BUG #15708: RLS 'using' running as wrong user when called from a view

The Post Office <noreply@postgresql.org>

From: PG Bug reporting form <noreply@postgresql.org>
To: pgsql-bugs@lists.postgresql.org
Cc: quae@daurnimator.com
Date: 2019-03-20T23:53:56Z
Lists: pgsql-bugs, pgsql-hackers
The following bug has been logged on the website:

Bug reference:      15708
Logged by:          Daurnimator
Email address:      quae@daurnimator.com
PostgreSQL version: 11.2
Operating system:   linux
Description:        

(from https://gist.github.com/daurnimator/b1d2c16359e346a466b3093ae2757acf
)

This fails, seemingly because the RLS on 'bar' is being checked by alice,
instead of the view owner bob:
```sql
create role alice;

create table bar(a integer);
alter table bar enable row level security;
create table qux(b integer);

create role bob;
create policy blahblah on bar to bob
	using(exists(select 1 from qux));
grant select on table bar to bob;
grant select on table qux to bob;

create view foo as select * from bar;
alter view foo owner to bob;
grant select on table foo to alice;
-- grant select on table qux to alice; -- shouldn't be required

set role alice;
select * from foo;
```

```
$ psql -f rls_trouble.sql 
CREATE ROLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
CREATE ROLE
CREATE POLICY
GRANT
GRANT
CREATE VIEW
ALTER VIEW
GRANT
SET
psql:rls_trouble.sql:18: ERROR: permission denied for table qux
```

If we add an indirection via another view, then I get the result I
expected...
```sql
create role alice;

create table bar(a integer);
alter table bar enable row level security;
create table qux(b integer);

-- if we add a layer of indirection it works.... wat?
create view indirection as select * from bar;

create role bob;
create policy blahblah on bar to bob
	using(exists(select 1 from qux));
grant select on table bar to bob;
grant select on table indirection to bob;
grant select on table qux to bob;

create view foo as select * from indirection;
alter view foo owner to bob;
grant select on table foo to alice;

set role alice;
select * from foo;
```

Commits

  1. Perform RLS subquery checks as the right user when going via a view.