Inconsistent Behavior With PostgreSQL Triggers And Row Level Security Based On Number Of Inserts

September 30, 2025 by StackCamp Team 97 views

Bug #18782: Inconsistent Behavior with Triggers and Row Level Security - Depends on Prior Number of Inserts

Hey guys! Today, we're diving deep into a fascinating and somewhat perplexing bug reported in PostgreSQL. This bug, identified as #18782, highlights an inconsistency in how triggers interact with row-level security (RLS), and it's all tied to the number of inserts previously made into a table. Let's break it down in a way that's super easy to understand and maybe even a little fun, alright?

Understanding the Core Issue

The main issue reported revolves around the fact that a trigger, which is designed to call RLS and potentially throw an exception, doesn't always behave as expected. The expectation is straightforward: if the RLS policy dictates an exception should be thrown, then an exception should always be thrown. However, the observed behavior is a bit trickier. Initially, right after a table is created, the trigger correctly throws an exception when the RLS policy is violated. But, after a certain number of inserts (specifically, six or more in the reported cases), the trigger mysteriously stops throwing exceptions, even when the RLS policy should be triggered. This inconsistency is what we're here to unpack.

The problem arises when triggers interact with row-level security policies in PostgreSQL. RLS is a powerful feature that allows you to control which rows in a table a user can access or modify based on certain conditions. Think of it as a gatekeeper for your data. Triggers, on the other hand, are special functions that automatically execute in response to certain events on a table, like inserts, updates, or deletes. The interaction between these two is usually seamless, but in this case, we've got a snag.

The core problem is the inconsistent behavior when an RLS policy should throw an exception within a trigger. The expectation is that the exception should always be thrown but after a few inserts, this behavior changes. This can lead to serious security vulnerabilities and data integrity issues if not addressed properly. This is not just a minor inconvenience; it's a significant issue that could potentially compromise the security of your data.Imagine building a complex application where you rely on RLS to protect sensitive information. If the RLS policies aren't consistently enforced, you could inadvertently expose data to unauthorized users. That's why understanding and resolving this bug is paramount.

Setting the Stage: Tables and Permissions

To illustrate the issue, two tables are created: no_rls_table and rls_table. The goal is to prevent duplicate values in the should_not_duplicate column across these tables.

no_rls_table: This table has no RLS applied, and the application user (app_user) has full permissions on it.
rls_table: This table has RLS enabled, which checks the team_id column (a UUID type) against a setting called team.team_id. If team.team_id is missing, the RLS is expected to throw an exception because an empty string cannot be converted to a UUID.

The Trigger's Role

A trigger is added to no_rls_table. This trigger is designed to check, before every insert, if the value being inserted already exists in rls_table. If it does, the trigger should raise an exception, preventing the insert. The idea here is to maintain uniqueness across both tables.

The Initial Expectations

As expected, inserting into no_rls_table works correctly when team.team_id is set using SET LOCAL team.team_id = '6a43cea8-4a5c-4989-bae2-ef5a77d92620'. This confirms the basic setup is functioning.
Again, as anticipated, inserting into no_rls_table fails with an exception if team.team_id is not set. This is because the RLS policy on rls_table should throw an exception when it tries to convert an empty string to a UUID.

The Plot Twist: Inconsistent Behavior

Here's where things get interesting. After performing a series of inserts (six or more) into no_rls_table, the behavior changes.

If you then attempt to insert into no_rls_table without setting team.team_id, you'd expect the same exception as before. But, surprisingly, the insert completes without any exceptions being thrown. This is the core of the bug and the unexpected behavior we're investigating.

This inconsistency suggests that the RLS policy isn't consistently being enforced within the trigger context. It's as if the RLS check is bypassed or cached somehow after a certain number of operations, which is definitely not the intended behavior.

Why This Matters

The inconsistency in RLS enforcement can lead to serious security and data integrity issues. Imagine scenarios where you rely on RLS to ensure that users can only access data relevant to their team or role. If RLS is not consistently applied, sensitive data could be exposed, leading to potential breaches and compliance violations.

Moreover, the unexpected behavior can make debugging and troubleshooting extremely difficult. If you're relying on exceptions to catch and handle errors, the fact that they disappear after a few inserts can mask underlying issues and lead to data corruption or application failures.

Diving Deeper into the Code

To truly understand this bug, let's dissect the code provided in the bug report. This will give us a clear picture of how the tables, policies, and triggers are set up, and where the potential issues might lie.

Setting Up the User and Tables

The code starts by creating a less privileged user, app_user, which simulates a typical application user. This is a good practice for security, as it limits the user's privileges to only what is necessary.

-- Create less privileged user
CREATE USER app_user;

Next, two tables are created:

no_rls_table: This table has no row-level security and includes an id (primary key) and a should_not_duplicate column.
rls_table: This table includes row-level security, with columns for id, team_id, and should_not_duplicate. The team_id is a UUID, which is crucial for the RLS policy.

-- Create table which has no Row level security and give necessary
-- permissions to app user
CREATE TABLE no_rls_table
(
 id BIGSERIAL PRIMARY KEY,
 should_not_duplicate uuid
);
GRANT SELECT, INSERT, DELETE ON TABLE no_rls_table to app_user;
GRANT USAGE, SELECT ON SEQUENCE no_rls_table_id_seq to app_user;

-- Create table which has row level security based on local settings
(team.team_id)
CREATE TABLE rls_table
(
 id BIGSERIAL PRIMARY KEY,
 team_id uuid,
 should_not_duplicate uuid
);
GRANT SELECT, INSERT, DELETE ON TABLE rls_table to app_user;
GRANT USAGE, SELECT ON SEQUENCE rls_table_id_seq to app_user;

The GRANT statements ensure that app_user has the necessary permissions to interact with these tables.

Implementing Row Level Security

Now, let's look at the RLS policy created for rls_table:

CREATE POLICY rls_table_policy
ON rls_table
TO app_user
USING (
 team_id = current_setting('team.team_id') :: uuid
)
WITH CHECK (
 team_id = current_setting('team.team_id') :: uuid
);

ALTER TABLE rls_table ENABLE ROW LEVEL SECURITY;

This policy, rls_table_policy, is applied to rls_table and grants access to app_user only if the team_id matches the current_setting('team.team_id') converted to a UUID. The USING and WITH CHECK clauses ensure that both read and write operations adhere to this policy. If team.team_id is not set, current_setting returns an empty string, and the attempt to cast it to a UUID should raise an exception.

The Trigger Function

The heart of the issue lies in the trigger function, ensure_not_duplicated_on_rls_table():

CREATE OR REPLACE FUNCTION ensure_not_duplicated_on_rls_table() RETURNS
TRIGGER AS
$
BEGIN
 IF EXISTS (
 SELECT 1
 FROM rls_table
 WHERE rls_table.should_not_duplicate =
 NEW.should_not_duplicate
 )
 THEN
 RAISE EXCEPTION 'This value should not be duplicated between the
 two tables';
 END IF;

 RETURN NEW;
END;
$ LANGUAGE plpgsql;

CREATE TRIGGER check_not_duplicated_on_rls_table
BEFORE INSERT OR UPDATE ON no_rls_table
FOR EACH ROW
EXECUTE PROCEDURE ensure_not_duplicated_on_rls_table();

This function is triggered before each insert or update on no_rls_table. It checks if the should_not_duplicate value already exists in rls_table. If it does, an exception is raised. This trigger aims to prevent duplication across the two tables.

Demonstrating the Bug

The code then demonstrates the inconsistent behavior through a series of steps:

Successful Insert: An insert into no_rls_table is performed with team.team_id set correctly. This works as expected.

BEGIN;
SET ROLE app_user;
SET LOCAL team.team_id = '6a43cea8-4a5c-4989-bae2-ef5a77d92620';
INSERT INTO no_rls_table (should_not_duplicate) VALUES (
gen_random_uuid());
COMMIT;

Expected Failure: An attempt to insert into no_rls_table without setting team.team_id results in an exception, as the RLS policy should prevent the operation due to the UUID conversion failure. This also works as expected initially.
```
BEGIN;
SET ROLE app_user;
-- This command will fail with an exception `[22P02] ERROR: invalid input
-- syntax for type uuid: ""`
INSERT INTO no_rls_table (should_not_duplicate) VALUES (
gen_random_uuid());
COMMIT;
```

Multiple Inserts: Several inserts are performed into no_rls_table with team.team_id set correctly. These inserts are intended to trigger the bug.

BEGIN;
SET ROLE app_user;
SET LOCAL team.team_id = '6a43cea8-4a5c-4989-bae2-ef5a77d92620';
INSERT INTO no_rls_table (should_not_duplicate) VALUES (
gen_random_uuid());
INSERT INTO no_rls_table (should_not_duplicate) VALUES (
gen_random_uuid());
INSERT INTO no_rls_table (should_not_duplicate) VALUES (
gen_random_uuid());
INSERT INTO no_rls_table (should_not_duplicate) VALUES (
gen_random_uuid());
INSERT INTO no_rls_table (should_not_duplicate) VALUES (
gen_random_uuid());
INSERT INTO no_rls_table (should_not_duplicate) VALUES (
gen_random_uuid());
COMMIT;

Unexpected Success: Finally, an attempt to insert into no_rls_table without setting team.team_id succeeds, which is the unexpected and buggy behavior. The RLS policy should have prevented this, but it doesn't.
```
BEGIN;
SET ROLE app_user;
INSERT INTO no_rls_table (should_not_duplicate) VALUES (
gen_random_uuid());
COMMIT;
```

Cleaning Up

The code concludes with cleanup operations, dropping the tables and resetting the role.

-- Cleanup Phase
RESET ROLE;
DROP TABLE rls_table;
DROP TABLE no_rls_table;

Possible Causes and What's Next

So, what could be causing this bizarre behavior? Here are a few educated guesses:

Caching Issues: PostgreSQL might be caching the result of the current_setting('team.team_id') call or the RLS policy itself. After a few inserts, the cached value might be used instead of re-evaluating the setting, leading to the incorrect behavior.
Transaction Context: The behavior might be related to how transactions are handled. The initial inserts might be altering the transaction context in a way that affects subsequent RLS checks.
Trigger Execution Order: There could be an issue with the order in which triggers and RLS policies are executed. Under certain conditions, the trigger might be bypassing the RLS check.

This bug was reported on PostgreSQL versions 14.5, 16.6, and 17.2, indicating it's not a recent regression but a persistent issue across multiple versions. This makes it even more critical to address.

What's the Solution?

Unfortunately, there's no simple workaround for this issue. The best course of action is to avoid relying on this specific interaction between triggers and RLS until a fix is available. Here are a few strategies you might consider:

Re-evaluate your design: If possible, try to achieve the same functionality without using triggers and RLS in this way. For example, you might be able to move the uniqueness check into the application code or use a different mechanism for enforcing RLS.
Simplify the RLS policy: If the RLS policy is overly complex, try to simplify it. Complex policies are more likely to have unexpected interactions with other features.
Monitor closely: If you must use this combination of triggers and RLS, monitor your application closely for any signs of inconsistent behavior. This can help you catch issues early and prevent data corruption.

Conclusion

This bug highlights the complexities that can arise when different features of a database system interact in unexpected ways. Understanding these interactions is crucial for building robust and secure applications. We've seen how triggers and row-level security, while powerful on their own, can exhibit inconsistent behavior under specific conditions.

The key takeaway here is to be vigilant and thoroughly test your database interactions, especially when using advanced features like triggers and RLS. If you encounter unexpected behavior, don't hesitate to dig deeper and report it to the community, just like Julian Wreford did. By working together, we can make PostgreSQL even more reliable and secure. This is a reminder that even in mature systems like PostgreSQL, bugs can lurk, and it's our responsibility as developers and DBAs to uncover and address them. Stay curious, keep learning, and happy coding, everyone!