Re: running logical replication as the subscription owner
Jelte Fennema <postgres@jeltef.nl>
From: Jelte Fennema <postgres@jeltef.nl>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Mark Dilger <mark.dilger@enterprisedb.com>,
Jeff Davis <pgsql@j-davis.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>,
Andres Freund <andres@anarazel.de>, Noah Misch <noah@leadboat.com>
Date: 2023-03-28T18:53:36Z
Lists: pgsql-hackers
On Tue, 28 Mar 2023 at 18:13, Robert Haas <robertmhaas@gmail.com> wrote: > > On Mon, Mar 27, 2023 at 6:08 PM Jelte Fennema <postgres@jeltef.nl> wrote: > > For high privileged subscription owners, > > we downgrade to the permissions of the table owner, but for low > > privileged ones we care about permissions of the subscription owner > > itself. > > Hmm. This is an interesting idea. A variant on this theme could be: > what if we made this an explicit configuration option? Sounds perfect to me. Let's do that. As long as the old no-superuser tests continue to pass when disabling the new switch-to-table-owner behaviour, that sounds totally fine to me. I think it's probably easiest if you use the tests from my v2 patch when you add that option, since that was by far the thing I spent most time on to get right in the v2 patch. On Tue, 28 Mar 2023 at 18:13, Robert Haas <robertmhaas@gmail.com> wrote: > > On Mon, Mar 27, 2023 at 6:08 PM Jelte Fennema <postgres@jeltef.nl> wrote: > > Attached is an updated version of your patch with what I had in mind > > (admittedly it needed one more line than "just" the return to make it > > work). But as you can see all previous tests for a lowly privileged > > subscription owner that **cannot** SET ROLE to the table owner > > continue to work as they did before. While still downgrading to the > > table owners role when the subscription owner **can** SET ROLE to the > > table owner. > > > > Obviously this needs some comments explaining what's going on and > > probably some code refactoring and/or variable renaming, but I hope > > it's clear what I meant now: For high privileged subscription owners, > > we downgrade to the permissions of the table owner, but for low > > privileged ones we care about permissions of the subscription owner > > itself. > > Hmm. This is an interesting idea. A variant on this theme could be: > what if we made this an explicit configuration option? > > I'm worried that if we just try to switch users and silently fall back > to not doing so when we don't have enough permissions, the resulting > behavior is going to be difficult to understand and troubleshoot. I'm > thinking that maybe if you let people pick the behavior they want that > becomes more comprehensible. It's also a nice insurance policy: say > for the sake of argument we make switch-to-table-owner the new > default. If that new behavior causes something to happen to somebody > that they don't like, they can always turn it off, even if they are a > highly privileged user who doesn't "need" to turn it off. > > -- > Robert Haas > EDB: http://www.enterprisedb.com
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Honor run_as_owner option in tablesync worker.
- a83edeaf684a 16.0 landed
-
Document new pg_subscription columns.
- bc25d6c54a00 16.0 landed
-
Add a run_as_owner option to subscriptions.
- 482675987bcd 16.0 landed
-
Perform logical replication actions as the table owner.
- 1e10d49b65d6 16.0 landed
-
Add new predefined role pg_create_subscription.
- c3afe8cf5a1e 16.0 cited
-
Respect permissions within logical replication.
- a2ab9c06ea15 15.0 cited
-
Empty search_path in logical replication apply worker and walsender.
- 11da97024abb 14.0 cited
-
Empty search_path in Autovacuum and non-psql/pgbench clients.
- 582edc369cdb 11.0 cited