Merge #143391

craig[bot] · Dedej-Bergin · craig[bot] · commit 8e44ad44f8ce · 2025-03-26T13:58:12.000Z
143391: sql/delegate: rename policy_statements to rls_statements r=Dedej-Bergin a=Dedej-Bergin This commit renames the `policy_statements` column to `rls_statements` in the `crdb_internal.create_statements` table to be more consistent with the naming convention used elsewhere in the codebase. We no longer store the row level security statements in the `create_statement` column. This change also moves rls alter statements into the `rls_statements` column. Fixes: #141932 Epic: CRDB-11724 Release note: None Co-authored-by: Bergin Dedej <bergin.dedej@cockroachlabs.com>
diff --git a/pkg/ccl/logictestccl/testdata/logic_test/crdb_internal_tenant b/pkg/ccl/logictestccl/testdata/logic_test/crdb_internal_tenant
@@ -190,7 +190,7 @@ function  signature  category  details  schema  oid
 query ITTITTTTTTTTTBBBB colnames
 SELECT * FROM crdb_internal.create_statements WHERE database_name = ''
 ----
-database_id  database_name  schema_name  descriptor_id  descriptor_type  descriptor_name  create_statement  state  create_nofks  policy_statements  alter_statements  validate_statements  create_redactable  has_partitions  is_multi_region  is_virtual  is_temporary
+database_id  database_name  schema_name  descriptor_id  descriptor_type  descriptor_name  create_statement  state  create_nofks  rls_statements  alter_statements  validate_statements  create_redactable  has_partitions  is_multi_region  is_virtual  is_temporary
 
 query ITITTBTB colnames
 SELECT * FROM crdb_internal.table_columns WHERE descriptor_name = ''
diff --git a/pkg/ccl/logictestccl/testdata/logic_test/partitioning b/pkg/ccl/logictestccl/testdata/logic_test/partitioning
@@ -411,6 +411,46 @@ ok1  CREATE TABLE public.ok1 (
      )
      -- Warning: Partitioned table with no zone configurations.
 
+subtest partition_with_rls
+
+statement ok
+set enable_row_level_security=on;
+
+statement ok
+ALTER TABLE ok1 ENABLE ROW LEVEL SECURITY;
+
+statement ok
+CREATE POLICY test_policy ON ok1 FOR SELECT USING (true);
+
+query TT
+SHOW CREATE TABLE ok1
+----
+ok1  CREATE TABLE public.ok1 (
+       a INT8 NOT NULL,
+       b INT8 NOT NULL,
+       c INT8 NULL,
+       CONSTRAINT ok1_pkey PRIMARY KEY (a ASC, b ASC)
+     ) PARTITION BY LIST (a) (
+       PARTITION p1 VALUES IN ((1)),
+       PARTITION p2 VALUES IN ((2))
+     )
+     -- Warning: Partitioned table with no zone configurations.
+     ;
+     ALTER TABLE public.ok1 ENABLE ROW LEVEL SECURITY;
+     CREATE POLICY test_policy ON public.ok1 AS PERMISSIVE FOR SELECT TO public USING (true)
+
+# Clean up by dropping the policy and table after testing
+statement ok
+DROP POLICY test_policy ON ok1;
+
+statement ok
+ALTER TABLE ok1 DISABLE ROW LEVEL SECURITY;
+
+statement ok
+set enable_row_level_security=off;
+
+subtest end
+
 query T
 SELECT feature_name FROM crdb_internal.feature_usage WHERE feature_name='sql.show.create' AND usage_count > 0
 ----
diff --git a/pkg/sql/crdb_internal.go b/pkg/sql/crdb_internal.go
@@ -3959,7 +3959,7 @@ CREATE TABLE crdb_internal.create_statements (
   create_statement              STRING NOT NULL,
   state                         STRING NOT NULL,
   create_nofks                  STRING NOT NULL,
-  policy_statements             STRING[] NOT NULL,
+  rls_statements                STRING[] NOT NULL,
   alter_statements              STRING[] NOT NULL,
   validate_statements           STRING[] NOT NULL,
   create_redactable             STRING NOT NULL,
@@ -3984,7 +3984,7 @@ CREATE TABLE crdb_internal.create_statements (
 		var descType tree.Datum
 		var stmt, createNofk, createRedactable string
 		alterStmts := tree.NewDArray(types.String)
-		policyStmts := tree.NewDArray(types.String)
+		rlsStmts := tree.NewDArray(types.String)
 		validateStmts := tree.NewDArray(types.String)
 		namePrefix := tree.ObjectNamePrefix{SchemaName: tree.Name(sc.GetName()), ExplicitSchema: true}
 		name := tree.MakeTableNameFromPrefix(namePrefix, tree.Name(table.GetName()))
@@ -4007,8 +4007,7 @@ CREATE TABLE crdb_internal.create_statements (
 		} else {
 			descType = typeTable
 			displayOptions := ShowCreateDisplayOptions{
-				FKDisplayMode:       OmitFKClausesFromCreate,
-				IgnoreRLSStatements: true,
+				FKDisplayMode: OmitFKClausesFromCreate,
 			}
 			createNofk, err = ShowCreateTable(ctx, p, &name, contextName, table, lookup, displayOptions)
 			if err != nil {
@@ -4019,12 +4018,12 @@ CREATE TABLE crdb_internal.create_statements (
 				return err
 			}
 
-			if err = showPolicyStatements(ctx, &name, table, p.EvalContext(), &p.semaCtx, p.SessionData(), policyStmts); err != nil {
+			if err = showRowLevelSecurityStatements(ctx, &name, table, p.EvalContext(), &p.semaCtx, p.SessionData(), rlsStmts); err != nil {
 				return err
 			}
 
 			displayOptions.FKDisplayMode = IncludeFkClausesInCreate
-			displayOptions.IgnoreRLSStatements = false
+
 			stmt, err = ShowCreateTable(ctx, p, &name, contextName, table, lookup, displayOptions)
 			if err != nil {
 				return err
@@ -4056,7 +4055,7 @@ CREATE TABLE crdb_internal.create_statements (
 			tree.NewDString(stmt),
 			tree.NewDString(table.GetState().String()),
 			tree.NewDString(createNofk),
-			policyStmts,
+			rlsStmts,
 			alterStmts,
 			validateStmts,
 			tree.NewDString(createRedactable),
@@ -4068,21 +4067,31 @@ CREATE TABLE crdb_internal.create_statements (
 	},
 	nil)
 
-// showPolicyStatements adds the RLS policy statements to the policy_statements column.
-func showPolicyStatements(
+// showRowLevelSecurityStatements adds the RLS policy statements to the rls_statements column.
+func showRowLevelSecurityStatements(
 	ctx context.Context,
 	tn *tree.TableName,
 	table catalog.TableDescriptor,
 	evalCtx *eval.Context,
 	semaCtx *tree.SemaContext,
 	sessionData *sessiondata.SessionData,
-	policyStmts *tree.DArray,
+	rlsStmts *tree.DArray,
 ) error {
+	// Add the row level security ALTER statements to the rls_statements column.
+	if alterRLSStatements, err := showRLSAlterStatement(tn, table, false); err != nil {
+		return err
+	} else if len(alterRLSStatements) != 0 {
+		if err = rlsStmts.Append(tree.NewDString(alterRLSStatements)); err != nil {
+			return err
+		}
+	}
+
+	// Add the row level security policy statements to the rls_statements column.
 	for _, policy := range table.GetPolicies() {
 		if policyStatement, err := showPolicyStatement(ctx, tn, table, evalCtx, semaCtx, sessionData, policy, false); err != nil {
 			return err
 		} else if len(policyStatement) != 0 {
-			if err := policyStmts.Append(tree.NewDString(policyStatement)); err != nil {
+			if err := rlsStmts.Append(tree.NewDString(policyStatement)); err != nil {
 				return err
 			}
 		}
@@ -4135,15 +4144,6 @@ func showAlterStatement(
 		}
 	}
 
-	// Add the row level security ALTER statements to the alter_statements column.
-	if alterRLSStatements, err := showRLSAlterStatement(tn, table, false); err != nil {
-		return err
-	} else if len(alterRLSStatements) != 0 {
-		if err = alterStmts.Append(tree.NewDString(alterRLSStatements)); err != nil {
-			return err
-		}
-	}
-
 	return nil
 }
 
diff --git a/pkg/sql/delegate/show_table.go b/pkg/sql/delegate/show_table.go
@@ -92,6 +92,11 @@ SELECT
           THEN NULL
 				ELSE
 					e'\n-- Warning: Partitioned table with no zone configurations.\n'
+        END,
+        CASE
+            WHEN array_length(rls_statements, 1) > 0 THEN
+                concat(e';\n', array_to_string(rls_statements, e';\n'))
+            ELSE NULL
         END
     ) AS create_statement
 FROM
@@ -253,7 +258,7 @@ func (d *delegator) delegateShowConstraints(n *tree.ShowConstraints) (tree.State
 	obj_description(c.oid) AS comment`
 	}
 	getConstraintsQuery += `
-FROM
+	FROM
        %[4]s.pg_catalog.pg_class t,
        %[4]s.pg_catalog.pg_namespace n,
        %[4]s.pg_catalog.pg_constraint c
diff --git a/pkg/sql/logictest/testdata/logic_test/crdb_internal b/pkg/sql/logictest/testdata/logic_test/crdb_internal
@@ -377,7 +377,7 @@ function  signature  category  details  schema  oid
 query ITTITTTTTTTTTBBBB colnames
 SELECT * FROM crdb_internal.create_statements WHERE database_name = ''
 ----
-database_id  database_name  schema_name  descriptor_id  descriptor_type  descriptor_name  create_statement  state  create_nofks  policy_statements  alter_statements  validate_statements  create_redactable  has_partitions  is_multi_region  is_virtual  is_temporary
+database_id  database_name  schema_name  descriptor_id  descriptor_type  descriptor_name  create_statement  state  create_nofks  rls_statements  alter_statements  validate_statements  create_redactable  has_partitions  is_multi_region  is_virtual  is_temporary
 
 query ITITTBTB colnames
 SELECT * FROM crdb_internal.table_columns WHERE descriptor_name = ''
diff --git a/pkg/sql/logictest/testdata/logic_test/row_level_security b/pkg/sql/logictest/testdata/logic_test/row_level_security
@@ -644,11 +644,10 @@ CREATE TABLE public.flying_roaches (
   rowid INT8 NOT VISIBLE NOT NULL DEFAULT unique_rowid(),
   CONSTRAINT flying_roaches_pkey PRIMARY KEY (rowid ASC),
   CONSTRAINT "check" CHECK ('flying':::public.roach_type = 'crawling':::public.roach_type)
-);
-CREATE POLICY p1 ON public.flying_roaches AS PERMISSIVE FOR ALL TO public USING ('flying':::public.roach_type = 'crawling':::public.roach_type)
+)
 
 query T
-select policy_statements from crdb_internal.create_statements where descriptor_name='flying_roaches'
+select rls_statements from crdb_internal.create_statements where descriptor_name='flying_roaches'
 ----
 {"CREATE POLICY p1 ON public.flying_roaches AS PERMISSIVE FOR ALL TO public USING ('flying':::public.roach_type = 'crawling':::public.roach_type)"}
 
@@ -767,21 +766,15 @@ select create_statement from crdb_internal.create_statements where descriptor_na
 CREATE TABLE public.roaches (
   rowid INT8 NOT VISIBLE NOT NULL DEFAULT unique_rowid(),
   CONSTRAINT roaches_pkey PRIMARY KEY (rowid ASC)
-);
-ALTER TABLE public.roaches ENABLE ROW LEVEL SECURITY, FORCE ROW LEVEL SECURITY
-
-query TT
-select policy_statements, create_nofks from crdb_internal.create_statements where descriptor_name='roaches'
-----
-{}  CREATE TABLE public.roaches (
-      rowid INT8 NOT VISIBLE NOT NULL DEFAULT unique_rowid(),
-      CONSTRAINT roaches_pkey PRIMARY KEY (rowid ASC)
-    )
+)
 
-query T
-select alter_statements from crdb_internal.create_statements where descriptor_name='roaches'
+query TTT
+select rls_statements, alter_statements, create_nofks from crdb_internal.create_statements where descriptor_name='roaches'
 ----
-{"ALTER TABLE public.roaches ENABLE ROW LEVEL SECURITY, FORCE ROW LEVEL SECURITY"}
+{"ALTER TABLE public.roaches ENABLE ROW LEVEL SECURITY, FORCE ROW LEVEL SECURITY"}  {}  CREATE TABLE public.roaches (
+                                                                                          rowid INT8 NOT VISIBLE NOT NULL DEFAULT unique_rowid(),
+                                                                                          CONSTRAINT roaches_pkey PRIMARY KEY (rowid ASC)
+                                                                                        )
 
 statement ok
 ALTER TABLE roaches DISABLE ROW LEVEL SECURITY, NO FORCE ROW LEVEL SECURITY;
@@ -795,15 +788,7 @@ roaches  CREATE TABLE public.roaches (
          )
 
 query T
-select create_statement from crdb_internal.create_statements where descriptor_name='roaches'
-----
-CREATE TABLE public.roaches (
-  rowid INT8 NOT VISIBLE NOT NULL DEFAULT unique_rowid(),
-  CONSTRAINT roaches_pkey PRIMARY KEY (rowid ASC)
-)
-
-query T
-select policy_statements from crdb_internal.create_statements where descriptor_name='roaches'
+select rls_statements from crdb_internal.create_statements where descriptor_name='roaches'
 ----
 {}
 
diff --git a/pkg/sql/logictest/testdata/logic_test/sequences b/pkg/sql/logictest/testdata/logic_test/sequences
@@ -136,8 +136,8 @@ CREATE SEQUENCE show_create_test
 query ITTITTTTTTTTTBBBB colnames
 SELECT * FROM crdb_internal.create_statements WHERE descriptor_name = 'show_create_test'
 ----
-database_id  database_name  schema_name  descriptor_id  descriptor_type  descriptor_name   create_statement                                                                                     state   create_nofks                                                                                         policy_statements  alter_statements  validate_statements  create_redactable                                                                                    has_partitions  is_multi_region  is_virtual  is_temporary
-104          test           public       111            sequence         show_create_test  CREATE SEQUENCE public.show_create_test MINVALUE 1 MAXVALUE 9223372036854775807 INCREMENT 1 START 1  PUBLIC  CREATE SEQUENCE public.show_create_test MINVALUE 1 MAXVALUE 9223372036854775807 INCREMENT 1 START 1  {}                 {}                {}                   CREATE SEQUENCE public.show_create_test MINVALUE 1 MAXVALUE 9223372036854775807 INCREMENT 1 START 1  false           false            false       false
+database_id  database_name  schema_name  descriptor_id  descriptor_type  descriptor_name   create_statement                                                                                     state   create_nofks                                                                                         rls_statements  alter_statements  validate_statements  create_redactable                                                                                    has_partitions  is_multi_region  is_virtual  is_temporary
+104          test           public       111            sequence         show_create_test  CREATE SEQUENCE public.show_create_test MINVALUE 1 MAXVALUE 9223372036854775807 INCREMENT 1 START 1  PUBLIC  CREATE SEQUENCE public.show_create_test MINVALUE 1 MAXVALUE 9223372036854775807 INCREMENT 1 START 1  {}              {}                {}                   CREATE SEQUENCE public.show_create_test MINVALUE 1 MAXVALUE 9223372036854775807 INCREMENT 1 START 1  false           false            false       false
 
 query TT colnames
 SHOW CREATE SEQUENCE show_create_test
diff --git a/pkg/sql/show_create.go b/pkg/sql/show_create.go
@@ -57,9 +57,6 @@ type ShowCreateDisplayOptions struct {
 	// RedactableValues causes all constants, literals, and other user-provided
 	// values to be surrounded with redaction markers.
 	RedactableValues bool
-	// IgnoreRLSStatements causes all row level security related statements to
-	// not show up in the SHOW CREATE TABLE output.
-	IgnoreRLSStatements bool
 }
 
 // ShowCreateTable returns a valid SQL representation of the CREATE
@@ -201,24 +198,6 @@ func ShowCreateTable(
 		return "", err
 	}
 
-	if !displayOptions.IgnoreRLSStatements {
-		if alterRLSStatements, err := showRLSAlterStatement(tn, desc, true); err != nil {
-			return "", err
-		} else {
-			buf := &f.Buffer
-			buf.WriteString(alterRLSStatements)
-		}
-
-		for _, policyDesc := range desc.GetPolicies() {
-			if policyStatements, err := showPolicyStatement(ctx, tn, desc, p.EvalContext(), &p.semaCtx, p.SessionData(), policyDesc, true); err != nil {
-				return "", err
-			} else {
-				buf := &f.Buffer
-				buf.WriteString(policyStatements)
-			}
-		}
-	}
-
 	if !displayOptions.IgnoreComments {
 		if err := showComments(tn, desc, selectComment(ctx, p, desc.GetID()), &f.Buffer); err != nil {
 			return "", err
