Re: postgres_fdw, dblink, and CREATE SUBSCRIPTION security - Mailing list pgsql-hackers
| From | Robert Haas |
|---|---|
| Subject | Re: postgres_fdw, dblink, and CREATE SUBSCRIPTION security |
| Date | |
| Msg-id | CA+TgmobpVTMan6zR8rgBNcamc1Hwn0uH-gjuOR9DLB1H-h+saQ@mail.gmail.com Whole thread Raw |
| In response to | Re: postgres_fdw, dblink, and CREATE SUBSCRIPTION security (Jacob Champion <jchampion@timescale.com>) |
| Responses |
Re: postgres_fdw, dblink, and CREATE SUBSCRIPTION security
|
| List | pgsql-hackers |
On Wed, Jan 25, 2023 at 6:22 PM Jacob Champion <jchampion@timescale.com> wrote: > Sure: Ambient authority [1] means that something is granted access based > on some aspect of its existence that it can't remove (or even > necessarily enumerate). Up above, when you said "I cannot choose not to > be myself," that's a clear marker that ambient authority is involved. > Examples of ambient authn/z factors might include an originating IP > address, the user ID of a connected peer process, the use of a loopback > interface, a GPS location, and so on. So 'peer' and 'ident' are ambient > authentication methods. OK. > 1) Forwarding the original ambient context along with the request, so > the server can check it too. Right, so a protocol extension. Reasonable idea, but a big lift. Not only do you need everyone to be running a new enough version of PostgreSQL, but existing proxies like pgpool and pgbouncer need updates, too. > 2) Explicitly combining the request with the proof of authority needed > to make it, as in capability-based security [3]. As far as I can see, that link doesn't address how you'd make this approach work across a network. > 3) Dropping as many implicitly-held privileges as possible before making > a request. This doesn't solve the problem but may considerably reduce > the practical attack surface. Right. I definitely don't object to this kind of approach, but I don't think it can ever be sufficient by itself. > > e.g. > > > > all all all local all all - deny # block access through UNIX sockets > > all all all 127.0.0.0/8 all all - deny # block loopback interface via IPv4 > > > > Or: > > > > postgres_fdw all all all all all authentication=cleartext,md5,sasl > > allow # allow postgres_fdw with password-ish authentication > > I think this style focuses on absolute configuration flexibility at the > expense of usability. It obfuscates the common use cases. (I have the > exact same complaint about our HBA and ident configs, so I may be > fighting uphill.) That's probably somewhat true, but on the other hand, it also is more powerful than what you're describing. In your system, is there some way the DBA can say "hey, you can connect to any of the machines on this list of subnets, but nothing else"? Or equally, "hey, you may NOT connect to any machine on this list of subnets, but anything else is fine"? Or "you can connect to these subnets without SSL, but if you want to talk to anything else, you need to use SSL"? I would feel a bit bad saying that those are just use cases we don't care about. Most people likely wouldn't use that kind of flexibility, so maybe it doesn't really matter, but it seems kind of nice to have. Your idea seems to rely on us being able to identify all of the policies that a user is likely to want and give names to each one, and I don't feel very confident that that's realistic. But maybe I'm misinterpreting your idea? -- Robert Haas EDB: http://www.enterprisedb.com
pgsql-hackers by date: