The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/15/sql-createpolicy.html
Description:

RLS documentation seems to say the user's predicate is evaluated AFTER the policy is evaluated. This presents to me an issue that I can't wrap my head around, and seems to confuse others as well.

Setup:

1. We have a policy-enabled table that has millions of rows, with ID as a primary key.
2. There exists a row in this table whose ID column is 10.
3. User submits a query: SELECT * FROM MYTABLE WHERE id = 10.

According to the documentation, the WHERE clause is not evaluated until AFTER the policy is evaluated, thus there is initially a full table scan of MYTABLE that returns only the set of rows that the user has access to (via the policy), THEN the WHERE clause is activated that reduces the row count to 1 or 0.

This sounds non-performant, and if this is or is not the case, I think it should be more clearly explained. In addition, a link to a "best practices using the policy effectively" would be useful, as from reviewing Stack Overflow, there is lots of concern over performance of RLS.
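
The setup described in the comment above can be reproduced and inspected with EXPLAIN. The script below is an added example, not part of the original comment or of the PostgreSQL documentation. The table name follows the comment; the owner column, the app_reader role, the policy name and the generated rows are constructed assumptions. It must be run by a role allowed to create roles, and it queries as a non-owner role because table owners and superusers are not subject to the policy by default.

```sql
-- Constructed reproduction of the scenario in the comment.
-- Assumed names: column "owner", role "app_reader", policy "mytable_owner_only".
BEGIN;

CREATE TABLE mytable (
    id      integer PRIMARY KEY,   -- primary key, as in the comment
    owner   text    NOT NULL,      -- assumed column the policy filters on
    payload text
);

-- One million constructed rows; even ids belong to app_reader, so id = 10 is visible.
INSERT INTO mytable (id, owner, payload)
SELECT g,
       CASE WHEN g % 2 = 0 THEN 'app_reader' ELSE 'someone_else' END,
       md5(g::text)
FROM generate_series(1, 1000000) AS g;

ANALYZE mytable;

ALTER TABLE mytable ENABLE ROW LEVEL SECURITY;

-- The policy: a reader only sees rows whose owner matches the current role.
CREATE POLICY mytable_owner_only ON mytable
    FOR SELECT
    USING (owner = current_user);

CREATE ROLE app_reader NOLOGIN;
GRANT SELECT ON mytable TO app_reader;

-- Switch to the restricted role for the rest of the transaction.
SET LOCAL ROLE app_reader;

-- In the plan, check where "id = 10" appears (index condition or filter)
-- and where the policy expression "owner = CURRENT_USER" appears.
EXPLAIN (ANALYZE, COSTS OFF, TIMING OFF)
SELECT * FROM mytable WHERE id = 10;

-- Discards the table, the policy and the role.
ROLLBACK;
```

The node type at the top of the plan and the reported row counts show directly whether the query scanned the whole table before applying the WHERE clause.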