Re: Non-superuser subscription owners - Mailing list pgsql-hackers

From Amit Kapila
Subject Re: Non-superuser subscription owners
Date
Msg-id CAA4eK1KdsoVCpregR8BymGfwhp38WnnX5hP-ZLdynZS78E2ZRQ@mail.gmail.com
Whole thread Raw
In response to Re: Non-superuser subscription owners  (Mark Dilger <mark.dilger@enterprisedb.com>)
Responses Re: Non-superuser subscription owners
List pgsql-hackers
On Mon, Dec 6, 2021 at 9:26 PM Mark Dilger <mark.dilger@enterprisedb.com> wrote:
>
> > On Dec 6, 2021, at 2:19 AM, Amit Kapila <amit.kapila16@gmail.com> wrote:
> >
> >>> If we want to maintain the property that subscriptions can only be
> >>> owned by superuser
>
> We don't want to maintain such a property, or at least, that's not what I want.  I don't think that's what Jeff
wants,either. 
>
> To clarify, I'm not entirely sure how to interpret the verb "maintain" in your question, since before the patch the
propertydoes not exist, and after the patch, it continues to not exist.  We could *add* such a property, of course,
thoughthis patch does not attempt any such thing. 
>

Okay, let me try to explain again. Following is the text from docs
[1]: " (a) To create a subscription, the user must be a superuser. (b)
The subscription apply process will run in the local database with the
privileges of a superuser. (c) Privileges are only checked once at the
start of a replication connection. They are not re-checked as each
change record is read from the publisher, nor are they re-checked for
each change when applied.

My understanding is that we want to improve what is written as (c)
which I think is the same as what you mentioned later as "Fix the
current bug wherein subscription changes are applied with superuser
force after the subscription owner has superuser privileges revoked.".
Am I correct till here? If so, I think what I am suggesting should fix
this with the assumption that we still want to follow (b) at least for
the first patch. One possibility is that our understanding of the
first problem is the same but you want to allow apply worker running
even when superuser privileges are revoked provided the user with
which it is running has appropriate privileges on the objects being
accessed by apply worker.

We will talk about other points of the roadmap you mentioned once our
understanding for the first one matches.

[1] - https://www.postgresql.org/docs/devel/logical-replication-security.html

--
With Regards,
Amit Kapila.



pgsql-hackers by date:

Previous
From: Dilip Kumar
Date:
Subject: Re: Add sub-transaction overflow status in pg_stat_activity
Next
From: Greg Nancarrow
Date:
Subject: Re: Alter all tables in schema owner fix