feat: add PostgreSQL Row Level Security (RLS) support (#2345)

* feat: add PostgreSQL Row Level Security (RLS) support

Add support for PostgreSQL Row Level Security statements:
- CREATE POLICY with full syntax (FOR, TO, USING, WITH CHECK clauses)
- ALTER TABLE ENABLE/DISABLE/FORCE/NO FORCE ROW LEVEL SECURITY

Changes:
- New CreatePolicy AST class for CREATE POLICY statements
- Added RLS operations to AlterOperation enum
- Updated grammar with POLICY, LEVEL, SECURITY keywords
- Fixed grammar conflicts with LOOKAHEAD directives
- Updated all visitor interfaces and implementations
- Added comprehensive unit tests (19 tests, 100% passing)
- Updated README.md with new features

All code quality checks passing:
- CheckStyle: 0 violations
- PMD: passed

* fix: correct grammar alternative ordering for RLS statements

Fixed parser failures when parsing PostgreSQL Row Level Security (RLS)
statements by reordering grammar alternatives to check more specific
patterns before less specific ones.

Problem:
- ALTER TABLE ... ENABLE/DISABLE ROW LEVEL SECURITY failed to parse
- Parser was incorrectly choosing ENABLE/DISABLE KEYS path first
- Grammar warning about WITH keyword conflict in CREATE POLICY

Solution:
1. Reordered ENABLE alternatives: ENABLE ROW LEVEL SECURITY now checked
   before ENABLE KEYS (lines 9674-9684)
2. Reordered DISABLE alternatives: DISABLE ROW LEVEL SECURITY now checked
   before DISABLE KEYS (lines 9661-9671)
3. Added LOOKAHEAD(2) to WITH CHECK clause in CREATE POLICY to resolve
   conflict with CTEs (line 10470)

Impact:
- All 19 existing RLS tests pass (8 AlterRowLevelSecurityTest,
  11 CreatePolicyTest)
- WITH keyword conflict warning eliminated
- Parser can now handle real-world SQL migration files with RLS statements
- No regressions in existing functionality

Technical Note:
In JavaCC, when multiple alternatives share a common prefix (like ENABLE),
the more specific pattern (longer token sequence) must appear FIRST in the
grammar to be matched correctly. LOOKAHEAD values help disambiguate, but
ordering is critical for correct parsing.

* fix: allow RLS keywords (LEVEL, POLICY, SECURITY) as aliases

Added K_LEVEL, K_POLICY, and K_SECURITY tokens to RelObjectNameWithoutStart()
production to allow these keywords to be used as column aliases in addition to
table/column names. This resolves the conflict where RLS keywords were breaking
Oracle hierarchical queries and keywords-as-identifiers tests.

The fix maintains RLS functionality while allowing these keywords to work in all
SQL contexts including aliases (e.g., SELECT col AS level).

* chore: update keywords after running updateKeywords task

After running `./gradlew updateKeywords`, the task automatically added
LEVEL, POLICY, and SECURITY keywords to RelObjectNameWithoutValue() in
alphabetical order (line 3275).

Removed redundant manual additions from RelObjectName() and
RelObjectNameWithoutStart() that were causing unreachable statement
compilation errors.

The keywords are now properly maintained in the canonical location
(RelObjectNameWithoutValue) and will work as identifiers in all contexts.

Tests: All 4154 tests passing

* run ./gradlew spotlessApply

* fix: complete TablesNamesFinder integration for CREATE POLICY

Add expression visitor calls to traverse USING and WITH CHECK clauses,
enabling discovery of all table references in subqueries.

This completes the TablesNamesFinder visitor implementation for CREATE POLICY
statements by following the same pattern used in Update, Delete, and PlainSelect
statements.

Includes comprehensive test coverage (12 tests) covering simple subqueries,
nested subqueries, CTEs, JOINs, and edge cases.

---------

Co-authored-by: raz aranyi <[email protected]>

Author: eyalge-gong

README.md

@@ -90,6 +90,7 @@ JSQLParserBenchmark.parseSQLStatements        5.1  avgt   15  86.592 ± 5.781  m
 | RDBMS                                                                                                           | Statements                                                                                                                              |
 |-----------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|
 | BigQuery<br>Snowflake<br>DuckDB<br>Redshift<br>Oracle<br>MS SQL Server and Sybase<br>Postgres<br>MySQL and MariaDB<br>DB2<br>H2 and HSQLDB and Derby<br>SQLite | `SELECT`<br>`INSERT`, `UPDATE`, `UPSERT`, `MERGE`<br>`DELETE`, `TRUNCATE TABLE`<br>`CREATE ...`, `ALTER ....`, `DROP ...`<br>`WITH ...` |
+| PostgreSQL Row Level Security                                                                                   | `CREATE POLICY`<br>`ALTER TABLE ... ENABLE/DISABLE/FORCE/NO FORCE ROW LEVEL SECURITY`                                                  |
 | Salesforce SOQL                                                                                                 | `INCLUDES`, `EXCLUDES`                                                                                                                  |
 | Piped SQL (also known as FROM SQL)                                                                              |                                                                                                                                         |
 

src/main/java/net/sf/jsqlparser/statement/StatementVisitor.java

@@ -17,6 +17,7 @@
 import net.sf.jsqlparser.statement.analyze.Analyze;
 import net.sf.jsqlparser.statement.comment.Comment;
 import net.sf.jsqlparser.statement.create.index.CreateIndex;
+import net.sf.jsqlparser.statement.create.policy.CreatePolicy;
 import net.sf.jsqlparser.statement.create.schema.CreateSchema;
 import net.sf.jsqlparser.statement.create.sequence.CreateSequence;
 import net.sf.jsqlparser.statement.create.synonym.CreateSynonym;
@@ -351,4 +352,10 @@ default void visit(LockStatement lock) {
         this.visit(lock, null);
     }
 
+    <S> T visit(CreatePolicy createPolicy, S context);
+
+    default void visit(CreatePolicy createPolicy) {
+        this.visit(createPolicy, null);
+    }
+
 }

src/main/java/net/sf/jsqlparser/statement/StatementVisitorAdapter.java

@@ -21,6 +21,7 @@
 import net.sf.jsqlparser.statement.analyze.Analyze;
 import net.sf.jsqlparser.statement.comment.Comment;
 import net.sf.jsqlparser.statement.create.index.CreateIndex;
+import net.sf.jsqlparser.statement.create.policy.CreatePolicy;
 import net.sf.jsqlparser.statement.create.schema.CreateSchema;
 import net.sf.jsqlparser.statement.create.sequence.CreateSequence;
 import net.sf.jsqlparser.statement.create.synonym.CreateSynonym;
@@ -296,6 +297,12 @@ public <S> T visit(LockStatement lock, S context) {
         return null;
     }
 
+    @Override
+    public <S> T visit(CreatePolicy createPolicy, S context) {
+
+        return null;
+    }
+
     @Override
     public <S> T visit(SetStatement set, S context) {
 

src/main/java/net/sf/jsqlparser/statement/alter/AlterExpression.java

@@ -856,6 +856,14 @@ public String toString() {
         } else {
             if (operation == AlterOperation.COMMENT_WITH_EQUAL_SIGN) {
                 b.append("COMMENT =").append(" ");
+            } else if (operation == AlterOperation.ENABLE_ROW_LEVEL_SECURITY) {
+                b.append("ENABLE ROW LEVEL SECURITY").append(" ");
+            } else if (operation == AlterOperation.DISABLE_ROW_LEVEL_SECURITY) {
+                b.append("DISABLE ROW LEVEL SECURITY").append(" ");
+            } else if (operation == AlterOperation.FORCE_ROW_LEVEL_SECURITY) {
+                b.append("FORCE ROW LEVEL SECURITY").append(" ");
+            } else if (operation == AlterOperation.NO_FORCE_ROW_LEVEL_SECURITY) {
+                b.append("NO FORCE ROW LEVEL SECURITY").append(" ");
             } else {
                 b.append(operation).append(" ");
             }

src/main/java/net/sf/jsqlparser/statement/alter/AlterOperation.java

@@ -10,7 +10,7 @@
 package net.sf.jsqlparser.statement.alter;
 
 public enum AlterOperation {
-    ADD, ALTER, DROP, DROP_PRIMARY_KEY, DROP_UNIQUE, DROP_FOREIGN_KEY, MODIFY, CHANGE, CONVERT, COLLATE, ALGORITHM, RENAME, RENAME_TABLE, RENAME_INDEX, RENAME_KEY, RENAME_CONSTRAINT, COMMENT, COMMENT_WITH_EQUAL_SIGN, UNSPECIFIC, ADD_PARTITION, DROP_PARTITION, DISCARD_PARTITION, IMPORT_PARTITION, TRUNCATE_PARTITION, COALESCE_PARTITION, REORGANIZE_PARTITION, EXCHANGE_PARTITION, ANALYZE_PARTITION, CHECK_PARTITION, OPTIMIZE_PARTITION, REBUILD_PARTITION, REPAIR_PARTITION, REMOVE_PARTITIONING, PARTITION_BY, SET_TABLE_OPTION, ENGINE, FORCE, KEY_BLOCK_SIZE, LOCK, DISCARD_TABLESPACE, IMPORT_TABLESPACE, DISABLE_KEYS, ENABLE_KEYS;
+    ADD, ALTER, DROP, DROP_PRIMARY_KEY, DROP_UNIQUE, DROP_FOREIGN_KEY, MODIFY, CHANGE, CONVERT, COLLATE, ALGORITHM, RENAME, RENAME_TABLE, RENAME_INDEX, RENAME_KEY, RENAME_CONSTRAINT, COMMENT, COMMENT_WITH_EQUAL_SIGN, UNSPECIFIC, ADD_PARTITION, DROP_PARTITION, DISCARD_PARTITION, IMPORT_PARTITION, TRUNCATE_PARTITION, COALESCE_PARTITION, REORGANIZE_PARTITION, EXCHANGE_PARTITION, ANALYZE_PARTITION, CHECK_PARTITION, OPTIMIZE_PARTITION, REBUILD_PARTITION, REPAIR_PARTITION, REMOVE_PARTITIONING, PARTITION_BY, SET_TABLE_OPTION, ENGINE, FORCE, KEY_BLOCK_SIZE, LOCK, DISCARD_TABLESPACE, IMPORT_TABLESPACE, DISABLE_KEYS, ENABLE_KEYS, ENABLE_ROW_LEVEL_SECURITY, DISABLE_ROW_LEVEL_SECURITY, FORCE_ROW_LEVEL_SECURITY, NO_FORCE_ROW_LEVEL_SECURITY;
 
     public static AlterOperation from(String operation) {
         return Enum.valueOf(AlterOperation.class, operation.toUpperCase());

src/main/java/net/sf/jsqlparser/statement/create/policy/CreatePolicy.java

@@ -0,0 +1,131 @@
+/*-
+ * #%L
+ * JSQLParser library
+ * %%
+ * Copyright (C) 2004 - 2025 JSQLParser
+ * %%
+ * Dual licensed under GNU LGPL 2.1 or Apache License 2.0
+ * #L%
+ */
+package net.sf.jsqlparser.statement.create.policy;
+
+import net.sf.jsqlparser.expression.Expression;
+import net.sf.jsqlparser.schema.Table;
+import net.sf.jsqlparser.statement.Statement;
+import net.sf.jsqlparser.statement.StatementVisitor;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * PostgreSQL CREATE POLICY statement for Row Level Security (RLS).
+ *
+ * Syntax: CREATE POLICY name ON table_name [ FOR { ALL | SELECT | INSERT | UPDATE | DELETE } ] [ TO
+ * { role_name | PUBLIC | CURRENT_USER | SESSION_USER } [, ...] ] [ USING ( using_expression ) ] [
+ * WITH CHECK ( check_expression ) ]
+ */
+public class CreatePolicy implements Statement {
+
+    private String policyName;
+    private Table table;
+    private String command; // ALL, SELECT, INSERT, UPDATE, DELETE
+    private List<String> roles = new ArrayList<>();
+    private Expression usingExpression;
+    private Expression withCheckExpression;
+
+    public String getPolicyName() {
+        return policyName;
+    }
+
+    public CreatePolicy setPolicyName(String policyName) {
+        this.policyName = policyName;
+        return this;
+    }
+
+    public Table getTable() {
+        return table;
+    }
+
+    public CreatePolicy setTable(Table table) {
+        this.table = table;
+        return this;
+    }
+
+    public String getCommand() {
+        return command;
+    }
+
+    public CreatePolicy setCommand(String command) {
+        this.command = command;
+        return this;
+    }
+
+    public List<String> getRoles() {
+        return roles;
+    }
+
+    public CreatePolicy setRoles(List<String> roles) {
+        this.roles = roles;
+        return this;
+    }
+
+    public CreatePolicy addRole(String role) {
+        this.roles.add(role);
+        return this;
+    }
+
+    public Expression getUsingExpression() {
+        return usingExpression;
+    }
+
+    public CreatePolicy setUsingExpression(Expression usingExpression) {
+        this.usingExpression = usingExpression;
+        return this;
+    }
+
+    public Expression getWithCheckExpression() {
+        return withCheckExpression;
+    }
+
+    public CreatePolicy setWithCheckExpression(Expression withCheckExpression) {
+        this.withCheckExpression = withCheckExpression;
+        return this;
+    }
+
+    @Override
+    public <T, S> T accept(StatementVisitor<T> statementVisitor, S context) {
+        return statementVisitor.visit(this, context);
+    }
+
+    @Override
+    public String toString() {
+        StringBuilder builder = new StringBuilder("CREATE POLICY ");
+        builder.append(policyName);
+        builder.append(" ON ");
+        builder.append(table.toString());
+
+        if (command != null) {
+            builder.append(" FOR ").append(command);
+        }
+
+        if (roles != null && !roles.isEmpty()) {
+            builder.append(" TO ");
+            for (int i = 0; i < roles.size(); i++) {
+                if (i > 0) {
+                    builder.append(", ");
+                }
+                builder.append(roles.get(i));
+            }
+        }
+
+        if (usingExpression != null) {
+            builder.append(" USING (").append(usingExpression.toString()).append(")");
+        }
+
+        if (withCheckExpression != null) {
+            builder.append(" WITH CHECK (").append(withCheckExpression.toString()).append(")");
+        }
+
+        return builder.toString();
+    }
+}

src/main/java/net/sf/jsqlparser/util/TablesNamesFinder.java

@@ -90,6 +90,7 @@
 import net.sf.jsqlparser.statement.analyze.Analyze;
 import net.sf.jsqlparser.statement.comment.Comment;
 import net.sf.jsqlparser.statement.create.index.CreateIndex;
+import net.sf.jsqlparser.statement.create.policy.CreatePolicy;
 import net.sf.jsqlparser.statement.create.schema.CreateSchema;
 import net.sf.jsqlparser.statement.create.sequence.CreateSequence;
 import net.sf.jsqlparser.statement.create.synonym.CreateSynonym;
@@ -1845,4 +1846,28 @@ public <S> Void visit(LockStatement lock, S context) {
     public void visit(LockStatement lock) {
         StatementVisitor.super.visit(lock);
     }
+
+    @Override
+    public <S> Void visit(CreatePolicy createPolicy, S context) {
+        if (createPolicy.getTable() != null) {
+            visit(createPolicy.getTable(), context);
+        }
+
+        // Visit USING expression to find tables in subqueries
+        if (createPolicy.getUsingExpression() != null) {
+            createPolicy.getUsingExpression().accept(this, context);
+        }
+
+        // Visit WITH CHECK expression to find tables in subqueries
+        if (createPolicy.getWithCheckExpression() != null) {
+            createPolicy.getWithCheckExpression().accept(this, context);
+        }
+
+        return null;
+    }
+
+    @Override
+    public void visit(CreatePolicy createPolicy) {
+        StatementVisitor.super.visit(createPolicy);
+    }
 }

src/main/java/net/sf/jsqlparser/util/deparser/StatementDeParser.java

@@ -42,6 +42,7 @@
 import net.sf.jsqlparser.statement.analyze.Analyze;
 import net.sf.jsqlparser.statement.comment.Comment;
 import net.sf.jsqlparser.statement.create.index.CreateIndex;
+import net.sf.jsqlparser.statement.create.policy.CreatePolicy;
 import net.sf.jsqlparser.statement.create.schema.CreateSchema;
 import net.sf.jsqlparser.statement.create.sequence.CreateSequence;
 import net.sf.jsqlparser.statement.create.synonym.CreateSynonym;
@@ -520,4 +521,10 @@ public <S> StringBuilder visit(LockStatement lock, S context) {
         builder.append(lock.toString());
         return builder;
     }
+
+    @Override
+    public <S> StringBuilder visit(CreatePolicy createPolicy, S context) {
+        builder.append(createPolicy.toString());
+        return builder;
+    }
 }

src/main/java/net/sf/jsqlparser/util/validation/validator/StatementValidator.java

@@ -39,6 +39,7 @@
 import net.sf.jsqlparser.statement.comment.Comment;
 import net.sf.jsqlparser.statement.create.function.CreateFunction;
 import net.sf.jsqlparser.statement.create.index.CreateIndex;
+import net.sf.jsqlparser.statement.create.policy.CreatePolicy;
 import net.sf.jsqlparser.statement.create.procedure.CreateProcedure;
 import net.sf.jsqlparser.statement.create.schema.CreateSchema;
 import net.sf.jsqlparser.statement.create.sequence.CreateSequence;
@@ -589,4 +590,14 @@ public void visit(Import imprt) {
     public void visit(Export export) {
         visit(export, null);
     }
+
+    @Override
+    public <S> Void visit(CreatePolicy createPolicy, S context) {
+        // TODO: not yet implemented
+        return null;
+    }
+
+    public void visit(CreatePolicy createPolicy) {
+        visit(createPolicy, null);
+    }
 }