Re: logical replication access control patches - Mailing list pgsql-hackers

From Petr Jelinek
Subject Re: logical replication access control patches
Date
Msg-id 51a8e99b-024e-17be-1a4c-5376622eb332@2ndquadrant.com
List pgsql-hackers
On 29/03/17 20:55, Alvaro Herrera wrote:
> Peter Eisentraut wrote:
>> On 3/15/17 21:54, Peter Eisentraut wrote:
> 
>>> 0004 Add subscription apply worker privilege checks
>>> 0005 Add CREATE SUBSCRIPTION privilege on databases
>>
>> It would be nice to reach a conclusion on these (the second one
>> particularly), because otherwise we'll be stuck with only superusers
>> being allowed to create subscriptions.
> 
> I note that the CREATE privilege on databases, which previously only
> enabled schema creation, now also allows creating publications.  I
> wonder what is different about subscriptions that we need a separate
> CREATE SUBSCRIPTION privilege; could we allow the three things under the
> same privilege type?  (I suspect not; why give logical replication
> controls to users who in previous releases were only able to create
> schemas?)  If not, does it make sense to have one privilege for both new
> things, perhaps something like GRANT LOGICAL REPLICATION THINGIES?  If
> not, maybe we should have three separate priv bits: GRANT CREATE for
> schemas, GRANT CREATE PUBLICATION and GRANT CREATE SUBSCRIPTION?
> 
> 
> So this CREATE SUBSCRIPTION priv actually gives you the power to cause
> the system to open network connections to the outside world.  It's not
> something you give freely to random strangers -- it should be guarded
> moderately tightly, because it could be used as a covert channel for data
> leaking.  However, it's 1000x better than requiring superuser for
> subscription creation, so +1 for the current approach.
> 

Plus, on the other hand, you might want to allow somebody to stream data
from another server but not necessarily allow said person to create new
objects in the database, which the standard CREATE privilege would allow. So
I think it makes sense to push this approach.

--
  Petr Jelinek                  http://www.2ndQuadrant.com/
  PostgreSQL Development, 24x7 Support, Training & Services
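The privilege split the thread is arguing about, shown as it stands in released PostgreSQL rather than in the patches under discussion. This is an added example, not code from the thread or from the patch set; the role, schema, table, publication, subscription, host and database names are made up, and it assumes a superuser session on a scratch database.

```sql
-- Added example (not from the thread or the patches). Demonstrates, on a
-- released PostgreSQL server, which actions the database-level CREATE
-- privilege covers and which one still needs a separate grant.
-- All object names below are invented; run as a superuser.
CREATE ROLE app_dev LOGIN PASSWORD 'changeme';
GRANT CREATE ON DATABASE postgres TO app_dev;   -- replace with your scratch database

SET ROLE app_dev;

-- CREATE on the database: schema creation, the original meaning of the privilege.
CREATE SCHEMA app_dev_schema;

-- Since PostgreSQL 10 the same privilege also permits creating publications.
-- The role must own the tables it publishes; FOR ALL TABLES is superuser-only.
CREATE TABLE app_dev_schema.events (id int PRIMARY KEY, payload text);
CREATE PUBLICATION app_dev_pub FOR TABLE app_dev_schema.events;

-- Subscription creation is the action that makes the server open an outbound
-- connection to a host the creator chooses (the CONNECTION string), which is
-- the covert-channel concern raised above. CREATE on the database does not
-- cover it: PostgreSQL 10 through 15 refuse this statement for any role that
-- is not a superuser, and 16 and later additionally require membership in the
-- predefined pg_create_subscription role, so this fails for app_dev as granted.
CREATE SUBSCRIPTION app_dev_sub
    CONNECTION 'host=publisher.internal dbname=src user=repl password=secret'
    PUBLICATION src_pub;

RESET ROLE;

-- PostgreSQL 16 and later: grant the subscription capability on its own,
-- separately from CREATE, which is the separation the thread argues for.
GRANT pg_create_subscription TO app_dev;
```

The point to check when auditing a server is therefore not only who holds CREATE on each database but who is a superuser (10 to 15) or a member of pg_create_subscription (16+), since those are the roles that can make the server connect outward.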


