| From: | Evgeniy Efimkin <efimkin(at)yandex-team(dot)ru> |
|---|---|
| To: | Andrey Borodin <x4mmm(at)yandex-team(dot)ru> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Jeff Davis <pgsql(at)j-davis(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Дмитрий Сарафанников <dsarafan(at)yandex-team(dot)ru>, Владимир Бородин <root(at)simply(dot)name> |
| Subject: | Re: Special role for subscriptions |
| Date: | 2019-03-20 09:39:47 |
| Message-ID: | 144481553074787@vla1-9d3c37294942.qloud-c.yandex.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi!
> Currently, user with pg_subscription_users can create subscription into any system table, can't they?
> We certainly need to change it to more secure way.
No, you can't add system tables to publication. In new patch i add privileges checks on target table, non superuser can't create/refresh subscription if he don't have INSERT, UPDATE, DELETE and TRUNCATE privileges.
--------
Efimkin Evgeny
| Attachment | Content-Type | Size |
|---|---|---|
| pg_subscription_role_v2.patch | text/x-diff | 13.1 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Imai, Yoshikazu | 2019-03-20 09:40:34 | RE: speeding up planning with partitions |
| Previous Message | Fabien COELHO | 2019-03-20 09:38:36 | Re: Offline enabling/disabling of data checksums |