Quick Links

Re: Delegating superuser tasks to new security roles (Was: Granting control of SUSET gucs to non-superusers)

From:	Mark Dilger <mark(dot)dilger(at)enterprisedb(dot)com>
To:	Noah Misch <noah(at)leadboat(dot)com>
Cc:	Jacob Champion <pchampion(at)vmware(dot)com>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net>, "robertmhaas(at)gmail(dot)com" <robertmhaas(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "tgl(at)sss(dot)pgh(dot)pa(dot)us" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "chap(at)anastigmatix(dot)net" <chap(at)anastigmatix(dot)net>, torikoshia <torikoshia(at)oss(dot)nttdata(dot)com>
Subject:	Re: Delegating superuser tasks to new security roles (Was: Granting control of SUSET gucs to non-superusers)
Date:	2021-06-30 01:25:31
Message-ID:	47FFE466-69CB-4C27-A832-6B516F55BA8D@enterprisedb.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

Please find attached a new set of patches.

> On May 27, 2021, at 11:06 PM, Noah Misch <noah(at)leadboat(dot)com> wrote:
>
> pg_logical_replication would not be safe to delegate that way:
> https://postgr.es/m/flat/CACqFVBbx6PDq%2B%3DvHM0n78kHzn8tvOM-kGO_2q_q0zNAMT%2BTzdA%40mail.gmail.com

v3-0001 creates a pg_logical_replication role and respects privileges on tables in the table sync and apply workers. With this change, by creating a user in role pg_logical_replication, only giving that user INSERT, UPDATE, DELETE, or TRUNCATE privileges as appropriate on the intended tables, and having that user rather than a superuser create a subscription, one may prevent the replication of unwanted DML on these tables as well as the replication of any DML to any other tables.

> On Jun 14, 2021, at 5:51 AM, torikoshia <torikoshia(at)oss(dot)nttdata(dot)com> wrote:
>
> BTW, do these patches enable non-superusers to create user with
> bypassrls?

v3-0004 creates a pg_database_security role and allows users in this role to create roles with BYPASSRLS.

Attachment	Content-Type	Size
v3-0001-Add-default-role-for-managing-logical-replication.patch	application/octet-stream	27.9 KB
v3-0002-Add-default-role-for-host-security-operations.patch	application/octet-stream	22.8 KB
v3-0003-Add-default-role-for-network-security-operations.patch	application/octet-stream	30.2 KB
v3-0004-Add-default-role-for-database-operations.patch	application/octet-stream	49.5 KB

In response to

Re: Delegating superuser tasks to new security roles (Was: Granting control of SUSET gucs to non-superusers) at 2021-05-28 06:06:18 from Noah Misch

Responses

Re: Delegating superuser tasks to new security roles (Was: Granting control of SUSET gucs to non-superusers) at 2021-07-01 15:59:02 from Mark Dilger

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Noah Misch	2021-06-30 01:37:28	Re: public schema default ACL
Previous Message	Michael Paquier	2021-06-30 01:12:45	Re: Fix PITR msg for Abort Prepared