sirdank

Reputation: 3571

How to recover from a broken row-level security policy?

I created a row-level security policy like this:

.create-or-alter function with () Filter() {
    let IsAdmin = current_principal_is_member_of('[email protected]');
    let MyTenant = current_principal_details().Notes;
    StormEvents | where IsAdmin or Tenant == MyTenant
}

.alter table MyTable policy row_level_security enable "Filter"

and then accidentally updated it not to have the same schema as the underlying table. When I tried to query the table, I got this error:

Semantic error: SEM0116: Error in row_level_security query for database("...").table("..."): the result of the query must have exactly the same schema (column names and types) as the original table

Now I am trying things to fix the RLS policy, but when I run the query to update the policy to output a valid schema, it fails while executing the RLS policy. I tried deleting the function, but now every query fails with:

'' operator: Failed to resolve table or column or scalar expression named 'Filter'

I don't want to delete my table but it appears to be permanently broken. Is there a way to fix it?

Upvotes: 1

Views: 220

Answers (1)

Slavik N

Reputation: 5308

Updating the function fails because it references a table with "broken" RLS.

The solution is to force updating the function without validating it, by using with (skipvalidation=true) as follows:

.create-or-alter function with (skipvalidation=true) YourFunction() {
    ...
}

As soon as you run this, the RLS will be fixed.

Upvotes: 2
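
The recovery from the answer above, written out with the names from the question and followed by checks that the table is usable again. This is an added example, not part of the original answer: the group address is a constructed placeholder, and it assumes the function should read from MyTable and that Tenant is a string column of that table.

```kusto
// Run each statement as a separate request.

// 1. Re-create the deleted function, skipping validation so the broken
//    policy is not evaluated while the function is being saved.
//    The body must return exactly MyTable's column names and types.
.create-or-alter function with (skipvalidation=true) Filter() {
    // Constructed placeholder group; substitute your own admin group.
    let IsAdmin = current_principal_is_member_of('aadgroup=admins@example.com');
    let MyTenant = tostring(current_principal_details().Notes);
    MyTable | where IsAdmin or Tenant == MyTenant
}

// 2. Confirm the policy is still enabled and still refers to Filter.
.show table MyTable policy row_level_security

// 3. List the schema that the function output has to reproduce.
.show table MyTable cslschema

// 4. Query through the policy. If SEM0116 is returned here, the function
//    body still changes the schema (for example via project or extend).
MyTable | take 1
```

Because skipvalidation stores the function body unchecked, step 4 is the point at which a remaining schema mismatch becomes visible.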
