Re: Non-superuser subscription owners - Mailing list pgsql-hackers
| From | Jeff Davis |
|---|---|
| Subject | Re: Non-superuser subscription owners |
| Date | |
| Msg-id | 27c557b12a590067c5e00588009447bb5bb2dd42.camel@j-davis.com Whole thread Raw |
| In response to | Re: Non-superuser subscription owners (Robert Haas <robertmhaas@gmail.com>) |
| List | pgsql-hackers |
On Wed, 2023-01-18 at 14:38 -0500, Robert Haas wrote: > I was just noticing that what was committed here didn't actually fix > the problem implied by the subject line. That is, non-superuser still > can't own subscriptions. To put that another way, there's no way for > the superuser to delegate the setup and administration of logical > replication to a non-superuser. That's a bummer. Right, though as Mark pointed out, it does accomplish something even if it's a bit unsatisfying. We could certainly do better here. > 2. There was also quite a bit of discussion of what to do if a user > who was previously eligible to own a subscription ceases to be > eligible, in particular around a superuser who is made into a > non-superuser, but the same problem would apply Correct, that's not a new problem, but exists in only a few places now. Our privilege system is focused on "what action can the user take right now?", and gets weirder when it comes to object ownership, which is a more permanent thing. Extending that system to a subscription object, which has its own capabilities including a long-lived process, is cause for some hesitation. I agree it's not necessarily a blocker. > 3. There was a bit of discussion of maybe wanting to allow users to > create subscriptions with some connection strings but not others, This was an alternative to trying to sanitize connection strings, because it's a bit difficult to reason about what might be "safe" connection strings for a non-superuser, because it's environment- dependent. But if we do identify a reasonable set of sanitization rules, we can proceed without 3. > I am very curious to know (a) why work on this was abandoned (perhaps > the answer is just lack of round tuits, in which case there is no > more > to be said), and (b) what people think of (1)-(3) above, and (c) > whether anyone knows of further problems that need to be considered > here. (a) Mostly round-tuits. There are problems and questions; but there are with any work, and they could be solved. Or, if they don't turn out to be terribly serious, we could ignore them. (b) When I pick this up again I would be inclined towards the following: try to solve 4-5 (listed below) first, which are independently useful; then look at both 1 and 3 to see which one presents an agreeable solution faster. I'll probably ignore 2 because I couldn't get agreement the last time around (I think Mark objected to the idea of denying a drop in privileges). (c) Let me add: 4. There are still differences between the subscription worker applying a change and going through the ordinary INSERT paths, for instance with RLS. Also solvable. 5. Andres raised in another thread the idea of switching to the table owner when applying changes (perhaps in a SECURITY_RESTRICTED_OPERATION?): https://www.postgresql.org/message-id/20230112033355.u5tiyr2bmuoc4jf4@awork3.anarazel.de That seems related, and I like the idea. -- Jeff Davis PostgreSQL Contributor Team - AWS
pgsql-hackers by date: