Masking not applied after a SET ROLE directly after the SECURITY LABEL

(The full script, from the French version of the workshop, is there.)

  • User paul (superuser) sets a masking rule and then runs SET ROLE pierre, where pierre is a masked role. The masking is NOT applied to pierre:
SET ROLE paul;
SECURITY LABEL FOR anon ON COLUMN supplier.contact
IS 'MASKED WITH VALUE $$CONFIDENTIAL$$';

SET ROLE pierre;

SELECT * FROM supplier ;
 id  | fk_company_id |    contact     |    phone    |   job_title   
-----+---------------+----------------+-------------+---------------
 299 |           194 | Johnny Ryall   | 597-500-569 | CEO
 157 |           346 | George Clinton | 131-002-530 | Sales manager
(2 lignes)
  • Disconnect, connect as paul and SET ROLE pierre, or connect directly as pierre: the masking is okay.

\c boutique paul
Vous êtes maintenant connecté à la base de données « boutique » en tant qu'utilisateur « paul ».
SET ROLE pierre ;
SELECT * FROM supplier ;
 id  | fk_company_id |   contact    |    phone    |   job_title   
-----+---------------+--------------+-------------+---------------
 299 |           194 | CONFIDENTIAL | 597-500-569 | CEO
 157 |           346 | CONFIDENTIAL | 131-002-530 | Sales manager
  • So there is a context somewhere to reinitialize. I don't know the precise scope of SECURITY LABELs. It may need a documentation update somewhere (I didn't find anything). If there is a security issue somewhere, I didn't find it. pg_seclabels seems OK.

  • PG anon 2.0.0 on PG 17, Debian 13

Edited by Christophe Courtois
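A session-level self-check for the situation described above, added here as an example and not part of the report or of the PostgreSQL Anonymizer project. It assumes the report's objects (superuser paul, masked role pierre, table supplier with column contact) and checks both that the rule is recorded in the catalog and that the masked role actually sees the masked value before the session is handed over; according to the report, on anon 2.0.0 the second check fails in the same session and passes after a reconnect.

```sql
-- Added verification script (not the report's own code).
-- Assumes: role paul is superuser, role pierre is labelled MASKED,
-- table supplier has a text column contact, anon 2.0.0 is installed.
SET ROLE paul;
SECURITY LABEL FOR anon ON COLUMN supplier.contact
  IS 'MASKED WITH VALUE $$CONFIDENTIAL$$';

-- 1. The rule is present in the catalog whatever the session state
--    (this is what pg_seclabels shows, and the report says it looks fine).
SELECT objtype, objname, label
  FROM pg_seclabels
 WHERE provider = 'anon'
   AND objtype  = 'column'
   AND objname LIKE '%supplier.contact';

-- 2. Enforcement check from the masked role's point of view, in this session.
SET ROLE pierre;
DO $$
DECLARE
  leaked integer;
BEGIN
  -- Rows where the masked role still sees something other than the mask
  SELECT count(*) INTO leaked
    FROM supplier
   WHERE contact IS DISTINCT FROM 'CONFIDENTIAL';

  IF leaked > 0 THEN
    -- Stop here rather than continue with an unmasked session
    RAISE EXCEPTION 'masking NOT enforced for role %: % unmasked row(s)',
      current_user, leaked;
  END IF;
  RAISE NOTICE 'masking enforced for role %', current_user;
END
$$;
RESET ROLE;
```

Run the same script after reconnecting as paul (or directly as pierre) to confirm the rule is enforced in a fresh session.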