Re: [HACKERS] postgres_fdw super user checks - Mailing list pgsql-hackers

From Jeff Janes
Subject Re: [HACKERS] postgres_fdw super user checks
Date
Msg-id CAMkU=1yS4HVTyP7VN-XaGY8wio05REVF0_27cxNCTSN4w4dw7w@mail.gmail.com
In response to Re: [HACKERS] postgres_fdw super user checks  (Andreas Karlsson <andreas@proxel.se>)
Responses Re: [HACKERS] postgres_fdw super user checks
Re: [HACKERS] postgres_fdw super user checks
List pgsql-hackers
On Tue, Sep 12, 2017 at 1:13 AM, Andreas Karlsson <andreas@proxel.se> wrote:
> On 07/27/2017 09:45 PM, Jeff Janes wrote:
> > Here is an updated patch.  This version allows you to use the password-less connection if you either are the super-user directly (which is the existing committed behavior), or if you are using the super-user's mapping because you are querying a super-user-owned view which you have been granted access to.
>
> I have tested the patch and it passes the tests and works, and the code looks good (I have a small nitpick below).
>
> The feature seems useful, especially for people who already use views for security, so the question is if this is a potential footgun. I am leaning towards no since the superuser should be careful when granting access to its views anyway.
>
> It would have been nice if there was a more generic way to handle this since 1) the security issue is not unique to postgres_fdw and 2) this requires you to create a view. But since the patch is simple, an improvement in itself and does not prevent any future further improvements in this area I see no reason to let perfect be the enemy of good.

Thanks for the review.

I think that foreign tables ought to behave as views do, where they run as the owner rather than the invoker.  No one has talked me out of it, but no one has supported me on it either.  But I think it is too late to change that now.  Wrapping it in a view is not hard, but it sure clutters up a schema.  I don't think this can be made too generic, because each database has a quite different security model, so the solution will be much different.

Attached is a new patch which fixes the style issue you mentioned.

Cheers,

Jeff
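
The arrangement discussed in this message, sketched as an added example (not part of the thread or of the patch): a superuser-owned view over a postgres_fdw foreign table, with access granted to an ordinary role. All object names, the role name and the connection options are constructed placeholders, and the local superuser is assumed to be named postgres.

```sql
-- Added illustration; every name and option below is a constructed placeholder.
-- Run as the local superuser (assumed here to be "postgres").
CREATE EXTENSION IF NOT EXISTS postgres_fdw;

CREATE SERVER reporting_srv
    FOREIGN DATA WRAPPER postgres_fdw
    OPTIONS (host 'remote.example.internal', port '5432', dbname 'reporting');

-- The superuser's mapping carries no password option: this is the
-- "password-less connection" the message talks about.
CREATE USER MAPPING FOR postgres
    SERVER reporting_srv
    OPTIONS (user 'fdw_reader');

CREATE FOREIGN TABLE orders_remote (
    order_id   bigint,
    customer   text,
    amount     numeric,
    card_token text
) SERVER reporting_srv
  OPTIONS (schema_name 'public', table_name 'orders');

-- Superuser-owned view that exposes only the columns meant to be shared.
CREATE VIEW orders_summary AS
    SELECT order_id, customer, amount FROM orders_remote;

-- Ordinary role: SELECT on the view only, no privilege on the foreign
-- table and no user mapping of its own.
CREATE ROLE analyst LOGIN;
GRANT SELECT ON orders_summary TO analyst;

SET ROLE analyst;
-- Reaches the foreign table through the superuser-owned view, so the
-- superuser's mapping is used: the case the patch described above permits.
SELECT count(*) FROM orders_summary;
-- Direct access is refused: analyst holds no privilege on the foreign table.
SELECT count(*) FROM orders_remote;
RESET ROLE;

-- Review aids for the "footgun" question: who can read the view, and
-- which user mappings have no password option.
SELECT grantee, privilege_type
  FROM information_schema.role_table_grants
 WHERE table_name = 'orders_summary';
SELECT srvname, usename, umoptions FROM pg_user_mappings;
```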

