Re: Non-superuser subscription owners
Mark Dilger <mark.dilger@enterprisedb.com>
From: Mark Dilger <mark.dilger@enterprisedb.com>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Andres Freund <andres@anarazel.de>,
Jeff Davis <pgsql@j-davis.com>,
Amit Kapila <amit.kapila16@gmail.com>,
Andrew Dunstan <andrew@dunslane.net>,
PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2023-02-01T17:22:31Z
Lists: pgsql-hackers
> On Feb 1, 2023, at 6:43 AM, Robert Haas <robertmhaas@gmail.com> wrote: > The thing I'm > struggling to understand is: if you only want to replicate into tables > that Alice can write, why not just make Alice own the subscription? > For a run-as user to make sense, you need a scenario where we want the > replication to target only tables that Alice can touch, but we also > don't want Alice herself to be able to touch the subscription, so you > make Alice the run-as user and yourself the owner, or something like > that. But I'm not sure what that scenario is exactly. This "run-as" idea came about because we didn't want arbitrary roles to be able to change the subscription's connection string. A competing idea was to have a server object rather than a string, with roles like Alice being able to use the server object if they have been granted usage privilege, and not otherwise. So the "run-as" and "server" ideas were somewhat competing. > Mark was postulating a scenario where the publisher and subscriber > don't trust each other. I was thinking a little bit more about that. I > still maintain that the current system is poorly set up to make that > work, but suppose we wanted to do better. We could add filtering on > the subscriber side, like you list schemas or specific relations that > you are or are not willing to replicate into. Then you could, for > example, connect your subscription to a certain remote publication, > but with the restriction that you're only willing to replicate into > the "headquarters" schema. Then we'll replicate whatever tables they > send us, but if the dorks at headquarters mess up the publications on > their end (intentionally or otherwise) and add some tables from the > "locally_controlled_stuff" schema, we'll refuse to replicate that into > our eponymous schema. That example is good, though I don't see how "filters" are better than roles+privileges. Care to elaborate? — Mark Dilger EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Fix possible crash in tablesync worker.
- b5c517379a40 16.0 landed
-
Display 'password_required' option for \dRs+ command.
- 19e65dff38bd 16.0 landed
-
Restart the apply worker if the 'password_required' option is changed.
- c1cc4e688b60 16.0 landed
-
Fix possible logical replication crash.
- e7e7da2f8d57 16.0 landed
-
Add new predefined role pg_create_subscription.
- c3afe8cf5a1e 16.0 landed
-
Expand AclMode to 64 bits
- 7b378237aa80 16.0 cited
-
More cleanup of a2ab9c06ea.
- 96a6f11c0625 15.0 landed
-
Respect permissions within logical replication.
- a2ab9c06ea15 15.0 landed
-
Improve table locking behavior in the face of current DDL.
- 2ad36c4e44c8 9.2.0 cited