Skip to content

Apply SELECT policies if RETURNING has cols #19720

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Apply SELECT policies if RETURNING has cols #19720

wants to merge 3 commits into from

Conversation

rmloveland
Copy link
Contributor

Fixes DOC-13890

@rmloveland rmloveland requested a review from spilchen June 5, 2025 20:24
@netlify Netlify
Copy link

netlify bot commented Jun 5, 2025
edited
Loading

Deploy Preview for cockroachdb-api-docs canceled.

Name Link
🔨 Latest commit 82d8fa7
🔍 Latest deploy log https://app.netlify.com/projects/cockroachdb-api-docs/deploys/684c7e71c86ddb00085aab26

@netlify Netlify
Copy link

netlify bot commented Jun 5, 2025
edited
Loading

Deploy Preview for cockroachdb-interactivetutorials-docs canceled.

Name Link
🔨 Latest commit 82d8fa7
🔍 Latest deploy log https://app.netlify.com/projects/cockroachdb-interactivetutorials-docs/deploys/684c7e7122facf0008b31cbd

@github-actions GitHub Actions
Copy link

github-actions bot commented Jun 5, 2025

Files changed:

@netlify Netlify
Copy link

netlify bot commented Jun 5, 2025
edited
Loading

Netlify Preview

Name Link
🔨 Latest commit 82d8fa7
🔍 Latest deploy log https://app.netlify.com/projects/cockroachdb-docs/deploys/684c7e7166d8c300082c01f6
😎 Deploy Preview https://deploy-preview-19720--cockroachdb-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

spilchen
spilchen reviewed Jun 6, 2025
View reviewed changes
src/current/v25.2/create-policy.md
@@ -66,7 +66,6 @@ The following table shows which policies are applied to which statement types, w

Additional considerations include:

- `SELECT` evaluation: CockroachDB always evaluates `SELECT` (`USING`) policies for `INSERT`, `UPDATE`, and `DELETE`, even when the statement doesn't reference table columns.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we include further details as to when the SELECT policies will be applied during an INSERT/UPDATE/DELETE? SELECT policies are always applied during the fetch of the existing row (for UPDATE or DELETE). If a column is referenced in the WHERE, SET or RETURNING clause, then SELECT policies will also get applied during the write.

I think the postgres docs handled this by adding superscript numbers to the above table as an additional addendum.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've taken a shot at addressing this feedback in 8af8a1f

tried to incorporate the info from your comment and add some superscripts and more explanation

PTAL!

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

During writes, the SELECT policy is always applied to the existing row. For the new row being inserted or updated, it's only applied if that row is referenced in the WHERE, SET, or RETURNING clause, since those clauses require reading from it.

It might be worth adding a column to the chart for this distinction.

The values for chart would be:

Command / SELECT policy - USING (row that already exists) / SELECT POLICY - USING (row being added)
SELECT / ✓ / -
SELECT … FOR UPDATE / ✓ / -
INSERT / - / ✓
INSERT … RETURNING / - / ✓(a)
UPDATE / ✓ / ✓(a)
DELETE / ✓ / -
INSERT … ON CONFLICT / ✓(b) / ✓(b)
UPSERT / ✓(b) / ✓(b)

For UPSERT and it's variants, we have slightly different behaviour. So, I added (b) which means:

  • (b) A USING policy failure causes the statement to fail. Normally, USING filters out rows silently.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for explaining this @spilchen! still wrapping my head around some of this stuff. I took a shot at incorporating your feedback in 82d8fa7, PTAL when you get a chance. I think it's faithful to your comment with just light edits, but pls let me know

@rmloveland rmloveland requested a review from spilchen June 10, 2025 19:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spilchen spilchen Awaiting requested review from spilchen

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rmloveland @spilchen