Re: running logical replication as the subscription owner
Masahiko Sawada <sawada.mshk@gmail.com>
From: Masahiko Sawada <sawada.mshk@gmail.com>
To: Amit Kapila <amit.kapila16@gmail.com>
Cc: Ajin Cherian <itsajin@gmail.com>, Robert Haas <robertmhaas@gmail.com>, Noah Misch <noah@leadboat.com>, Jeff Davis <pgsql@j-davis.com>, Jelte Fennema <postgres@jeltef.nl>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>,
Andres Freund <andres@anarazel.de>
Date: 2023-05-25T07:02:50Z
Lists: pgsql-hackers
On Tue, May 23, 2023 at 8:21 PM Amit Kapila <amit.kapila16@gmail.com> wrote: > > On Mon, May 22, 2023 at 6:06 PM Masahiko Sawada <sawada.mshk@gmail.com> wrote: > > > > Thank you for updating the patch! Here are review comments: > > > > + /* > > + * Make sure that the copy command runs as the table owner, unless > > + * the user has opted out of that behaviour. > > + */ > > + run_as_owner = MySubscription->runasowner; > > + if (!run_as_owner) > > + SwitchToUntrustedUser(rel->rd_rel->relowner, &ucxt); > > + > > /* Now do the initial data copy */ > > PushActiveSnapshot(GetTransactionSnapshot()); > > > > I think we should switch users before the acl check in > > LogicalRepSyncTableStart(). > > > > Agreed, we should check acl with the user that is going to perform > operations on the target table. BTW, is it okay to perform an > operation on the system table with the changed user as that would be > possible with your suggestion (see replorigin_create())? Do you see any problem in particular? As per the documentation, pg_replication_origin_create() is only allowed to the superuser by default, but in CreateSubscription() a non-superuser (who has pg_create_subscription privilege) can call replorigin_create(). OTOH, we don't necessarily need to switch to the table owner user for checking ACL and RLS. We can just pass either table owner OID or subscription owner OID to pg_class_aclcheck() and check_enable_rls() without actually switching the user. > > > > > While this approach works, I'm not sure we really need a trigger for > > this test. I've attached a patch for discussion that doesn't use > > triggers for the regression tests. We create a new subscription owned > > by a user who doesn't have the permission to the target table. The > > test passes only if run_as_owner = true works. > > > > Why in the test do you need to give additional permissions to > regress_admin2 when the actual operation has to be performed by the > table owner? Good point. We need to give the ability to SET ROLE to regress_admin2 but other permissions are unnecessary. > > +# Because the initial data sync is working as the table owner, all > +# dat should be copied. > > Typo. /dat/data Will fix. Regards, -- Masahiko Sawada Amazon Web Services: https://aws.amazon.com
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Honor run_as_owner option in tablesync worker.
- a83edeaf684a 16.0 landed
-
Document new pg_subscription columns.
- bc25d6c54a00 16.0 landed
-
Add a run_as_owner option to subscriptions.
- 482675987bcd 16.0 landed
-
Perform logical replication actions as the table owner.
- 1e10d49b65d6 16.0 landed
-
Add new predefined role pg_create_subscription.
- c3afe8cf5a1e 16.0 cited
-
Respect permissions within logical replication.
- a2ab9c06ea15 15.0 cited
-
Empty search_path in logical replication apply worker and walsender.
- 11da97024abb 14.0 cited
-
Empty search_path in Autovacuum and non-psql/pgbench clients.
- 582edc369cdb 11.0 cited