Re: Privileges on PUBLICATION - Mailing list pgsql-hackers

From Antonin Houska
Subject Re: Privileges on PUBLICATION
Date
Msg-id 5859.1652423797@antos
In response to Re: Privileges on PUBLICATION  ("Euler Taveira" <euler@eulerto.com>)
List pgsql-hackers
Euler Taveira <euler@eulerto.com> wrote:

> On Tue, May 10, 2022, at 5:37 AM, Antonin Houska wrote:
> 
>  My understanding is that the rows/columns filtering is a way for the
>  *publisher* to control which data is available to particular replica. From
>  this point of view, the publication privileges would just make the control
>  complete.
> 
> I agree. IMO it is a new feature. We already require high privilege for logical
> replication. Hence, we expect the replication user to have access to all data.
> Unfortunately, nobody mentioned this requirement during the row filter /
> column list development; someone could have written a patch for GRANT ... ON
> PUBLICATION.

I can try that for PG 16, unless someone is already working on it.

> I understand your concern. Like I said in my last sentence in the previous
> email: it is a fine-grained access control on the publisher. Keep in mind that
> it will *only* work for non-superusers (REPLICATION attribute). It is not
> exposing something that we didn't expose before. In this particular case, there
> is no mechanism to prevent the subscriber from obtaining data provided by the
> various row filters if they know the publication names. We could probably add a
> sentence to "Logical Replication > Security" section:
> 
> There are no privileges for publications. If you have multiple publications in a
> database, a subscription can use all publications available.

Attached is my proposal. It tries to be more specific and does not mention the
absence of the privileges explicitly.

-- 
Antonin Houska
Web: https://www.cybertec-postgresql.com

diff --git a/doc/src/sgml/ref/create_publication.sgml b/doc/src/sgml/ref/create_publication.sgml
index 1a828e8d2ff..b74ba625649 100644
--- a/doc/src/sgml/ref/create_publication.sgml
+++ b/doc/src/sgml/ref/create_publication.sgml
@@ -94,6 +94,16 @@ CREATE PUBLICATION <replaceable class="parameter">name</replaceable>
       list is specified, it must include the replica identity columns.
      </para>
 
+     <warning>
+      <para>
+       If you are using the <literal>WHERE</literal> clause or the column list
+       to omit some table data from the replication for security reasons,
+       please make sure that the same data is not exposed via other
+       publications which contain the same table and have different (or
+       none) <literal>WHERE</literal> clause or column list.
+     </para>
+     </warning>
+
      <para>
       Only persistent base tables and partitioned tables can be part of a
       publication.  Temporary tables, unlogged tables, foreign tables,
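Review bot: the phrase "have different (or none) <literal>WHERE</literal> clause or column list" in the new warning is ungrammatical; suggest "have a different <literal>WHERE</literal> clause or column list, or none at all". While there, the warning could state the reason the reader should care, which the thread already gives: a subscriber with the replication privilege can subscribe to any publication it knows the name of, so a second publication on the same table with no filter exposes everything the first one omits. Minor style point: the closing `</para>` of the new block is indented one space less than its opening `<para>` (5 spaces vs 6), so the two do not line up.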
