Re: On login trigger: take three

Pavel Stehule <pavel.stehule@gmail.com>

From: Pavel Stehule <pavel.stehule@gmail.com>
To: Konstantin Knizhnik <k.knizhnik@postgrespro.ru>
Cc: Greg Nancarrow <gregn4422@gmail.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2020-12-11T16:27:27Z
Lists: pgsql-hackers
pá 11. 12. 2020 v 17:05 odesílatel Konstantin Knizhnik <
k.knizhnik@postgrespro.ru> napsal:

>
>
> On 11.12.2020 18:40, Pavel Stehule wrote:
>
>
> is not correct. It makes it not possible to superuser to disable triggers
>> for all users.
>>
>
> pg_database_ownercheck returns true for superuser always.
>
>
> Sorry, but I consider different case: when normal user is connected to the
> database.
> In this case pg_database_ownercheck returns false and trigger is not
> disabled, isn't it?
>

My idea was to reduce necessary rights to database owners.  But you have a
true, so only superuser can create event trigger, so this feature cannot be
used in DBaaS environments, and then my original idea was wrong.


>
> Also GUCs are not associated with any database. So I do not understand
>> why  this check of database ownership is relevant at all?
>>
>> What kind of protection violation we want to prevent?
>>
>> It seems to be obvious that normal user should not be able to prevent
>> trigger execution because this triggers may be used to enforce some
>> security policies.
>> If trigger was created by user itself, then it can drop or disable it
>> using ALTER statement. GUC is not needed for it.
>>
>
> when you cannot connect to the database, then you cannot do ALTER. In
> DBaaS environments lot of users has not superuser rights.
>
>
>
> But only superusers can set login triggers, right?
> So only superuser can make a mistake in this trigger. But he have enough
> rights to recover this error. Normal users are not able to define on
> connection triggers and
> should not have rights to disable them.
>

yes, it is true

Pavel


> --
> Konstantin Knizhnik
> Postgres Professional: http://www.postgrespro.com
> The Russian Postgres Company
>
>

Commits

  1. Fix some typos in event trigger docs

  2. Use heap_inplace_update() to unset pg_database.dathasloginevt

  3. Remove the flaky check in event_trigger_login regression test

  4. Fix instable 006_login_trigger.pl test

  5. Add support event triggers on authenticated login

  6. Add GUC for temporarily disabling event triggers

  7. Fix typo in reference to __FreeBSD__.

  8. Restore robustness of TAP tests that wait for postmaster restart.

  9. Restore the portal-level snapshot after procedure COMMIT/ROLLBACK.