Re: Special role for subscriptions

From: Andrey Borodin <x4mmm(at)yandex-team(dot)ru>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Evgeniy Efimkin <efimkin(at)yandex-team(dot)ru>, Michael Paquier <michael(at)paquier(dot)xyz>, Jeff Davis <pgsql(at)j-davis(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Дмитрий Сарафанников <dsarafan(at)yandex-team(dot)ru>, Владимир Бородин <root(at)simply(dot)name>
Subject: Re: Special role for subscriptions
Date: 2019-03-20 15:58:04
Message-ID: 123DA4FA-1359-47DA-AB7C-FBFA5D541259@yandex-team.ru
Lists: pgsql-hackers

> On 20 March 2019, at 21:46, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>
> On Wed, Mar 20, 2019 at 5:39 AM Evgeniy Efimkin <efimkin(at)yandex-team(dot)ru> wrote:
>> Hi!
>>> Currently, a user with pg_subscription_users can create a subscription into any system table, can't they?
>>> We certainly need to change it to a more secure way.
>> No, you can't add system tables to a publication. In the new patch I add privilege checks on the target table: a non-superuser can't create/refresh a subscription if he doesn't have INSERT, UPDATE, DELETE and TRUNCATE privileges.
>
> ....
>
> I think we should view this permission as "you can create
> subscriptions, plain and simple".

That sounds good.
From my POV, the purpose of the patch is to allow users to transfer their database via logical replication without superuser privileges (e.g. to a managed cloud with vanilla Postgres).

But the role effectively allows inserts to any table; this can be escalated to superuser. What is the best way to deal with it?

Best regards, Andrey Borodin.
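
An added example, not part of the original message or of the patch under discussion: an audit query listing the user tables on which a given role holds all four privileges named in the quoted check (INSERT, UPDATE, DELETE, TRUNCATE). The role name `migration_user` is a constructed placeholder.

```sql
-- Added example: which tables would a role satisfy the described
-- INSERT/UPDATE/DELETE/TRUNCATE check on?
-- 'migration_user' is a constructed placeholder; the role must exist.
WITH candidate AS (
    SELECT 'migration_user'::name AS rolname
),
privs AS (
    SELECT n.nspname AS schema_name,
           c.relname AS table_name,
           -- One call per privilege: a comma-separated list such as
           -- 'INSERT, UPDATE' returns true if ANY listed privilege is
           -- held, which would overstate what the role can do.
           has_table_privilege(r.rolname, c.oid, 'INSERT')   AS can_insert,
           has_table_privilege(r.rolname, c.oid, 'UPDATE')   AS can_update,
           has_table_privilege(r.rolname, c.oid, 'DELETE')   AS can_delete,
           has_table_privilege(r.rolname, c.oid, 'TRUNCATE') AS can_truncate
    FROM pg_class c
    JOIN pg_namespace n ON n.oid = c.relnamespace
    CROSS JOIN candidate r
    WHERE c.relkind IN ('r', 'p')            -- ordinary and partitioned tables
      AND n.nspname NOT IN ('pg_catalog', 'information_schema')
      AND n.nspname NOT LIKE 'pg_toast%'
)
SELECT schema_name,
       table_name,
       can_insert,
       can_update,
       can_delete,
       can_truncate,
       (can_insert AND can_update AND can_delete AND can_truncate)
           AS has_all_four
FROM privs
ORDER BY has_all_four DESC, schema_name, table_name;
```

Rows with `has_all_four` false are tables where a check of this kind would refuse the role; has_table_privilege also counts privileges obtained through role membership, so the result reflects effective rather than directly granted rights.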
