Thread
Commits
-
Refactor ExecGrant_*() functions
- 369f09e420ef 16.0 cited
-
doc: Add note about lack of publication privileges
- 84387fc88944 16.0 landed
-
Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2022-05-09T14:09:57Z
Now that the user can specify rows and columns to be omitted from the logical replication [1], I suppose hiding rows and columns from the subscriber is an important use case. However, since the subscription connection user (i.e. the user specified in the CREATE SUBSCRIPTION ... CONNECTION ... command) needs SELECT permission on the replicated table (on the publication side), he can just use another publication (which has different filters or no filters at all) to get the supposedly-hidden data replicated. Don't we need privileges on publication (e.g GRANT USAGE ON PUBLICATION ...) now? [1] https://www.postgresql.org/docs/devel/sql-createpublication.html -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Euler Taveira <euler@eulerto.com> — 2022-05-09T18:44:45Z
On Mon, May 9, 2022, at 11:09 AM, Antonin Houska wrote: > Now that the user can specify rows and columns to be omitted from the logical > replication [1], I suppose hiding rows and columns from the subscriber is an > important use case. However, since the subscription connection user (i.e. the > user specified in the CREATE SUBSCRIPTION ... CONNECTION ... command) needs > SELECT permission on the replicated table (on the publication side), he can > just use another publication (which has different filters or no filters at > all) to get the supposedly-hidden data replicated. The required privileges were not relaxed on publisher after the row filter and column list features. It is not just to "create another publication". Create publications require CREATE privilege on databases (that is *not* granted to PUBLIC).If you have an untrusted user that could bypass your rules about hidden data, it is better to review your user privileges. postgres=# CREATE ROLE foo REPLICATION LOGIN; CREATE ROLE postgres=# \c - foo You are now connected to database "postgres" as user "foo". postgres=> CREATE PUBLICATION pub1; ERROR: permission denied for database postgres The documentation [1] says "The role used for the replication connection must have the REPLICATION attribute (or be a superuser)." You can use role foo for the replication connection but role foo couldn't be a superuser. In this case, even if role foo open a connection to database postgres, a publication cannot be created due to lack of privileges. > Don't we need privileges on publication (e.g GRANT USAGE ON PUBLICATION ...) > now? Maybe. We rely on CREATE privilege on databases right now. If you say that GRANT USAGE ON PUBLICATION is just a command that will have the same effect as REPLICATION property [1] has right now, I would say it won't. Are you aiming a fine-grained access control on publisher? [1] https://www.postgresql.org/docs/devel/logical-replication-security.html -- Euler Taveira EDB https://www.enterprisedb.com/
-
Re: Privileges on PUBLICATION
Amit Kapila <amit.kapila16@gmail.com> — 2022-05-10T03:49:48Z
On Tue, May 10, 2022 at 12:16 AM Euler Taveira <euler@eulerto.com> wrote: > > On Mon, May 9, 2022, at 11:09 AM, Antonin Houska wrote: > > Now that the user can specify rows and columns to be omitted from the logical > replication [1], I suppose hiding rows and columns from the subscriber is an > important use case. However, since the subscription connection user (i.e. the > user specified in the CREATE SUBSCRIPTION ... CONNECTION ... command) needs > SELECT permission on the replicated table (on the publication side), he can > just use another publication (which has different filters or no filters at > all) to get the supposedly-hidden data replicated. > > The required privileges were not relaxed on publisher after the row filter and > column list features. It is not just to "create another publication". Create > publications require CREATE privilege on databases (that is *not* granted to > PUBLIC).If you have an untrusted user that could bypass your rules about hidden > data, it is better to review your user privileges. > Also, to create a subscription (which combines multiple publications to bypass rules), a user must be a superuser. So, isn't that a sufficient guarantee that users shouldn't be able to bypass such rules? -- With Regards, Amit Kapila.
-
Re: Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2022-05-10T08:02:58Z
Euler Taveira <euler@eulerto.com> wrote: > On Mon, May 9, 2022, at 11:09 AM, Antonin Houska wrote: > > Now that the user can specify rows and columns to be omitted from the logical > replication [1], I suppose hiding rows and columns from the subscriber is an > important use case. However, since the subscription connection user (i.e. the > user specified in the CREATE SUBSCRIPTION ... CONNECTION ... command) needs > SELECT permission on the replicated table (on the publication side), he can > just use another publication (which has different filters or no filters at > all) to get the supposedly-hidden data replicated. > > The required privileges were not relaxed on publisher after the row filter and > column list features. It is not just to "create another publication". Create > publications require CREATE privilege on databases (that is *not* granted to > PUBLIC).If you have an untrusted user that could bypass your rules about hidden > data, it is better to review your user privileges. > > postgres=# CREATE ROLE foo REPLICATION LOGIN; > CREATE ROLE > postgres=# \c - foo > You are now connected to database "postgres" as user "foo". > postgres=> CREATE PUBLICATION pub1; > ERROR: permission denied for database postgres > > The documentation [1] says > > "The role used for the replication connection must have the REPLICATION > attribute (or be a superuser)." > > You can use role foo for the replication connection but role foo couldn't be a > superuser. In this case, even if role foo open a connection to database > postgres, a publication cannot be created due to lack of privileges. > > Don't we need privileges on publication (e.g GRANT USAGE ON PUBLICATION ...) > now? > > Maybe. We rely on CREATE privilege on databases right now. If you say that > GRANT USAGE ON PUBLICATION is just a command that will have the same effect as > REPLICATION property [1] has right now, I would say it won't. Are you aiming a > fine-grained access control on publisher? The configuration I'm thinking of is multiple replicas reading data from the same master. For example, consider "foo" and "bar" roles, used by "subscr_foo" and "subscr_bar" subscriptions respectively. (Therefore, both roles need the REPLICATION option.) The subscriptions "subscr_foo" and "subscr_bar" are located in "db_foo" and "db_bar" databases respectively. On the master side, there are two publications: "pub_foo" and "pub_bar", to be used by "subscr_foo" and "subscr_bar" subscriptions respectively. The publications replicate the same table, but each with a different row filter. The problem is that the admin of "db_foo" can add the "pub_bar" publication to the "subscr_foo" subscription, and thus get the data that his "pub_foo" would filter out. Likewise, the admin of "db_bar" can "steal" the data from "pub_foo" by adding that publication to "subscr_bar". In this case, the existing publications are misused, so the CREATE PUBLICATION privileges do not help. Since the REPLICATION option of a role is cluster-wide, but I need specific roles to be restricted to specific publications, it can actually be called fine-grained access control as you say. > [1] https://www.postgresql.org/docs/devel/logical-replication-security.html -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2022-05-10T08:37:24Z
Amit Kapila <amit.kapila16@gmail.com> wrote: > On Tue, May 10, 2022 at 12:16 AM Euler Taveira <euler@eulerto.com> wrote: > > > > On Mon, May 9, 2022, at 11:09 AM, Antonin Houska wrote: > > > > Now that the user can specify rows and columns to be omitted from the logical > > replication [1], I suppose hiding rows and columns from the subscriber is an > > important use case. However, since the subscription connection user (i.e. the > > user specified in the CREATE SUBSCRIPTION ... CONNECTION ... command) needs > > SELECT permission on the replicated table (on the publication side), he can > > just use another publication (which has different filters or no filters at > > all) to get the supposedly-hidden data replicated. > > > > The required privileges were not relaxed on publisher after the row filter and > > column list features. It is not just to "create another publication". Create > > publications require CREATE privilege on databases (that is *not* granted to > > PUBLIC).If you have an untrusted user that could bypass your rules about hidden > > data, it is better to review your user privileges. > > > > Also, to create a subscription (which combines multiple publications > to bypass rules), a user must be a superuser. So, isn't that a > sufficient guarantee that users shouldn't be able to bypass such > rules? My understanding is that the rows/columns filtering is a way for the *publisher* to control which data is available to particular replica. From this point of view, the publication privileges would just make the control complete. -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Peter Eisentraut <peter.eisentraut@enterprisedb.com> — 2022-05-12T05:46:56Z
On 10.05.22 10:37, Antonin Houska wrote: > My understanding is that the rows/columns filtering is a way for the > *publisher* to control which data is available to particular replica. From > this point of view, the publication privileges would just make the control > complete. I think privileges on publications would eventually be useful. But are you arguing that we need them for PG15 to make the new features usable safely?
-
Re: Privileges on PUBLICATION
Euler Taveira <euler@eulerto.com> — 2022-05-12T12:48:28Z
On Tue, May 10, 2022, at 5:37 AM, Antonin Houska wrote: > My understanding is that the rows/columns filtering is a way for the > *publisher* to control which data is available to particular replica. From > this point of view, the publication privileges would just make the control > complete. I agree. IMO it is a new feature. We already require high privilege for logical replication. Hence, we expect the replication user to have access to all data. Unfortunately, nobody mentioned about this requirement during the row filter / column list development; someone could have written a patch for GRANT ... ON PUBLICATION. I understand your concern. Like I said in my last sentence in the previous email: it is a fine-grained access control on the publisher. Keep in mind that it will *only* work for non-superusers (REPLICATION attribute). It is not exposing something that we didn't expose before. In this particular case, there is no mechanism to prevent the subscriber to obtain data provided by the various row filters if they know the publication names. We could probably add a sentence to "Logical Replication > Security" section: There is no privileges for publications. If you have multiple publications in a database, a subscription can use all publications available. -- Euler Taveira EDB https://www.enterprisedb.com/
-
Re: Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2022-05-13T06:36:37Z
Euler Taveira <euler@eulerto.com> wrote: > On Tue, May 10, 2022, at 5:37 AM, Antonin Houska wrote: > > My understanding is that the rows/columns filtering is a way for the > *publisher* to control which data is available to particular replica. From > this point of view, the publication privileges would just make the control > complete. > > I agree. IMO it is a new feature. We already require high privilege for logical > replication. Hence, we expect the replication user to have access to all data. > Unfortunately, nobody mentioned about this requirement during the row filter / > column list development; someone could have written a patch for GRANT ... ON > PUBLICATION. I can try that for PG 16, unless someone is already working on it. > I understand your concern. Like I said in my last sentence in the previous > email: it is a fine-grained access control on the publisher. Keep in mind that > it will *only* work for non-superusers (REPLICATION attribute). It is not > exposing something that we didn't expose before. In this particular case, there > is no mechanism to prevent the subscriber to obtain data provided by the > various row filters if they know the publication names. We could probably add a > sentence to "Logical Replication > Security" section: > > There is no privileges for publications. If you have multiple publications in a > database, a subscription can use all publications available. Attached is my proposal. It tries to be more specific and does not mention the absence of the privileges explicitly. -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2022-05-13T06:38:55Z
Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > On 10.05.22 10:37, Antonin Houska wrote: > > My understanding is that the rows/columns filtering is a way for the > > *publisher* to control which data is available to particular replica. From > > this point of view, the publication privileges would just make the control > > complete. > > I think privileges on publications would eventually be useful. But are you > arguing that we need them for PG15 to make the new features usable safely? I didn't think that far, but user should be aware of the problem. My proposal of documentation is in https://www.postgresql.org/message-id/5859.1652423797%40antos -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Euler Taveira <euler@eulerto.com> — 2022-05-13T19:28:45Z
On Fri, May 13, 2022, at 3:36 AM, Antonin Houska wrote: > Attached is my proposal. It tries to be more specific and does not mention the > absence of the privileges explicitly. You explained the current issue but say nothing about the limitation. This information will trigger a question possibly in one of the MLs. IMO if you say something like the sentence above at the end, it will make it clear why that setup expose all data (there is no access control to publications) and explicitly say there is a TODO here. Additional privileges might be added to control access to table data in a future version of <productname>PostgreSQL</productname>. I also wouldn't use the warning tag because it fits in the same category as the other restrictions listed in the page. -- Euler Taveira EDB https://www.enterprisedb.com/
-
Re: Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2022-05-18T09:16:10Z
Antonin Houska <ah@cybertec.at> wrote: > Euler Taveira <euler@eulerto.com> wrote: > > > On Tue, May 10, 2022, at 5:37 AM, Antonin Houska wrote: > > > > My understanding is that the rows/columns filtering is a way for the > > *publisher* to control which data is available to particular replica. From > > this point of view, the publication privileges would just make the control > > complete. > > > > I agree. IMO it is a new feature. We already require high privilege for logical > > replication. Hence, we expect the replication user to have access to all data. > > Unfortunately, nobody mentioned about this requirement during the row filter / > > column list development; someone could have written a patch for GRANT ... ON > > PUBLICATION. > > I can try that for PG 16, unless someone is already working on it. The patch is attached to this message. -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2022-05-18T09:44:57Z
Euler Taveira <euler@eulerto.com> wrote: > On Fri, May 13, 2022, at 3:36 AM, Antonin Houska wrote: > > Attached is my proposal. It tries to be more specific and does not mention the > absence of the privileges explicitly. > > You explained the current issue but say nothing about the limitation. This > information will trigger a question possibly in one of the MLs. IMO if you say > something like the sentence above at the end, it will make it clear why that > setup expose all data (there is no access control to publications) and > explicitly say there is a TODO here. > > Additional privileges might be added to control access to table data in a > future version of <productname>PostgreSQL</productname>. I thought it sound too negative if absence of some feature was mentioned explicitly. However it makes sense to be clear from technical point of view. > I also wouldn't use the warning tag because it fits in the same category as the > other restrictions listed in the page. ok, please see the next version. -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Euler Taveira <euler@eulerto.com> — 2022-05-18T18:04:04Z
On Wed, May 18, 2022, at 6:16 AM, Antonin Houska wrote: > The patch is attached to this message. Great. Add it to the next CF. I'll review it when I have some spare time. -- Euler Taveira EDB https://www.enterprisedb.com/
-
Re: Privileges on PUBLICATION
Euler Taveira <euler@eulerto.com> — 2022-05-18T18:19:29Z
On Wed, May 18, 2022, at 6:44 AM, Antonin Houska wrote: > ok, please see the next version. The new paragraph looks good to me. I'm not sure if the CREATE PUBLICATION is the right place to provide such information. As I suggested in a previous email [1], you could add it to "Logical Replication > Security". [1] https://postgr.es/m/d96103fe-99e2-4119-bd76-952d326b7539@www.fastmail.com -- Euler Taveira EDB https://www.enterprisedb.com/
-
Re: Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2022-05-19T18:40:55Z
Euler Taveira <euler@eulerto.com> wrote: > On Wed, May 18, 2022, at 6:16 AM, Antonin Houska wrote: > > The patch is attached to this message. > > Great. Add it to the next CF. I'll review it when I have some spare time. https://commitfest.postgresql.org/38/3641/ Thanks! -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2022-06-20T14:01:35Z
Euler Taveira <euler@eulerto.com> wrote: > --eeab359ad6094efd84562cddd7fb9e89 > Content-Type: text/plain > > On Wed, May 18, 2022, at 6:44 AM, Antonin Houska wrote: > > ok, please see the next version. > The new paragraph looks good to me. I'm not sure if the CREATE PUBLICATION is > the right place to provide such information. As I suggested in a previous email > [1], you could add it to "Logical Replication > Security". ok, I missed that. The next version moves the text there. > [1] https://postgr.es/m/d96103fe-99e2-4119-bd76-952d326b7539@www.fastmail.com -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Peter Eisentraut <peter.eisentraut@enterprisedb.com> — 2022-11-01T13:23:51Z
On 20.06.22 16:01, Antonin Houska wrote: >> On Wed, May 18, 2022, at 6:44 AM, Antonin Houska wrote: >>> ok, please see the next version. >> The new paragraph looks good to me. I'm not sure if the CREATE PUBLICATION is >> the right place to provide such information. As I suggested in a previous email >> [1], you could add it to "Logical Replication > Security". > > ok, I missed that. The next version moves the text there. I have committed this patch that adds the additional documentation. The CF entry is about privileges on publications. Please rebase that patch and repost it so that the CF app and the CF bot are up to date.
-
Re: Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2022-11-03T05:43:12Z
Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > The CF entry is about privileges on publications. Please rebase that patch > and repost it so that the CF app and the CF bot are up to date. The rebased patch (with regression tests added) is attached here. There's still one design issue that I haven't mentioned yet: if the USAGE privilege on a publication is revoked after the synchronization phase completed, the missing privilege on a publication causes ERROR in the output plugin. If the privilege is then granted, the error does not disappear because the same (historical) snapshot we use to decode the failed data change again is also used to check the privileges in the catalog, so the output plugin does not see that the privilege has already been granted. The only solution seems to be to drop the publication from the subscription and add it again, or to drop and re-create the whole subscription. I haven't added a note about this problem to the documentation yet, in case someone has better idea how to approach the problem. -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Peter Eisentraut <peter.eisentraut@enterprisedb.com> — 2022-11-03T15:49:51Z
On 03.11.22 01:43, Antonin Houska wrote: > Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > >> The CF entry is about privileges on publications. Please rebase that patch >> and repost it so that the CF app and the CF bot are up to date. > > The rebased patch (with regression tests added) is attached here. Some preliminary discussion: What is the upgrade strategy? I suppose the options are either that publications have a default acl that makes them publicly accessible, thus preserving the existing behavior by default, or pg_dump would need to create additional GRANT statements when upgrading from pre-PG16. I don't see anything like either of these mentioned in the patch. What is your plan? You might be interested in this patch, which relates to yours: https://commitfest.postgresql.org/40/3955/ Looking at your patch, I would also like to find a way to refactor away the ExecGrant_Publication() function. I'll think about that. I think you should add some tests under src/test/regress/ for the new GRANT and REVOKE statements, just to have some basic coverage that it works. sql/publication.sql would be appropriate, I think.
-
Re: Privileges on PUBLICATION
Amit Kapila <amit.kapila16@gmail.com> — 2022-11-04T04:29:43Z
On Thu, Nov 3, 2022 at 11:12 AM Antonin Houska <ah@cybertec.at> wrote: > > Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > > > The CF entry is about privileges on publications. Please rebase that patch > > and repost it so that the CF app and the CF bot are up to date. > > The rebased patch (with regression tests added) is attached here. > > There's still one design issue that I haven't mentioned yet: if the USAGE > privilege on a publication is revoked after the synchronization phase > completed, the missing privilege on a publication causes ERROR in the output > plugin. If the privilege is then granted, the error does not disappear because > the same (historical) snapshot we use to decode the failed data change again > is also used to check the privileges in the catalog, so the output plugin does > not see that the privilege has already been granted. > We have a similar problem even when publication is dropped/created. The replication won't be able to proceed. > The only solution seems to be to drop the publication from the subscription > and add it again, or to drop and re-create the whole subscription. I haven't > added a note about this problem to the documentation yet, in case someone has > better idea how to approach the problem. > I think one possibility is that the user advances the slot used in replication by using pg_replication_slot_advance() at or after the location where the privilege is granted. Some other ideas have been discussed in the thread [1], in particular, see email [2] and discussion after that but we didn't reach any conclusion. [1] - https://www.postgresql.org/message-id/CAHut%2BPvMbCsL8PAz1Qc6LNoL0Ag0y3YJtPVJ8V0xVXJOPb%2B0xw%40mail.gmail.com [2] - https://www.postgresql.org/message-id/CAA4eK1JTwOAniPua04o2EcOXfzRa8ANax%3D3bpx4H-8dH7M2p%3DA%40mail.gmail.com -- With Regards, Amit Kapila.
-
Re: Privileges on PUBLICATION
Amit Kapila <amit.kapila16@gmail.com> — 2022-11-04T04:31:02Z
On Thu, Nov 3, 2022 at 9:19 PM Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > > On 03.11.22 01:43, Antonin Houska wrote: > > Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > > > >> The CF entry is about privileges on publications. Please rebase that patch > >> and repost it so that the CF app and the CF bot are up to date. > > > > The rebased patch (with regression tests added) is attached here. > > Some preliminary discussion: > > What is the upgrade strategy? I suppose the options are either that > publications have a default acl that makes them publicly accessible, > thus preserving the existing behavior by default, or pg_dump would need > to create additional GRANT statements when upgrading from pre-PG16. > I think making them publicly accessible is a better option. -- With Regards, Amit Kapila.
-
Re: Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2022-11-04T07:28:50Z
Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > On 03.11.22 01:43, Antonin Houska wrote: > > Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > > > >> The CF entry is about privileges on publications. Please rebase that patch > >> and repost it so that the CF app and the CF bot are up to date. > > The rebased patch (with regression tests added) is attached here. > > Some preliminary discussion: > > What is the upgrade strategy? I suppose the options are either that > publications have a default acl that makes them publicly accessible, > thus preserving the existing behavior by default, or pg_dump would need to > create additional GRANT statements when upgrading from pre-PG16. I don't see > anything like either of these mentioned in the patch. What is your plan? So far I considered the first > You might be interested in this patch, which relates to yours: > https://commitfest.postgresql.org/40/3955/ ok, I'll check. > Looking at your patch, I would also like to find a way to refactor away the > ExecGrant_Publication() function. I'll think about that. > > I think you should add some tests under src/test/regress/ for the new GRANT > and REVOKE statements, just to have some basic coverage that it works. > sql/publication.sql would be appropriate, I think. I thought about the whole concept a bit more and I doubt if the PUBLICATION privilege is the best approach. In particular, the user specified in CREATE SUBSCRIPTION ... CONNECTION ... (say "subscription user") needs to have SELECT privilege on the tables replicated. So if the DBA excludes some columns from the publication's column list and sets the (publication) privileges in such a way that the user cannot get the column values via other publications, the user still can connect to the database directly and get values of the excluded columns. As an alternative to the publication privileges, I think that the CREATE SUBSCRIPTION command could grant ACL_SELECT automatically to the subscription user on the individual columns contained in the publication column list, and DROP SUBSCRIPTION would revoke that privilege. Of course a question is what to do if the replication user already has that privilege on some columns: either the CREATE SUBSCRIPTION command should raise ERROR, or we should introduce a new privilege (e.g. ACL_SELECT_PUB) for this purpose, which would effectivelly be ACL_SELECT, but hidden from the users of GRANT / REVOKE. If this approach was taken, the USAGE privilege on schema would need to be granted / revoked in a similar way. What do you think about that? -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2022-11-04T08:37:29Z
Amit Kapila <amit.kapila16@gmail.com> wrote: > On Thu, Nov 3, 2022 at 11:12 AM Antonin Houska <ah@cybertec.at> wrote: > > > > Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > > > > > The CF entry is about privileges on publications. Please rebase that patch > > > and repost it so that the CF app and the CF bot are up to date. > > > > The rebased patch (with regression tests added) is attached here. > > > > There's still one design issue that I haven't mentioned yet: if the USAGE > > privilege on a publication is revoked after the synchronization phase > > completed, the missing privilege on a publication causes ERROR in the output > > plugin. If the privilege is then granted, the error does not disappear because > > the same (historical) snapshot we use to decode the failed data change again > > is also used to check the privileges in the catalog, so the output plugin does > > not see that the privilege has already been granted. > > > > We have a similar problem even when publication is dropped/created. > The replication won't be able to proceed. > > > The only solution seems to be to drop the publication from the subscription > > and add it again, or to drop and re-create the whole subscription. I haven't > > added a note about this problem to the documentation yet, in case someone has > > better idea how to approach the problem. > > > > I think one possibility is that the user advances the slot used in > replication by using pg_replication_slot_advance() at or after the > location where the privilege is granted. Some other ideas have been > discussed in the thread [1], in particular, see email [2] and > discussion after that but we didn't reach any conclusion. Thanks for feedback. Regarding the publications, I'm not sure what the user should expect if he revokes the permissions in the middle of processing. In such a situation, he should be aware that some privileged data could already have been replicated. My preference in such a situation would be to truncate the table(s) on the subscriber side and to restart the replication, rather than fix the replication and keep the subscriber's access to the leaked data. > [1] - https://www.postgresql.org/message-id/CAHut%2BPvMbCsL8PAz1Qc6LNoL0Ag0y3YJtPVJ8V0xVXJOPb%2B0xw%40mail.gmail.com > [2] - https://www.postgresql.org/message-id/CAA4eK1JTwOAniPua04o2EcOXfzRa8ANax%3D3bpx4H-8dH7M2p%3DA%40mail.gmail.com -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Mark Dilger <mark.dilger@enterprisedb.com> — 2022-11-04T17:17:17Z
> On Nov 4, 2022, at 12:28 AM, Antonin Houska <ah@cybertec.at> wrote: > > I thought about the whole concept a bit more and I doubt if the PUBLICATION > privilege is the best approach. In particular, the user specified in CREATE > SUBSCRIPTION ... CONNECTION ... (say "subscription user") needs to have SELECT > privilege on the tables replicated. So if the DBA excludes some columns from > the publication's column list and sets the (publication) privileges in such a > way that the user cannot get the column values via other publications, the > user still can connect to the database directly and get values of the excluded > columns. > > As an alternative to the publication privileges, I think that the CREATE > SUBSCRIPTION command could grant ACL_SELECT automatically to the subscription > user on the individual columns contained in the publication column list, and > DROP SUBSCRIPTION would revoke that privilege. > > Of course a question is what to do if the replication user already has that > privilege on some columns: either the CREATE SUBSCRIPTION command should raise > ERROR, or we should introduce a new privilege (e.g. ACL_SELECT_PUB) for this > purpose, which would effectivelly be ACL_SELECT, but hidden from the users of > GRANT / REVOKE. > > If this approach was taken, the USAGE privilege on schema would need to be > granted / revoked in a similar way. When you talk about a user needing to have privileges, it sounds like you mean privileges on the publishing database. But then you talk about CREATE SUBSCRIPTION granting privileges, which would necessarily be on the subscriber database. Can you clarify what you have in mind? — Mark Dilger EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
-
Re: Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2022-11-04T17:37:31Z
Mark Dilger <mark.dilger@enterprisedb.com> wrote: > > On Nov 4, 2022, at 12:28 AM, Antonin Houska <ah@cybertec.at> wrote: > > > > I thought about the whole concept a bit more and I doubt if the PUBLICATION > > privilege is the best approach. In particular, the user specified in CREATE > > SUBSCRIPTION ... CONNECTION ... (say "subscription user") needs to have SELECT > > privilege on the tables replicated. So if the DBA excludes some columns from > > the publication's column list and sets the (publication) privileges in such a > > way that the user cannot get the column values via other publications, the > > user still can connect to the database directly and get values of the excluded > > columns. > > > > As an alternative to the publication privileges, I think that the CREATE > > SUBSCRIPTION command could grant ACL_SELECT automatically to the subscription > > user on the individual columns contained in the publication column list, and > > DROP SUBSCRIPTION would revoke that privilege. > > > > Of course a question is what to do if the replication user already has that > > privilege on some columns: either the CREATE SUBSCRIPTION command should raise > > ERROR, or we should introduce a new privilege (e.g. ACL_SELECT_PUB) for this > > purpose, which would effectivelly be ACL_SELECT, but hidden from the users of > > GRANT / REVOKE. > > > > If this approach was taken, the USAGE privilege on schema would need to be > > granted / revoked in a similar way. > > When you talk about a user needing to have privileges, it sounds like you > mean privileges on the publishing database. But then you talk about CREATE > SUBSCRIPTION granting privileges, which would necessarily be on the > subscriber database. Can you clarify what you have in mind? Right, the privileges need to be added on the publishing side, but the user that needs those privileges is specified on the subscription side. I didn't think much in detail how it would work. The "subscription user" certainly cannot connect to the publisher database and add grant the privileges to itself. Perhaps some of the workers on the publisher side could do it on startup. -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Peter Eisentraut <peter.eisentraut@enterprisedb.com> — 2022-11-11T14:08:16Z
On 04.11.22 08:28, Antonin Houska wrote: > I thought about the whole concept a bit more and I doubt if the PUBLICATION > privilege is the best approach. In particular, the user specified in CREATE > SUBSCRIPTION ... CONNECTION ... (say "subscription user") needs to have SELECT > privilege on the tables replicated. So if the DBA excludes some columns from > the publication's column list and sets the (publication) privileges in such a > way that the user cannot get the column values via other publications, the > user still can connect to the database directly and get values of the excluded > columns. Why are the SELECT privileges needed? Maybe that's something to think about and maybe change. > As an alternative to the publication privileges, I think that the CREATE > SUBSCRIPTION command could grant ACL_SELECT automatically to the subscription > user on the individual columns contained in the publication column list, and > DROP SUBSCRIPTION would revoke that privilege. I think that approach is weird and unusual. Privileges and object creation should be separate operations.
-
Re: Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2022-11-14T11:07:48Z
Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > On 04.11.22 08:28, Antonin Houska wrote: > > I thought about the whole concept a bit more and I doubt if the PUBLICATION > > privilege is the best approach. In particular, the user specified in CREATE > > SUBSCRIPTION ... CONNECTION ... (say "subscription user") needs to have SELECT > > privilege on the tables replicated. So if the DBA excludes some columns from > > the publication's column list and sets the (publication) privileges in such a > > way that the user cannot get the column values via other publications, the > > user still can connect to the database directly and get values of the excluded > > columns. > > Why are the SELECT privileges needed? Maybe that's something to think about > and maybe change. I haven't noticed an explanation in comments nor did I search in the mailing list archives, but the question makes sense: the REPLICATION attribute of a role is sufficient for streaming replication, so why should the logical replication require additional privileges? Technically the SELECT privilege is needed because the sync worker does actually execute SELECT query on the published tables. However, I realize now that it's not checked by the output plugin. Thus if SELECT is revoked from the "subscription user" after the table has been synchronized, the replication continues to work. So the necessity for the SELECT privilege might be an omission rather than a design choice. (Even the documentation says that the SELECT privilege is needed only for the initial synchronization [1], however it does not tell why.) > > As an alternative to the publication privileges, I think that the CREATE > > SUBSCRIPTION command could grant ACL_SELECT automatically to the subscription > > user on the individual columns contained in the publication column list, and > > DROP SUBSCRIPTION would revoke that privilege. > > I think that approach is weird and unusual. Privileges and object creation > should be separate operations. ok. Another approach would be to skip the check for the SELECT privilege (as well as the check for the USAGE privilege on the corresponding schema) if given column is being accessed via a publication which has it on its column list and if the subscription user has the USAGE privilege on that publication. So far I wasn't sure if we can do that because, if pg_upgrade grants the USAGE privilege on all publications to the "public" role, the DBAs who relied on the SELECT privileges might not notice that any role having the REPLICATION attribute can access all the published tables after the upgrade. (pg_upgrade can hardly do anything else because it has no information on the "subscription users", so it cannot convert the SELECT privilege on tables to the USAGE privileges on publications.) But now that I see that the logical replication doesn't check the SELECT privilege properly anyway, I think we can get rid of it. [1] https://www.postgresql.org/docs/current/logical-replication-security.html -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2022-11-29T14:35:12Z
Antonin Houska <ah@cybertec.at> wrote: > Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > > > On 04.11.22 08:28, Antonin Houska wrote: > > > I thought about the whole concept a bit more and I doubt if the PUBLICATION > > > privilege is the best approach. In particular, the user specified in CREATE > > > SUBSCRIPTION ... CONNECTION ... (say "subscription user") needs to have SELECT > > > privilege on the tables replicated. So if the DBA excludes some columns from > > > the publication's column list and sets the (publication) privileges in such a > > > way that the user cannot get the column values via other publications, the > > > user still can connect to the database directly and get values of the excluded > > > columns. > > > > Why are the SELECT privileges needed? Maybe that's something to think about > > and maybe change. > > I haven't noticed an explanation in comments nor did I search in the mailing > list archives, but the question makes sense: the REPLICATION attribute of a > role is sufficient for streaming replication, so why should the logical > replication require additional privileges? > > Technically the SELECT privilege is needed because the sync worker does > actually execute SELECT query on the published tables. However, I realize now > that it's not checked by the output plugin. Thus if SELECT is revoked from the > "subscription user" after the table has been synchronized, the replication > continues to work. So the necessity for the SELECT privilege might be an > omission rather than a design choice. (Even the documentation says that the > SELECT privilege is needed only for the initial synchronization [1], however > it does not tell why.) > > > > As an alternative to the publication privileges, I think that the CREATE > > > SUBSCRIPTION command could grant ACL_SELECT automatically to the subscription > > > user on the individual columns contained in the publication column list, and > > > DROP SUBSCRIPTION would revoke that privilege. > > > > I think that approach is weird and unusual. Privileges and object creation > > should be separate operations. > > ok. Another approach would be to skip the check for the SELECT privilege (as > well as the check for the USAGE privilege on the corresponding schema) if > given column is being accessed via a publication which has it on its column > list and if the subscription user has the USAGE privilege on that publication. > > So far I wasn't sure if we can do that because, if pg_upgrade grants the USAGE > privilege on all publications to the "public" role, the DBAs who relied on the > SELECT privileges might not notice that any role having the REPLICATION > attribute can access all the published tables after the upgrade. (pg_upgrade > can hardly do anything else because it has no information on the "subscription > users", so it cannot convert the SELECT privilege on tables to the USAGE > privileges on publications.) > > But now that I see that the logical replication doesn't check the SELECT > privilege properly anyway, I think we can get rid of it. The attached version tries to do that - as you can see in 0001, the SELECT privilege is not required for the walsender process. I also added PUBLICATION_NAMES option to the COPY TO command so that the publisher knows which publications are subject to the ACL check. Only data of those publications are returned to the subscriber. (In the previous patch version the ACL checks were performed on the subscriber side, but I that's not ideal in terms of security.) I also added the regression tests for publications, enhanced psql (the \dRp+ command) so that it displays the publication ACL and added a few missing pieces of documentation. -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2022-12-16T16:37:07Z
Antonin Houska <ah@cybertec.at> wrote: > Antonin Houska <ah@cybertec.at> wrote: > > > Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > > > > > On 04.11.22 08:28, Antonin Houska wrote: > > > > I thought about the whole concept a bit more and I doubt if the PUBLICATION > > > > privilege is the best approach. In particular, the user specified in CREATE > > > > SUBSCRIPTION ... CONNECTION ... (say "subscription user") needs to have SELECT > > > > privilege on the tables replicated. So if the DBA excludes some columns from > > > > the publication's column list and sets the (publication) privileges in such a > > > > way that the user cannot get the column values via other publications, the > > > > user still can connect to the database directly and get values of the excluded > > > > columns. > > > > > > Why are the SELECT privileges needed? Maybe that's something to think about > > > and maybe change. > > > > I haven't noticed an explanation in comments nor did I search in the mailing > > list archives, but the question makes sense: the REPLICATION attribute of a > > role is sufficient for streaming replication, so why should the logical > > replication require additional privileges? > > > > Technically the SELECT privilege is needed because the sync worker does > > actually execute SELECT query on the published tables. However, I realize now > > that it's not checked by the output plugin. Thus if SELECT is revoked from the > > "subscription user" after the table has been synchronized, the replication > > continues to work. So the necessity for the SELECT privilege might be an > > omission rather than a design choice. (Even the documentation says that the > > SELECT privilege is needed only for the initial synchronization [1], however > > it does not tell why.) > > > > > > As an alternative to the publication privileges, I think that the CREATE > > > > SUBSCRIPTION command could grant ACL_SELECT automatically to the subscription > > > > user on the individual columns contained in the publication column list, and > > > > DROP SUBSCRIPTION would revoke that privilege. > > > > > > I think that approach is weird and unusual. Privileges and object creation > > > should be separate operations. > > > > ok. Another approach would be to skip the check for the SELECT privilege (as > > well as the check for the USAGE privilege on the corresponding schema) if > > given column is being accessed via a publication which has it on its column > > list and if the subscription user has the USAGE privilege on that publication. > > > > So far I wasn't sure if we can do that because, if pg_upgrade grants the USAGE > > privilege on all publications to the "public" role, the DBAs who relied on the > > SELECT privileges might not notice that any role having the REPLICATION > > attribute can access all the published tables after the upgrade. (pg_upgrade > > can hardly do anything else because it has no information on the "subscription > > users", so it cannot convert the SELECT privilege on tables to the USAGE > > privileges on publications.) > > > > But now that I see that the logical replication doesn't check the SELECT > > privilege properly anyway, I think we can get rid of it. > > The attached version tries to do that - as you can see in 0001, the SELECT > privilege is not required for the walsender process. > > I also added PUBLICATION_NAMES option to the COPY TO command so that the > publisher knows which publications are subject to the ACL check. Only data of > those publications are returned to the subscriber. (In the previous patch > version the ACL checks were performed on the subscriber side, but I that's not > ideal in terms of security.) > > I also added the regression tests for publications, enhanced psql (the \dRp+ > command) so that it displays the publication ACL and added a few missing > pieces of documentation. > This is v4. The patch had to be rebased due to the commit 369f09e420. -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Peter Eisentraut <peter.eisentraut@enterprisedb.com> — 2023-01-09T09:23:32Z
On 16.12.22 17:37, Antonin Houska wrote: > This is v4. The patch had to be rebased due to the commit 369f09e420. I think what this patch set needs first of all is a comprehensive description of what it is trying to do, exactly what commands and behaviors it adds, what are some of the subtleties and corner cases, what are open issues and questions. Some of that can be pieced together from this thread, but it should really be put in one place somewhere, ideally in the commit message and/or the documentation. (The main 0002 patch does not have any documentation.) It looks like you have a lot of bases covered, but without a full description, it's difficult to tell. Some points on the details: * You can combine all five patches into one. I don't think they are meant to be applied separately. The 0001 looks like it was maybe meant to be used separately, but it's not clear. Again, the overall description would help. * There is a lot of code that is contingent on am_db_walsender. We should avoid that. In most cases, it doesn't seem necessary. Or at least document the reasons. * The term "aware" (of a publication ACL, of a relation) is used a bunch of times. That's not a technical term, and the meaning of those phrases is not clear. Make sure the documentation/comments are precise. * I don't think using SPI is warranted here. You can get the required information directly from the underlying functions. * The places the privileges are ultimately checked is too unprincipled. The 0001 patch overrides a very low-level function, but the 0002 on the other hand checks the privileges by digging through the query structures by hand instead of letting the executor do it. We need to find ways to handle that that is more consistent with what the code is currently doing instead of adding more layers to it above and below. * The misc_sanity.out test output means you need to add a TOAST table to pg_publication.
-
Re: Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2023-02-01T12:02:07Z
Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > On 16.12.22 17:37, Antonin Houska wrote: > > This is v4. The patch had to be rebased due to the commit 369f09e420. > > I think what this patch set needs first of all is a comprehensive description > of what it is trying to do, exactly what commands and behaviors it adds, what > are some of the subtleties and corner cases, what are open issues and > questions. Some of that can be pieced together from this thread, but it > should really be put in one place somewhere, ideally in the commit message > and/or the documentation. (The main 0002 patch does not have any > documentation.) It looks like you have a lot of bases covered, but without a > full description, it's difficult to tell. > > Some points on the details: > > * You can combine all five patches into one. I don't think they are meant to > be applied separately. The 0001 looks like it was maybe meant to be used > separately, but it's not clear. Again, the overall description would help. > > * There is a lot of code that is contingent on am_db_walsender. We should > avoid that. In most cases, it doesn't seem necessary. Or at least document > the reasons. > > * The term "aware" (of a publication ACL, of a relation) is used a bunch of > times. That's not a technical term, and the meaning of those phrases is not > clear. Make sure the documentation/comments are precise. > > * I don't think using SPI is warranted here. You can get the required > information directly from the underlying functions. > > * The places the privileges are ultimately checked is too unprincipled. The > 0001 patch overrides a very low-level function, but the 0002 on the other > hand checks the privileges by digging through the query structures by hand > instead of letting the executor do it. We need to find ways to handle that > that is more consistent with what the code is currently doing instead of > adding more layers to it above and below. > > * The misc_sanity.out test output means you need to add a TOAST table to > pg_publication. > Thanks for your review. Attached is a new version that tries to address your findings. I reworked the patch a bit, especially the handling of the PUBLICATION_NAMES of the COPY TO command, so that compatibility with older subscribers is not broken. The compatibility is actually the hardest part. 0001 only move some code into functions. I think it's better to do this kind of thing separate so that the actual changes are easier to read. The TODO comment in 0002 is related to [1]. [1] https://www.postgresql.org/message-id/3472.1675251957%40antos -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Gregory Stark (as CFM) <stark.cfm@gmail.com> — 2023-03-14T18:30:09Z
FYI this looks like it needs a rebase due to a conflict in copy.c and an offset in pgoutput.c. Is there anything specific that still needs review or do you think you've handled all Peter's concerns? In particular, is there "a comprehensive description of what it is trying to do"? :)
-
Re: Privileges on PUBLICATION
Antonin Houska <ah@cybertec.at> — 2023-03-15T07:42:10Z
Gregory Stark (as CFM) <stark.cfm@gmail.com> wrote: > FYI this looks like it needs a rebase due to a conflict in copy.c and > an offset in pgoutput.c. > > Is there anything specific that still needs review or do you think > you've handled all Peter's concerns? In particular, is there "a > comprehensive description of what it is trying to do"? :) I tried to improve the documentation and commit messages in v05. v06 (just rebased) is attached. -- Antonin Houska Web: https://www.cybertec-postgresql.com
-
Re: Privileges on PUBLICATION
Peter Eisentraut <peter.eisentraut@enterprisedb.com> — 2023-03-20T06:17:51Z
On 14.03.23 19:30, Gregory Stark (as CFM) wrote: > FYI this looks like it needs a rebase due to a conflict in copy.c and > an offset in pgoutput.c. > > Is there anything specific that still needs review or do you think > you've handled all Peter's concerns? In particular, is there "a > comprehensive description of what it is trying to do"? :) The latest versions of the patch have pretty much addressed my initial comments. The patch is structured and explained better now. Most extraneous or incomplete changes have been addressed. The problem now is that it's still a quite complicated patch that introduces a security feature. It still touches a number of subsystems on different levels of abstraction. This functionality is not of the kind, "if you don't use it it won't affect you", since it effectively pokes holes into the existing privileges checking in order to allow publication privileges checking to override it in some cases. It will take significant effort to do a complete analysis and testing on whether it is secure and robust. I don't think I will have time for that, and I don't think anyone will want to commit something like this at the last moment. We have already taken a number of things from earlier patches and committed them separately as refactorings. I don't see anything in the current patch anymore that we might want to take independently like that. So in summary I think it would be best to keep this patch around for PG17.