feat: add PostgreSQL Row Level Security (RLS) support #2345
+822
−10
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add support for PostgreSQL Row Level Security statements: - CREATE POLICY with full syntax (FOR, TO, USING, WITH CHECK clauses) - ALTER TABLE ENABLE/DISABLE/FORCE/NO FORCE ROW LEVEL SECURITY Changes: - New CreatePolicy AST class for CREATE POLICY statements - Added RLS operations to AlterOperation enum - Updated grammar with POLICY, LEVEL, SECURITY keywords - Fixed grammar conflicts with LOOKAHEAD directives - Updated all visitor interfaces and implementations - Added comprehensive unit tests (19 tests, 100% passing) - Updated README.md with new features All code quality checks passing: - CheckStyle: 0 violations - PMD: passed
Contributor
|
Greetings! First of all: Thank you much for your interest, time and effort. It is much appreciated. You will need to fix the tests please. |
Contributor
Author
Contributor
Hi @manticore-projects, |
Fixed parser failures when parsing PostgreSQL Row Level Security (RLS) statements by reordering grammar alternatives to check more specific patterns before less specific ones. Problem: - ALTER TABLE ... ENABLE/DISABLE ROW LEVEL SECURITY failed to parse - Parser was incorrectly choosing ENABLE/DISABLE KEYS path first - Grammar warning about WITH keyword conflict in CREATE POLICY Solution: 1. Reordered ENABLE alternatives: ENABLE ROW LEVEL SECURITY now checked before ENABLE KEYS (lines 9674-9684) 2. Reordered DISABLE alternatives: DISABLE ROW LEVEL SECURITY now checked before DISABLE KEYS (lines 9661-9671) 3. Added LOOKAHEAD(2) to WITH CHECK clause in CREATE POLICY to resolve conflict with CTEs (line 10470) Impact: - All 19 existing RLS tests pass (8 AlterRowLevelSecurityTest, 11 CreatePolicyTest) - WITH keyword conflict warning eliminated - Parser can now handle real-world SQL migration files with RLS statements - No regressions in existing functionality Technical Note: In JavaCC, when multiple alternatives share a common prefix (like ENABLE), the more specific pattern (longer token sequence) must appear FIRST in the grammar to be matched correctly. LOOKAHEAD values help disambiguate, but ordering is critical for correct parsing.
Added K_LEVEL, K_POLICY, and K_SECURITY tokens to RelObjectNameWithoutStart() production to allow these keywords to be used as column aliases in addition to table/column names. This resolves the conflict where RLS keywords were breaking Oracle hierarchical queries and keywords-as-identifiers tests. The fix maintains RLS functionality while allowing these keywords to work in all SQL contexts including aliases (e.g., SELECT col AS level).
After running `./gradlew updateKeywords`, the task automatically added LEVEL, POLICY, and SECURITY keywords to RelObjectNameWithoutValue() in alphabetical order (line 3275). Removed redundant manual additions from RelObjectName() and RelObjectNameWithoutStart() that were causing unreachable statement compilation errors. The keywords are now properly maintained in the canonical location (RelObjectNameWithoutValue) and will work as identifiers in all contexts. Tests: All 4154 tests passing
Add expression visitor calls to traverse USING and WITH CHECK clauses, enabling discovery of all table references in subqueries. This completes the TablesNamesFinder visitor implementation for CREATE POLICY statements by following the same pattern used in Update, Delete, and PlainSelect statements. Includes comprehensive test coverage (12 tests) covering simple subqueries, nested subqueries, CTEs, JOINs, and edge cases.
Contributor
|
Thank you for your contribution! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds support for PostgreSQL Row Level Security (RLS) statements to JSQLParser.
Features Added
CREATE POLICY statement with full PostgreSQL syntax:
FORclause (ALL, SELECT, INSERT, UPDATE, DELETE)TOclause for role assignment (single or multiple roles)USINGclause for row visibilityWITH CHECKclause for row modification constraintsALTER TABLE RLS operations:
ALTER TABLE ... ENABLE ROW LEVEL SECURITYALTER TABLE ... DISABLE ROW LEVEL SECURITYALTER TABLE ... FORCE ROW LEVEL SECURITYALTER TABLE ... NO FORCE ROW LEVEL SECURITYImplementation Details
CreatePolicyAST class innet.sf.jsqlparser.statement.create.policyAlterOperationenum values for RLS operationsAlterExpression.toString()to properly deparse RLS operationsK_POLICY,K_LEVEL,K_SECURITYTesting
assertSqlCanBeParsedAndDeparsed()as requiredCode Quality
Documentation
Example Usage
This implementation follows the JSQLParser contribution guidelines and is ready for review.