[17] CREATE SUBSCRIPTION ... SERVER
Jeff Davis <pgsql@j-davis.com>
From: Jeff Davis <pgsql@j-davis.com>
To: pgsql-hackers@postgresql.org
Date: 2023-08-30T06:42:00Z
Lists: pgsql-hackers
Attachments
- v1-0001-CREATE-SUBSCRIPTION-.-SERVER.patch (text/x-patch) patch v1-0001
Synopsis:
Publisher:
CREATE TABLE x(i INT);
CREATE TABLE y(i INT);
INSERT INTO x VALUES(1);
INSERT INTO y VALUES(-1);
CREATE PUBLICATION pub1 FOR TABLE x;
CREATE PUBLICATION pub2 FOR TABLE y;
Subscriber:
CREATE SERVER myserver FOR CONNECTION ONLY OPTIONS (
host '...', dbname '...'
);
CREATE USER MAPPING FOR PUBLIC SERVER myserver OPTIONS (
user '...', password '...'
);
CREATE TABLE x(i INT);
CREATE TABLE y(i INT);
CREATE SUBSCRIPTION sub1 SERVER myserver PUBLICATION pub1;
CREATE SUBSCRIPTION sub2 SERVER myserver PUBLICATION pub2;
Motivation:
* Allow managing connections separately from managing the
subscriptions themselves. For instance, if you update an
authentication method or the location of the publisher, updating
the server alone will update all subscriptions at once.
* Enable separating the privileges to create a subscription from the
privileges to create a connection string. (By default
pg_create_subscription has both privileges for compatibility with
v16, but the connection privilege can be revoked from
pg_create_subscription, see below.)
* Enable changing of single connection parameters without pasting
the rest of the connection string as well. E.g. "ALTER SERVER
... OPTIONS (SET ... '...');".
* Benefit from user mappings and ACLs on foreign server object if
you have multiple roles creating subscriptions.
Details:
The attached patch implements "CREATE SUBSCRIPTION ... SERVER myserver"
as an alternative to "CREATE SUBSCRIPTION ... CONNECTION '...'". The
user must be a member of pg_create_subscription and have USAGE
privileges on the server.
The server "myserver" must have been created with the new syntax:
CREATE SERVER myserver FOR CONNECTION ONLY
instead of specifying FOREIGN DATA WRAPPER. In other words, a server
FOR CONNECTION ONLY doesn't have a real FDW, it's a special server just
used for the postgres connection options. To create a server FOR
CONNECTION ONLY, the user must be a member of the new predefined role
pg_create_connection. A server FOR CONNECTION ONLY still uses ACLs and
user mappings the same way as other foreign servers, but cannot be used
to create foreign tables.
The predefined role pg_create_subscription is also a member of the role
pg_create_connection, so that existing members of the
pg_create_subscription role may continue to create subscriptions using
CONNECTION just like in v16 without any additional grant.
Security:
One motivation of this patch is to enable separating the privileges to
create a subscription from the privileges to create a connection
string, because each have their own security implications and may be
done through separate processes. To separate the privileges, simply
revoke pg_create_connection from pg_create_subscription; then you can
grant each one independently as you see fit.
For instance, there may be an administrator that controls what
postgres instances are available, and what connections may be
reasonable between those instances. That admin will need the
pg_create_connection role, and can proactively create all the servers
(using FOR CONNECTION ONLY) and user mappings that may be useful, and
manage and update those as necessary without breaking
subscriptions. Another role may be used to manage the subscriptions
themselves, and they would need to be a member of
pg_create_subscription but do not need the privileges to create raw
connection strings.
Note: the ability to revoke pg_create_connection from
pg_create_subscription avoids some risks in some environments; but
creating a subcription should still be considered a highly privileged
operation whether using SERVER or CONNECTION.
Remaining work:
The code for options handling needs some work. It's similar to
postgres_fdw in behavior, but I didn't spend as much time on it because
I suspect we will want to refactor the various ways connection strings
are handled (in CREATE SUBSCRIPTION ... CONNECTION, postgres_fdw, and
dblink) to make them more consistent.
Also, there are some nuances in handling connection options that I
don't fully understand. postgres_fdw makes a lot of effort: it
overrides client_encoding, it does a
post-connection security check, and allows GSS instead of a password
option for non-superusers. But CREATE SUBSCRIPTION ... CONNECTION makes
little effort, only checking whether the password is specified or not.
I'd like to understand why they are different and what we can unify.
Also, right now dblink has it's own dblink_fdw, and perhaps a server
FOR CONNECTION ONLY should become the preferred method instead.
--
Jeff Davis
PostgreSQL Contributor Team - AWS
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Document new catalog columns, missed in commit 8185bb5347.
- 90630ec42939 19 (unreleased) landed
-
Refactor to remove ForeignServerName().
- 11f8018ee678 19 (unreleased) landed
-
GetSubscription(): use per-object memory context.
- f16f5d608ca6 19 (unreleased) landed
-
Fix dependency on FDW's connection function.
- 4a0b46b6e1e4 19 (unreleased) landed
-
ALTER SUBSCRIPTION ... SERVER test.
- 1c5bf1185af0 19 (unreleased) landed
-
Fix pg_dump for CREATE FOREIGN DATA WRAPPER ... CONNECTION.
- b71bf3b84570 19 (unreleased) landed
-
Clean up postgres_fdw/t/010_subscription.pl.
- f4af7849b3db 19 (unreleased) landed
-
CREATE SUBSCRIPTION ... SERVER.
- 8185bb534763 19 (unreleased) landed
-
Allow upgrades to preserve the full subscription's state.
- 9a17be1e244a 17.0 cited