Re: Permission select pg_stat_replication

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Payal Singh <payal(at)omniti(dot)com>
Cc: jesse(dot)waters(at)gmail(dot)com, "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org>
Subject: Re: Permission select pg_stat_replication
Date: 2015-04-01 00:34:34
Message-ID: 20150401003434.GM3663@tamriel.snowman.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-admin pgsql-hackers

Payal,

This doesn't actually do what you appear to think it does..

* Payal Singh (payal(at)omniti(dot)com) wrote:
> As an adhoc solution on 9.2, you can do something like this:
>
> 1. Create a function that extracts all from pg_stat_replication:
>
> create or replace function pg_stat_repl() returns setof
> pg_catalog.pg_stat_replication as $$begin return query(select * from
> pg_catalog.pg_stat_replication); end$$ language plpgsql security definer;

This function is now available to be used by all users on the system.
Should you revoke EXECUTE rights on this function from PUBLIC, the view
you build on top of it will no longer work for users who have access to
it.

Functions in view definitions are run with the privileges of the user
selecting against the view, *not* the owner of the view. Privilege
checks for *tables* referenced in views is done as the owner of the
view.

> 2. Create a view that uses this function to get data in it:
>
> create view public.pg_stat_repl as select * from pg_stat_repl();

Even if this actually worked (which it doesn't, see above), I suspect
you'd have to mark this a security barrier view.

> After this, you can do a select on this view to get the required
> information. You can do this for other pg_catalog functions as well.
> Reference -
> https://github.com/xzilla/secure_check_postgres/blob/master/sql/pg_stat_activity.sql

What you link to here is better- it revokes access both to the function
and to the view. Both would have to then be granted specifically to the
monitor user. What sucks about all of this, of course, is that the
monitoring code has already been written and there isn't a standard set
of functions/views like this in core for it to depend on.

The approach I'm going for is to remove the hard-coded checks and
re-implement them at the SQL level, allowing administrators to grant
access to the base functions for monitoring users and then have the
monitoring systems updated to use those functions instead.

This makes more sense, to me at least, than duplicating everything or
having wrapper functions which do the check and are the "secured"
version and then functions also exposed at the SQL level which are
"unsecured" and then have privileges to them REVOKE'd.

I'm certainly interested in other thoughts on this though and there is a
thread over on -hackers about it, which is where further discussion on
this belongs.

Thanks!

Stephen

In response to

Browse pgsql-admin by date

  From Date Subject
Next Message Stephen Frost 2015-04-01 00:35:26 Re: Permission select pg_stat_replication
Previous Message Guillaume Lelarge 2015-03-31 21:03:55 Re: Catalog permissions

Browse pgsql-hackers by date

  From Date Subject
Next Message Stephen Frost 2015-04-01 00:35:26 Re: Permission select pg_stat_replication
Previous Message Michael Paquier 2015-04-01 00:04:46 Re: Exposing PG_VERSION_NUM in pg_config