Re: Non-superuser subscription owners
Andrew Dunstan <andrew@dunslane.net>
From: Andrew Dunstan <andrew@dunslane.net>
To: Mark Dilger <mark.dilger@enterprisedb.com>,
PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2021-11-01T14:18:24Z
Lists: pgsql-hackers
On 10/20/21 14:40, Mark Dilger wrote: > These patches have been split off the now deprecated monolithic "Delegating superuser tasks to new security roles" thread at [1]. > > The purpose of these patches is to allow non-superuser subscription owners without risk of them overwriting tables they lack privilege to write directly. This both allows subscriptions to be managed by non-superusers, and protects servers with subscriptions from malicious activity on the publisher side. > > [1] https://www.postgresql.org/message-id/flat/F9408A5A-B20B-42D2-9E7F-49CD3D1547BC%40enterprisedb.com These patches look good on their face. The code changes are very straightforward. w.r.t. this: + On the subscriber, the subscription owner's privileges are re-checked for + each change record when applied, but beware that a change of ownership for a + subscription may not be noticed immediately by the replication workers. + Changes made on the publisher may be applied on the subscriber as + the old owner. In such cases, the old owner's privileges will be the ones + that matter. Worse still, it may be hard to predict when replication + workers will notice the new ownership. Subscriptions created disabled and + only enabled after ownership has been changed will not be subject to this + race condition. maybe we should disable the subscription before making such a change and then re-enable it? cheers andrew -- Andrew Dunstan EDB: https://www.enterprisedb.com
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Fix possible crash in tablesync worker.
- b5c517379a40 16.0 landed
-
Display 'password_required' option for \dRs+ command.
- 19e65dff38bd 16.0 landed
-
Restart the apply worker if the 'password_required' option is changed.
- c1cc4e688b60 16.0 landed
-
Fix possible logical replication crash.
- e7e7da2f8d57 16.0 landed
-
Add new predefined role pg_create_subscription.
- c3afe8cf5a1e 16.0 landed
-
Expand AclMode to 64 bits
- 7b378237aa80 16.0 cited
-
More cleanup of a2ab9c06ea.
- 96a6f11c0625 15.0 landed
-
Respect permissions within logical replication.
- a2ab9c06ea15 15.0 landed
-
Improve table locking behavior in the face of current DDL.
- 2ad36c4e44c8 9.2.0 cited