Re: Non-superuser subscription owners - Mailing list pgsql-hackers
| From | Robert Haas |
|---|---|
| Subject | Re: Non-superuser subscription owners |
| Date | |
| Msg-id | CA+TgmoYAu9sbgZ4oQ9kcTOny5+iANOtythjpq8HFmza_1PTmGA@mail.gmail.com Whole thread Raw |
| In response to | Re: Non-superuser subscription owners (Andres Freund <andres@anarazel.de>) |
| Responses |
Re: Non-superuser subscription owners
Re: Non-superuser subscription owners |
| List | pgsql-hackers |
On Tue, Jan 31, 2023 at 7:01 PM Andres Freund <andres@anarazel.de> wrote: > I don't really understand that - the run-as approach seems like a > necessary piece of improving the security model. > > I think it's perfectly reasonable to want to replicate from one system > in another, but to not want to allow logical replication to insert into > pg_class or whatnot. So not using superuser to execute the replication > makes sense. > > This is particularly the case if you're just replicating a small part of > the tables from one system to another. E.g. in a sharded setup, you may > want to replicate metadata too servers. I don't think that a system catalog should be considered a valid replication target, no matter who owns the subscription, so ISTM that writing to pg_class should be blocked regardless. The thing I'm struggling to understand is: if you only want to replicate into tables that Alice can write, why not just make Alice own the subscription? For a run-as user to make sense, you need a scenario where we want the replication to target only tables that Alice can touch, but we also don't want Alice herself to be able to touch the subscription, so you make Alice the run-as user and yourself the owner, or something like that. But I'm not sure what that scenario is exactly. Mark was postulating a scenario where the publisher and subscriber don't trust each other. I was thinking a little bit more about that. I still maintain that the current system is poorly set up to make that work, but suppose we wanted to do better. We could add filtering on the subscriber side, like you list schemas or specific relations that you are or are not willing to replicate into. Then you could, for example, connect your subscription to a certain remote publication, but with the restriction that you're only willing to replicate into the "headquarters" schema. Then we'll replicate whatever tables they send us, but if the dorks at headquarters mess up the publications on their end (intentionally or otherwise) and add some tables from the "locally_controlled_stuff" schema, we'll refuse to replicate that into our eponymous schema. I don't think this kind of system is well-suited to environments where people are totally hostile to each other, because you still need to have replication slots on the remote side and stuff. Also, having the remote side decode stuff and ignoring it locally is expensive, and I bet if we add stuff like this then people will misuse it and be sad. But it would make the system easier to reason about: I know for sure that this subscription will only write to these places, because that's all I've given it permission to do. In the sharding scenario you mention, if you want to provide accidental writes to unrelated tables due to the publication being not what we expect, you can either make the subscription owned by the same role that owns the sharded tables, or a special-purpose role that has permission to write to exactly the set of tables that you expect to be touched and no others. Or, if you had something like what I posited in the last paragraph, you could use that instead. But I don't see how a separate run-as user helps. If I'm just being super-dense here, I hope that one of you will explain using short words. :-) > I think we'll need two things to improve upon the current situation: > > 1) run-as user, to reduce the scope of potential danger > > 2) Option to run the database inserts as the owner of the table, with a > check that the run-as is actually allowed to perform work as the > owning role. That prevents escalation from table owner (who could add > default expressions etc) from gettng the privs of the > run-as/replication owner. I'm not quite sure what we do here now, but I agree that trigger firing seems like a problem. It might be that we need to worry about the user on the origin server, too. If Alice inserts a row that causes a replicated table owned by Bob to fire a trigger or evaluate a default expression or whatever due the presence of a subscription owned by Charlie, there is a risk that Alice might try to attack either Bob or Charlie, or that Bob might try to attack Charlie. > > And if we suppose that that already works and is safe, well then > > what's the case where I do need a run-as user? > > It's not at all safe today, IMO. You need to trust that nothing bad will > be replicated, otherwise the owner of the subscription has to be > considered compromised. What kinds of things are bad to replicate? -- Robert Haas EDB: http://www.enterprisedb.com
pgsql-hackers by date: