), [table owners]({% link {{ page.version.version }}/security-reference/authorization.md %}#object-ownership) (unless the table is set to [`FORCE ROW LEVEL SECURITY`](#force-and-unforce-row-level-security)), and [roles with `BYPASSRLS`]({% link {{ page.version.version }}/alter-role.md %}#allow-a-role-to-bypass-row-level-security-rls).
3098
+
RLS applies to a table **only when explicitly enabled** using `ALTER TABLE ... ENABLE ROW LEVEL SECURITY`. Roles exempt from RLS policies include [admins]({% link {{ page.version.version }}/security-reference/authorization.md %}#roles), [table owners]({% link {{ page.version.version }}/security-reference/authorization.md %}#object-ownership) (unless the table is set to [`FORCE ROW LEVEL SECURITY`](#force-row-level-security)), and [roles with `BYPASSRLS`]({% link {{ page.version.version }}/alter-role.md %}#allow-a-role-to-bypass-row-level-security-rls).
3099
3099
{{site.data.alerts.end}}
3100
3100
3101
-
### Force and unforce row-level security
3101
+
### Force row-level security
3102
3102
3103
3103
To ensure that all access, including by the table [owner]({% link {{ page.version.version }}/security-reference/authorization.md %}#object-ownership), adheres to the defined [row-level security]({% link {{ page.version.version }}/row-level-security.md %}) policies, issue the following statement:
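Review bot: the heading drops "unforce" while the subcommand it illustrates is still documented as `(FORCE, NO FORCE) ROW LEVEL SECURITY`, and the lead sentence describes only the `FORCE` case. If the section still contains a `NO FORCE` example, the new title no longer covers it; if the `NO FORCE` example was removed, that removal is not in this diff and the synopsis row should then say where the reverse statement is shown.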
src/current/v25.2/create-policy.md
Lines changed: 6 additions & 8 deletions
@@ -34,7 +34,7 @@ CREATE POLICY [ IF NOT EXISTS ] policy_name ON table_name
34
34
35
35
Parameter | Description
36
36
----------|------------
37
-
`IF NOT EXISTS` | Used to specify that the policy will only be created if one with the same `policy_name` does not already exist on `table_name`.
37
+
`IF NOT EXISTS` | Used to specify that the policy will only be created if one with the same `policy_name` does not already exist on `table_name`. If a policy with that name does already exist, the statement will not return an error if this parameter is used.
38
38
`policy_name` | Unique identifier for the policy on the table.
39
39
`table_name` | The [table]({% link {{ page.version.version }}/schema-design-table.md %}) to which the policy applies.
40
40
`AS { PERMISSIVE, RESTRICTIVE }` | (**Default**: `PERMISSIVE`.) For `PERMISSIVE`, policies are combined using `OR`. A row is accessible if *any* permissive policy grants access. For `RESTRICTIVE`, policies are combined using `AND`. The overall policy enforcement is determined by evaluating a logical expression of the form: `(permissive policies) AND (restrictive policies)`. This means that all restrictive policies must grant access for a row to be accessible, and restrictive policies are evaluated *after* permissive policies. This means that you need to have at least one `PERMISSIVE` policy in place before applying `RESTRICTIVE` policies. If any restrictive policy denies access, the row is inaccessible, regardless of the permissive policies.
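Review bot: the sentence added to the `IF NOT EXISTS` row restates the first sentence and still does not say what the statement does instead of erroring. Suggest collapsing both into one: "Create the policy only if no policy named `policy_name` exists on `table_name`; if one does, the statement succeeds without changing the existing policy." Since the row already says the policy is only created when absent, the operationally important detail is that the existing policy's expressions stay in force and the new ones are not applied; make that explicit rather than leaving it to be inferred.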
@@ -56,18 +56,16 @@ The following table shows which policies are applied to which statement types, w
56
56
|`SELECT`| ✓ | — | — | — | — |
57
57
|`SELECT ... FOR UPDATE / FOR SHARE`| ✓ | — | ✓ | — | — |
58
58
|`INSERT`| — | ✓ | — | — | — |
59
-
|`INSERT ... RETURNING`| ✓ ‡| ✓ | — | — | — |
60
-
|`UPDATE`| ✓ ‡| — | ✓ | ✓ | — |
61
-
|`DELETE`| ✓ ‡| — | — | — | ✓ |
59
+
|`INSERT ... RETURNING`| ✓ | ✓ | — | — | — |
60
+
|`UPDATE`| ✓ | — | ✓ | ✓ | — |
61
+
|`DELETE`| ✓ | — | — | — | ✓ |
62
62
|`INSERT ... ON CONFLICT DO UPDATE`| ✓ | — | ✓ | ✓ | — |
63
63
|`UPSERT`| ✓ | — | ✓ | ✓ | — |
64
64
65
-
‡ The `SELECT` check is only evaluated when the statement actually needs to read from the relation, e.g., in a `WHERE`, `SET`, or `RETURNING` clause that references table columns.
66
-
67
65
Additional considerations include:
68
66
69
67
-`SELECT` evaluation: CockroachDB always evaluates `SELECT` (`USING`) policies for `INSERT`, `UPDATE`, and `DELETE`, even when the statement doesn't reference table columns.
70
-
-`ON CONFLICT ... DO NOTHING`: CockroachDB still runs constraint and row-level policy checks on the `VALUES` clause even when the candidate row is discarded because of a conflict. This is a known limitation described in [cockroachdb/cockroach#35370](https://github.com/cockroachdb/cockroach/issues/35370).
68
+
-`ON CONFLICT ... DO NOTHING`: CockroachDB does not run the constraint and row-level policy checks on the `VALUES` clause if the candidate row has a conflict. This is a known limitation described in [cockroachdb/cockroach#35370](https://github.com/cockroachdb/cockroach/issues/35370).
71
69
72
70
## Examples
73
71
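Review bot: the `ON CONFLICT ... DO NOTHING` bullet now states the opposite behaviour of the line it replaces ("still runs constraint and row-level policy checks" became "does not run the constraint and row-level policy checks") while citing the same issue cockroachdb/cockroach#35370; the commit message should say which is the observed behaviour in v25.2, because the two readings lead policy authors to different conclusions about what a restricted role can learn from a conflicting insert. Removing the ‡ markers and the footnote is consistent with the retained bullet stating that `SELECT` (`USING`) policies are always evaluated for `INSERT`, `UPDATE`, and `DELETE`; the footnote contradicted that bullet.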
@@ -98,7 +96,7 @@ CREATE POLICY user_orders_policy ON orders
98
96
-[`DROP POLICY`]({% link {{ page.version.version }}/drop-policy.md %})
99
97
-[`SHOW POLICIES`]({% link {{ page.version.version }}/show-policies.md %})
-[`ALTER TABLE ... (FORCE, NO FORCE) ROW LEVEL SECURITY`]({% link {{ page.version.version }}/alter-table.md %}#force-unforce-row-level-security).
129
+
-[`ALTER TABLE ... (FORCE, NO FORCE) ROW LEVEL SECURITY`]({% link {{ page.version.version }}/alter-table.md %}#force-row-level-security).
130
130
131
131
### RLS for Data Security (Fine-Grained Access Control)
132
132
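Review bot: the updated bullet keeps a trailing period while the sibling bullets `[`DROP POLICY`]` and `[`SHOW POLICIES`]` have none; drop it for consistency. The new anchor `#force-row-level-security` depends on the heading rename in alter-table.md in this same commit, so the two files must ship together or the cross-link breaks.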
@@ -188,7 +188,7 @@ GRANT SELECT ON employees TO employee;
188
188
189
189
#### Enable row-level security for fine-grained access control
190
190
191
-
Next, enable row-level security using the [`ALTER TABLE ... ENABLE ROW LEVEL SECURITY`]({% link {{ page.version.version }}/alter-table.md %}#enable-disable-row-level-security) statement. Optionally, you may want to ensure that the table owner is also subject to RLS using [`ALTER TABLE ... FORCE ROW LEVEL SECURITY`]({% link {{ page.version.version }}/alter-table.md %}#force-unforce-row-level-security).
191
+
Next, enable row-level security using the [`ALTER TABLE ... ENABLE ROW LEVEL SECURITY`]({% link {{ page.version.version }}/alter-table.md %}#enable-disable-row-level-security) statement. Optionally, you may want to ensure that the table owner is also subject to RLS using [`ALTER TABLE ... FORCE ROW LEVEL SECURITY`]({% link {{ page.version.version }}/alter-table.md %}#force-row-level-security).
192
192
193
193
{% include_cached copy-clipboard.html %}
194
194
~~~sql
@@ -456,7 +456,7 @@ CREATE POLICY tenant_isolation ON invoices
456
456
Explanation of policy:
457
457
458
458
-`AS PERMISSIVE`: Necessary because you need at least one permissive policy. The permissive policy above has logic to show results for a default tenant ID if the `application_name` is omitted or improperly formatted.
459
-
-`AS RESTRICTIVE`: Makes the policy mandatory. If other policies exist, they must *also* pass. For simple tenant isolation, this is often the safest default.
459
+
-`AS RESTRICTIVE`: Makes the policy mandatory. If other policies exist, they must *also* pass. For simple tenant isolation, this is often the safest default. The restrictive policy above applies to the `app_dev` role, so that anyone assigned to the `app_dev` role must use the correctly formatted `application_name`, and is not allowed to fallback to the default tenant ID.
460
460
-`FOR ALL`: Covers all data modification and retrieval.
461
461
-`TO PUBLIC`: Applies the policy broadly. Roles should primarily manage table-level access using `GRANT`, while this policy handles row-level visibility.
462
462
-`USING`: Ensures queries only see rows matching the session's tenant ID, which is passed in using the `application_name` session variable and extracted using the `split_part` function.
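Review bot: the added sentence says the restrictive policy "applies to the `app_dev` role", but the `TO PUBLIC` bullet two lines below still says the policy "applies the policy broadly" without saying which of the two policies it describes; name the policy in each bullet (permissive `TO PUBLIC`, restrictive `TO app_dev`) so the explanation matches the `CREATE POLICY` statements above it. "Fallback" used as a verb should be "fall back". It is also worth spelling out the consequence that follows from the two bullets together: roles outside `app_dev` are still served by the permissive policy's default-tenant fallback when `application_name` is missing or malformed, so the restriction is deliberately narrower than the isolation rule.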
@@ -533,7 +533,7 @@ For a demo showing how to combine Row-level security with [Multi-region SQL]({%
533
533
-[`ALTER POLICY`]({% link {{ page.version.version }}/alter-policy.md %})
534
534
-[`DROP POLICY`]({% link {{ page.version.version }}/drop-policy.md %})