Re: On login trigger: take three

Konstantin Knizhnik <k.knizhnik@postgrespro.ru>

From: Konstantin Knizhnik <k.knizhnik@postgrespro.ru>
To: Pavel Stehule <pavel.stehule@gmail.com>
Cc: Greg Nancarrow <gregn4422@gmail.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2020-12-15T13:12:40Z
Lists: pgsql-hackers

On 11.12.2020 19:27, Pavel Stehule wrote:
>
>
> pá 11. 12. 2020 v 17:05 odesílatel Konstantin Knizhnik 
> <k.knizhnik@postgrespro.ru <mailto:k.knizhnik@postgrespro.ru>> napsal:
>
>
>
>     On 11.12.2020 18:40, Pavel Stehule wrote:
>>
>>         is not correct. It makes it not possible to superuser to
>>         disable triggers for all users.
>>
>>
>>     pg_database_ownercheck returns true for superuser always.
>
>     Sorry, but I consider different case: when normal user is
>     connected to the database.
>     In this case pg_database_ownercheck returns false and trigger is
>     not disabled, isn't it?
>
>
> My idea was to reduce necessary rights to database owners.  But you 
> have a true, so only superuser can create event trigger, so this 
> feature cannot be used in DBaaS environments, and then my original 
> idea was wrong.
>
>
>>
>>         Also GUCs are not associated with any database. So I do not
>>         understand why  this check of database ownership is relevant
>>         at all?
>>
>>         What kind of protection violation we want to prevent?
>>
>>         It seems to be obvious that normal user should not be able to
>>         prevent trigger execution because this triggers may be used
>>         to enforce some security policies.
>>         If trigger was created by user itself, then it can drop or
>>         disable it using ALTER statement. GUC is not needed for it.
>>
>>
>>     when you cannot connect to the database, then you cannot do
>>     ALTER. In DBaaS environments lot of users has not superuser rights.
>
>
>     But only superusers can set login triggers, right?
>     So only superuser can make a mistake in this trigger. But he have
>     enough rights to recover this error. Normal users are not able to
>     define on connection triggers and
>     should not have rights to disable them.
>
>
> yes, it is true
>
> Pavel
>
>
>     -- 
>     Konstantin Knizhnik
>     Postgres Professional:http://www.postgrespro.com
>     The Russian Postgres Company
>

So what's next?
I see three options:

1. Do not introduce GUC for disabling all event triggers (especially 
taken in account that them are  disabled by default).
Return back to the patch 
on_connect_event_trigger_WITH_SUGGESTED_UPDATES.patch with 
"disable_client_connection_trigger"
and make it true by default (to eliminate any overhead for users which 
are not using on logintriggers).

2. Have two GUCS: "disable_client_connection_trigger" and 
"disable_event_triggers".

3. Implement some mechanism for caching presence of event triggers in 
shared memory.


-- 
Konstantin Knizhnik
Postgres Professional: http://www.postgrespro.com
The Russian Postgres Company

Commits

  1. Fix some typos in event trigger docs

  2. Use heap_inplace_update() to unset pg_database.dathasloginevt

  3. Remove the flaky check in event_trigger_login regression test

  4. Fix instable 006_login_trigger.pl test

  5. Add support event triggers on authenticated login

  6. Add GUC for temporarily disabling event triggers

  7. Fix typo in reference to __FreeBSD__.

  8. Restore robustness of TAP tests that wait for postmaster restart.

  9. Restore the portal-level snapshot after procedure COMMIT/ROLLBACK.