Re: running logical replication as the subscription owner
Jeff Davis <pgsql@j-davis.com>
From: Jeff Davis <pgsql@j-davis.com>
To: Noah Misch <noah@leadboat.com>, Robert Haas <robertmhaas@gmail.com>
Cc: Jelte Fennema <postgres@jeltef.nl>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>, Andres Freund <andres@anarazel.de>
Date: 2023-04-03T19:05:29Z
Lists: pgsql-hackers
On Sun, 2023-04-02 at 20:21 -0700, Noah Misch wrote: > The most-plausible-to-me attack involves an ENABLE ALWAYS trigger > that logs > CURRENT_USER to an audit table. How does requiring that the subscription owner have SET ROLE privileges on the table owner help that case? As Robert pointed out, users coming from v15 will have superuser subscription owners anyway, so the change will be silent for them. We need support to apply changes as the table owner, and we need that to be the default; and this patch provides those things, and almost all users of logical replication will be better off after this is committed. The small number of users for whom this new model is not good still need the right documentation in front of them to understand the consequences, so that they can opt out one way or another (as 0002 offers). Release notes are probably the most powerful tool we have for notifying users, unfortunately. Requiring SET ROLE for users that are almost certainly superusers doesn't give an opportunity to educate people about the change in behavior. As I said before, I'm fine with requiring that the subscription owner can SET ROLE to the table owner for v16. It's the most conservative choice and the most "correct" (in that no lesser privilege we have today is a perfect match). But I feel like we can do better in version 17 when we have time to actually work through common use cases and the exceptional cases and weight them appropriately. Like, how common is it to want to get the user from a trigger on the subscriber side? Should that trigger be using SESSION_USER instead of CURRENT_USER? Security is best when it takes into account what people actually want to do and makes it easy to do that securely. Regards, Jeff Davis
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Honor run_as_owner option in tablesync worker.
- a83edeaf684a 16.0 landed
-
Document new pg_subscription columns.
- bc25d6c54a00 16.0 landed
-
Add a run_as_owner option to subscriptions.
- 482675987bcd 16.0 landed
-
Perform logical replication actions as the table owner.
- 1e10d49b65d6 16.0 landed
-
Add new predefined role pg_create_subscription.
- c3afe8cf5a1e 16.0 cited
-
Respect permissions within logical replication.
- a2ab9c06ea15 15.0 cited
-
Empty search_path in logical replication apply worker and walsender.
- 11da97024abb 14.0 cited
-
Empty search_path in Autovacuum and non-psql/pgbench clients.
- 582edc369cdb 11.0 cited