Re: logical replication access control patches

From: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
To: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: logical replication access control patches
Date: 2017-03-29 18:55:45
Message-ID: 20170329185545.poqluycgpziq7egj@alvherre.pgsql
Lists: pgsql-hackers

Peter Eisentraut wrote:
> On 3/15/17 21:54, Peter Eisentraut wrote:

> > 0004 Add subscription apply worker privilege checks
> > 0005 Add CREATE SUBSCRIPTION privilege on databases
>
> It would be nice to reach a conclusion on these (the second one
> particularly), because otherwise we'll be stuck with only superusers
> being allowed to create subscriptions.

I note that the CREATE privilege on databases, which previously only
enabled schema creation, now also allows creating publications. I
wonder what is different about subscriptions that we need a separate
CREATE SUBSCRIPTION privilege; could we allow the three things under the
same privilege type? (I suspect not; why give logical replication
controls to users who in previous releases were only able to create
schemas?) If not, does it make sense to have one privilege for both new
things, perhaps something like GRANT LOGICAL REPLICATION THINGIES? If
not, maybe we should have three separate priv bits: GRANT CREATE for
schemas, GRANT CREATE PUBLICATION and GRANT CREATE SUBSCRIPTION?

So this CREATE SUBSCRIPTION priv actually gives you the power to cause
the system to open network connections to the outside world. It's not
something you give freely to random strangers -- should be guarded
moderately tight, because it could be used as a covert channel for data
leaking. However, it's 1000x better than requiring superuser for
subscription creation, so +1 for the current approach.

--
Álvaro Herrera https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
