On 17.12.21 22:07, Alvaro Herrera wrote:
> So I've been thinking about this as a "security" item (you can see my
> comments to that effect sprinkled all over this thread), in the sense
> that if a publication "hides" some column, then the replica just won't
> get access to it. But in reality that's mistaken: the filtering that
> this patch implements is done based on the queries that *the replica*
> executes at its own volition; if the replica decides to ignore the list
> of columns, it'll be able to get all columns. All it takes is an
> uncooperative replica in order for the lot of data to be exposed anyway.
During normal replication, the publisher should only send the columns
that are configured to be part of the publication. So I don't see a
problem there.

During the initial table sync, the subscriber indeed can construct any
COPY command. We could maybe replace this with a more customized COPY
command variant, like COPY table OF publication TO STDOUT.

But right now the subscriber is sort of assumed to have access to
everything on the publisher anyway, so I doubt that this is the only
problem. But it's worth considering.