On Fri, Jan 21, 2022 at 7:23 PM Peter Eisentraut
<peter.eisentraut@enterprisedb.com> wrote:
>
> On 21.01.22 04:08, Masahiko Sawada wrote:
> >> I think the superuser check in AlterSubscription() might no longer be
> >> appropriate. Subscriptions can now be owned by non-superusers. Please
> >> check that.
> >
> > IIUC we don't allow non-superuser to own the subscription yet. We
> > still have the following superuser checks:
> >
> > In CreateSubscription():
> >
> > if (!superuser())
> > ereport(ERROR,
> > (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
> > errmsg("must be superuser to create subscriptions")));
> >
> > and in AlterSubscriptionOwner_internal();
> >
> > /* New owner must be a superuser */
> > if (!superuser_arg(newOwnerId))
> > ereport(ERROR,
> > (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
> > errmsg("permission denied to change owner of
> > subscription \"%s\"",
> > NameStr(form->subname)),
> > errhint("The owner of a subscription must be a superuser.")));
> >
> > Also, doing superuser check here seems to be consistent with
> > pg_replication_origin_advance() which is another way to skip
> > transactions and also requires superuser permission.
>
> I'm referring to commit a2ab9c06ea15fbcb2bfde570986a06b37f52bcca. You
> still have to be superuser to create a subscription, but you can change
> the owner to a nonprivileged user and it will observe table permissions
> on the subscriber.
>
> Assuming my understanding of that commit is correct, I think it would be
> sufficient in your patch to check that the current user is the owner of
> the subscription.
>
Won't we already do that for Alter Subscription command which means
nothing special needs to be done for this? However, it seems to me
that the idea we are trying to follow here is that as this option can
lead to data inconsistency, it is good to allow only superusers to
specify this option. The owner of the subscription can be changed to
non-superuser as well in which case I think it won't be a good idea to
allow this option. OTOH, if we think it is okay to allow such an
option to users that don't have superuser privilege then I think
allowing it to the owner of the subscription makes sense to me.
--
With Regards,
Amit Kapila.