Re: Non-superuser subscription owners
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Jacob Champion <jchampion@timescale.com>
Cc: Andres Freund <andres@anarazel.de>,
Mark Dilger <mark.dilger@enterprisedb.com>, Jeff Davis <pgsql@j-davis.com>, Amit Kapila <amit.kapila16@gmail.com>, Andrew Dunstan <andrew@dunslane.net>,
PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2023-01-24T13:50:42Z
Lists: pgsql-hackers
On Mon, Jan 23, 2023 at 7:24 PM Jacob Champion <jchampion@timescale.com> wrote: > > The password requirement just *barely* prevents that attack from > > working, almost, maybe, while at the same time managing to block > > things that people want to do for totally legitimate reasons. But > > IMHO, the real problem is that combining those two things is extremely > > dangerous. > > I don't disagree. I'm worried that the unspoken conclusion being > presented is "it's such an obvious problem that we should just leave it > to the DBAs," which I very much disagree with, but I may be reading too > much into it. To be honest, that was my first instinct here, but I see the problems better now than I did at the beginning of this discussion. > Expanding on my previous comment, you could give the client a way to say > "I am a proxy, and I'm connecting on behalf of this user, and here are > both my credentials and their credentials. So if you were planning to, > say, authorize me as superuser based on my IP address... maybe don't do > that?" > > (You can sort of implement this today, by giving the proxy a client > certificate for transport authn, having it provide the in-band authn for > the user, and requiring both at the server. It's not very flexible.) > > I think this has potential overlap with Magnus' PROXY proposal [1], and > also the case where we want pgbouncer to authenticate itself and then > perform actions on behalf of someone else [2], and maybe SASL's authzid > concept. I don't think one solution will hit all of the desired use > cases, but there are directions that can be investigated. I think this has some potential, but it's pretty complex, seeming to require protocol extensions and having backward-compatibility problems and so on. What do you think about something in the spirit of a reverse-pg_hba.conf? The idea being that PostgreSQL facilities that make outbound connections are supposed to ask it whether those connections are OK to initiate. Then you could have a default configuration that basically says "don't allow loopback connections" or "require passwords all the time" or whatever we like, and the DBA can change that as desired. We could teach dblink, postgres_fdw, and CREATE SUBSCRIPTION to use this new thing, and third-party code could adopt it if it likes. Even if we do that, some kind of proxy protocol support might be very desirable. I'm not against that. But I think that DBAs need better control over what kind of outbound connections they want to permit, too. > For the hypothetical logon trigger, or any case where the server does > something on behalf of a user upon connection, I agree it doesn't help you. I don't think the logon trigger thing is all *that* hypothetical. We don't have it yet, but there have been patches proposed repeatedly for many years. -- Robert Haas EDB: http://www.enterprisedb.com
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Fix possible crash in tablesync worker.
- b5c517379a40 16.0 landed
-
Display 'password_required' option for \dRs+ command.
- 19e65dff38bd 16.0 landed
-
Restart the apply worker if the 'password_required' option is changed.
- c1cc4e688b60 16.0 landed
-
Fix possible logical replication crash.
- e7e7da2f8d57 16.0 landed
-
Add new predefined role pg_create_subscription.
- c3afe8cf5a1e 16.0 landed
-
Expand AclMode to 64 bits
- 7b378237aa80 16.0 cited
-
More cleanup of a2ab9c06ea.
- 96a6f11c0625 15.0 landed
-
Respect permissions within logical replication.
- a2ab9c06ea15 15.0 landed
-
Improve table locking behavior in the face of current DDL.
- 2ad36c4e44c8 9.2.0 cited