Thanks to visit codestin.com
Credit goes to github.com

Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: postgresql-cfbot/postgresql
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: cf/6054~1
Choose a base ref
...
head repository: postgresql-cfbot/postgresql
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: cf/6054
Choose a head ref
  • 4 commits
  • 13 files changed
  • 2 contributors

Commits on Dec 27, 2025

  1. add RangeTblEntry to CreatePolicyStmt 

    Currently CreatePolicy is only directly called through parser.  But imagine
copying policies from one table to another table (CREATE TABLE LIKE INCLUDING
POLICIES) or changing a column's data type (ALTER COLUMN SET DATA TYPE). In these
case, CreatePolicy will be called indirectly, either via the parser, or by
constructing a CreatePolicyStmt node from catalog metadata.

These indirectly called CreatePolicy may cause repeated lookup CreatePolicyStmt->table
RangeVar.  (The relation already exists, but lookup up again via RangeVar).

Generally we should avoid look up the same less-than-fully-qualified name
multiple times, we might get different answers due to concurrent activity, and
that might create a security vulnerability, along the lines of CVE-2014-0062.

To avoid that, Add add a RangeTblEntry Node to CreatePolicyStmt, So we can
record the Relation Oid advance.

discussion: https://postgr.es/m/CACJufxE42vysVEDEmaoBGmGYLZTCgUAwh_h-c9dcSLDtD5jE3g@mail.gmail.com
discussion: https://postgr.es/m/CACJufxFuEOB-i2z2qhyCG=dGwDf7g6Fs_o8cz=BUi76UuUFSOA@mail.gmail.com
    @jianhe-fun
    jianhe-fun authored and Commitfest Bot committed Dec 27, 2025
    Configuration menu
    Copy the full SHA
    8975809 View commit details
    Browse the repository at this point in the history

  2. refactoring CreatePolicy: split policy qual, check qual 

    Currently CreatePolicy is only directly called through parser.  But imagine
copying policies from one table to another table (CREATE TABLE LIKE INCLUDING
POLICIES) or changing a column's data type (ALTER COLUMN SET DATA TYPE). In these
case, CreatePolicy will be called indirectly, either via the parser
(indirectly), or by constructing a CreatePolicyStmt node from pg_policy catalog.

As mentioned above, if we directly use pg_policy catalog info for constructing a
new CreatePolicyStmt node, then the policy qual, with_check qual in the new node
doesn't need to run parse analysis again, in fact, if we do parse analysis for
transformed node again, it will fail.

Another reason for refactoring is we may need to do parse analysis earlier
because we can only use CreatePolicyStmt.rte, not CreatePolicyStmt.table.

Overall splitting CreatePolicy qual, check qual parse analysis into a separate
function will make CreatePolicy more neat.

If you follow the call chain transformWhereClause -> transformExpr ->
transformExprRecurse -> transformSubLink -> parse_sub_analyze, you can see that
ParseState.p_rtable is not modified during transformWhereClause.

Therefore, it is safe to pass a single RTE list to recordDependencyOnExpr during
CreatePolicy.

discussion: https://postgr.es/m/CACJufxE42vysVEDEmaoBGmGYLZTCgUAwh_h-c9dcSLDtD5jE3g@mail.gmail.com
discussion: https://postgr.es/m/CACJufxFuEOB-i2z2qhyCG=dGwDf7g6Fs_o8cz=BUi76UuUFSOA@mail.gmail.com
    @jianhe-fun
    jianhe-fun authored and Commitfest Bot committed Dec 27, 2025
    Configuration menu
    Copy the full SHA
    67cb96e View commit details
    Browse the repository at this point in the history

  3. ALTER TABLE command to change policy 

    This change prevents ALTER TABLE … ALTER COLUMN SET DATA TYPE from failing when
the column has dependent policy objects, whereas previously it would raise an
error.

The approach closely mirrors how statistics are rebuilt: identify all policy
objects that need to be rebuilt, construct their CREATE definitions, and then
recreate those objects.

However, we must fail when the qual or WITH CHECK clause contains a subquery.
Otherwise, we would need to acquire AccessExclusiveLock on the referenced tables
too, which seems not good, for example, changing dtaa type in table t would also
lock table t1 in AccessExclusiveLock

CREATE TABLE t(a int);
CREATE TABLE t1(a int);
CREATE POLICY p2 ON t1 AS PERMISSIVE USING ((SELECT t.a IS NOT NULL FROM t));
ALTER TABLE t ALTER COLUMN a SET DATA TYPE INT8;
ERROR:  cannot alter type of a column used by a policy definition when the policy contains subquery
DETAIL:  policy p2 on table t depends on column "a"

Another reason to disallow subqueries in qual or WITH CHECK clauses is that,
internally, we reconstruct policy definitions. Recreating such policies can
trigger repeated RangeVar name lookups, leading to correctness and robustness
issues.

discussion: https://postgr.es/m/CACJufxE42vysVEDEmaoBGmGYLZTCgUAwh_h-c9dcSLDtD5jE3g@mail.gmail.com
    @jianhe-fun
    jianhe-fun authored and Commitfest Bot committed Dec 27, 2025
    Configuration menu
    Copy the full SHA
    d713bef View commit details
    Browse the repository at this point in the history

  4. [CF 6054] v3 - let ALTER COLUMN SET DATA TYPE cope with POLICY depend… 

    …ency

This branch was automatically generated by a robot using patches from an
email thread registered at:

https://commitfest.postgresql.org/patch/6054

The branch will be overwritten each time a new patch version is posted to
the thread, and also periodically to check for bitrot caused by changes
on the master branch.

Patch(es): https://www.postgresql.org/message-id/CACJufxGOVnwYA90nYfRAGue6e_UYNm_mSnaNEU1npfgjtydb=w@mail.gmail.com
Author(s): Jian He
    Commitfest Bot committed Dec 27, 2025
    Configuration menu
    Copy the full SHA
    2505234 View commit details
    Browse the repository at this point in the history
Loading