On 09/12/16 17:08, Peter Eisentraut wrote:
> Here is a "fixup" patch for
> 0002-Add-PUBLICATION-catalogs-and-DDL-v11.patch.gz with some minor fixes.
>
Thanks, merged.
> Two issues that should be addressed:
>
> 1. I think ALTER PUBLICATION does not need to require CREATE privilege
> on the database. That should be easy to change.
>
Right, I removed the check.
> 2. By requiring only SELECT privilege to include a table in a
> publication, someone could include a table without replica identity into
> a publication and thus prevent updates to the table.
>
> A while ago I had been working on a patch to create a new PUBLICATION
> privilege for this purpose. I have attached the in-progress patch here.
> We could either finish that up and include it, or commit your patch
> initially with requiring superuser and then refine the permissions later.
>
Hmm, good catch. I changed the SELECT privilege check to owner check for
now, that seems relatively reasonable.
I agree that we should eventually have special privilege for that
though. But then we also need to invent privileges for PUBLICATIONs
themselves for this to work reasonably as you need to be owner of
PUBLICATION to add tables right now, so having PUBLICATION privilege on
table does not seem to do an awful lot. Also I think if we add table
privilege for this it's probably better named as PUBLISH rather than
PUBLICATION but that's not really important.
Attached new version with your updates and rebased on top of the current
HEAD (the partitioning patch produced quite a few conflicts).
--
Petr Jelinek http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
