Re: postgres_fdw, dblink, and CREATE SUBSCRIPTION security
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Jacob Champion <jchampion@timescale.com>
Cc: Andres Freund <andres@anarazel.de>,
Mark Dilger <mark.dilger@enterprisedb.com>, Jeff Davis <pgsql@j-davis.com>, Amit Kapila <amit.kapila16@gmail.com>, Andrew Dunstan <andrew@dunslane.net>,
PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2023-01-27T21:08:38Z
Lists: pgsql-hackers
On Wed, Jan 25, 2023 at 6:22 PM Jacob Champion <jchampion@timescale.com> wrote: > Sure: Ambient authority [1] means that something is granted access based > on some aspect of its existence that it can't remove (or even > necessarily enumerate). Up above, when you said "I cannot choose not to > be myself," that's a clear marker that ambient authority is involved. > Examples of ambient authn/z factors might include an originating IP > address, the user ID of a connected peer process, the use of a loopback > interface, a GPS location, and so on. So 'peer' and 'ident' are ambient > authentication methods. OK. > 1) Forwarding the original ambient context along with the request, so > the server can check it too. Right, so a protocol extension. Reasonable idea, but a big lift. Not only do you need everyone to be running a new enough version of PostgreSQL, but existing proxies like pgpool and pgbouncer need updates, too. > 2) Explicitly combining the request with the proof of authority needed > to make it, as in capability-based security [3]. As far as I can see, that link doesn't address how you'd make this approach work across a network. > 3) Dropping as many implicitly-held privileges as possible before making > a request. This doesn't solve the problem but may considerably reduce > the practical attack surface. Right. I definitely don't object to this kind of approach, but I don't think it can ever be sufficient by itself. > > e.g. > > > > all all all local all all - deny # block access through UNIX sockets > > all all all 127.0.0.0/8 all all - deny # block loopback interface via IPv4 > > > > Or: > > > > postgres_fdw all all all all all authentication=cleartext,md5,sasl > > allow # allow postgres_fdw with password-ish authentication > > I think this style focuses on absolute configuration flexibility at the > expense of usability. It obfuscates the common use cases. (I have the > exact same complaint about our HBA and ident configs, so I may be > fighting uphill.) That's probably somewhat true, but on the other hand, it also is more powerful than what you're describing. In your system, is there some way the DBA can say "hey, you can connect to any of the machines on this list of subnets, but nothing else"? Or equally, "hey, you may NOT connect to any machine on this list of subnets, but anything else is fine"? Or "you can connect to these subnets without SSL, but if you want to talk to anything else, you need to use SSL"? I would feel a bit bad saying that those are just use cases we don't care about. Most people likely wouldn't use that kind of flexibility, so maybe it doesn't really matter, but it seems kind of nice to have. Your idea seems to rely on us being able to identify all of the policies that a user is likely to want and give names to each one, and I don't feel very confident that that's realistic. But maybe I'm misinterpreting your idea? -- Robert Haas EDB: http://www.enterprisedb.com
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Fix possible crash in tablesync worker.
- b5c517379a40 16.0 landed
-
Display 'password_required' option for \dRs+ command.
- 19e65dff38bd 16.0 landed
-
Restart the apply worker if the 'password_required' option is changed.
- c1cc4e688b60 16.0 landed
-
Fix possible logical replication crash.
- e7e7da2f8d57 16.0 landed
-
Add new predefined role pg_create_subscription.
- c3afe8cf5a1e 16.0 landed
-
Expand AclMode to 64 bits
- 7b378237aa80 16.0 cited
-
More cleanup of a2ab9c06ea.
- 96a6f11c0625 15.0 landed
-
Respect permissions within logical replication.
- a2ab9c06ea15 15.0 landed
-
Improve table locking behavior in the face of current DDL.
- 2ad36c4e44c8 9.2.0 cited