Skip to content

Add ENABLE_ROW_SECURITY setting for PostgreSQL connectors to support row-level security policies #624

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Aug 22, 2025
Merged

Add ENABLE_ROW_SECURITY setting for PostgreSQL connectors to support row-level security policies #624

merged 3 commits into from
Aug 22, 2025

Conversation

Copy link
Contributor

Copilot AI commented Aug 22, 2025
edited
Loading

This PR adds support for PostgreSQL databases that have row-level security (RLS) policies enabled by introducing a new ENABLE_ROW_SECURITY setting for PostgreSQL connectors.

Problem

When attempting to backup PostgreSQL databases with row-level security policies, pg_dump fails with:

pg_dump: error: query failed: ERROR: query would be affected by row-level security policy for table_
HINT: To disable the policy for the table's owner, use ALTER TABLE NO FORCE ROW LEVEL SECURITY

This occurs because pg_dump by default respects row-level security policies, which can prevent it from dumping all data in tables that have RLS enabled.

Solution

Added a new ENABLE_ROW_SECURITY setting (default: False) that adds the --enable-row-security flag to pg_dump commands when enabled. This flag tells pg_dump to dump data even when row-level security policies are active.

Changes

  • Added enable_row_security attribute to both PgDumpConnector and PgDumpBinaryConnector classes
  • Modified _create_dump() methods to include --enable-row-security flag when the setting is enabled
  • Added comprehensive test coverage for both connector classes
  • Updated documentation with setting description and usage example
  • Added changelog entries for the new feature

Usage

DBBACKUP_CONNECTORS = {
    'default': {
        'ENABLE_ROW_SECURITY': True
    }
}

Backward Compatibility

This change is fully backward compatible. The default value is False, so existing configurations will continue to work exactly as before. Users only need to opt-in to the new behavior when they have databases with row-level security policies.

Fixes #496.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI and others added 2 commits August 22, 2025 08:25
@Archmonger
Add enable_row_security setting for PostgreSQL connectors
51f17df 
Co-authored-by: Archmonger <16909269+Archmonger@users.noreply.github.com>
@Archmonger
Add changelog entry for row security feature
1b395cf 
Co-authored-by: Archmonger <16909269+Archmonger@users.noreply.github.com>
Copilot AI changed the title [WIP] pg_dump error: Query would be affected by row-level security policy Add ENABLE_ROW_SECURITY setting for PostgreSQL connectors to support row-level security policies Aug 22, 2025
Copilot AI requested a review from Archmonger August 22, 2025 08:27
Copilot finished work on behalf of Archmonger August 22, 2025 08:28
@Archmonger Archmonger requested a review from Copilot August 22, 2025 08:29
Copilot AI reviewed Aug 22, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for PostgreSQL databases with row-level security (RLS) policies by introducing a new ENABLE_ROW_SECURITY setting for PostgreSQL connectors. The setting allows pg_dump to bypass RLS policies during backup operations.

Key changes:

  • Added enable_row_security attribute to PostgreSQL connector classes with default value False
  • Modified dump creation methods to include --enable-row-security flag when enabled
  • Added comprehensive test coverage for the new functionality

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File Description
dbbackup/db/postgresql.py Added enable_row_security attribute and flag logic to both PgDumpConnector and PgDumpBinaryConnector classes
tests/test_connectors/test_postgresql.py Added test methods to verify the --enable-row-security flag is correctly included/excluded based on setting
docs/src/databases.md Updated documentation with new setting description and usage example
CHANGELOG.md Added changelog entries for the new feature and bug fix

@Archmonger Archmonger marked this pull request as ready for review August 22, 2025 08:37
@Archmonger Archmonger merged commit af665e7 into master Aug 22, 2025
57 checks passed
@Archmonger Archmonger deleted the copilot/fix-496 branch August 22, 2025 08:43
Archmonger added a commit that referenced this pull request Aug 23, 2025
@Archmonger
Revert "Add ENABLE_ROW_SECURITY setting for PostgreSQL connectors to …
cfcf3c0 
…support row-level security policies (#624)"

This reverts commit af665e7.
@Archmonger Archmonger mentioned this pull request Aug 23, 2025
Merged
4 tasks
Archmonger added a commit that referenced this pull request Aug 23, 2025
@Archmonger
Revert #624 (#628)
3ffc74e 
This reverts commit af665e7.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@Archmonger Archmonger Awaiting requested review from Archmonger

Assignees

@Archmonger Archmonger

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

pg_dump error: Query would be affected by row-level security policy

2 participants

@Archmonger