Re: Privileges on PUBLICATION - Mailing list pgsql-hackers
From | Antonin Houska |
---|---|
Subject | Re: Privileges on PUBLICATION |
Date | |
Msg-id | 5859.1652423797@antos Whole thread Raw |
In response to | Re: Privileges on PUBLICATION ("Euler Taveira" <euler@eulerto.com>) |
Responses |
Re: Privileges on PUBLICATION
Re: Privileges on PUBLICATION |
List | pgsql-hackers |
Euler Taveira <euler@eulerto.com> wrote: > On Tue, May 10, 2022, at 5:37 AM, Antonin Houska wrote: > > My understanding is that the rows/columns filtering is a way for the > *publisher* to control which data is available to particular replica. From > this point of view, the publication privileges would just make the control > complete. > > I agree. IMO it is a new feature. We already require high privilege for logical > replication. Hence, we expect the replication user to have access to all data. > Unfortunately, nobody mentioned about this requirement during the row filter / > column list development; someone could have written a patch for GRANT ... ON > PUBLICATION. I can try that for PG 16, unless someone is already working on it. > I understand your concern. Like I said in my last sentence in the previous > email: it is a fine-grained access control on the publisher. Keep in mind that > it will *only* work for non-superusers (REPLICATION attribute). It is not > exposing something that we didn't expose before. In this particular case, there > is no mechanism to prevent the subscriber to obtain data provided by the > various row filters if they know the publication names. We could probably add a > sentence to "Logical Replication > Security" section: > > There is no privileges for publications. If you have multiple publications in a > database, a subscription can use all publications available. Attached is my proposal. It tries to be more specific and does not mention the absence of the privileges explicitly. -- Antonin Houska Web: https://www.cybertec-postgresql.com diff --git a/doc/src/sgml/ref/create_publication.sgml b/doc/src/sgml/ref/create_publication.sgml index 1a828e8d2ff..b74ba625649 100644 --- a/doc/src/sgml/ref/create_publication.sgml +++ b/doc/src/sgml/ref/create_publication.sgml @@ -94,6 +94,16 @@ CREATE PUBLICATION <replaceable class="parameter">name</replaceable> list is specified, it must include the replica identity columns. </para> + <warning> + <para> + If you are using the <literal>WHERE</literal> clause or the column list + to omit some table data from the replication for security reasons, + please make sure that the same data is not exposed via other + publications which contain the same table and have different (or + none) <literal>WHERE</literal> clause or column list. + </para> + </warning> + <para> Only persistent base tables and partitioned tables can be part of a publication. Temporary tables, unlogged tables, foreign tables,
pgsql-hackers by date: