Re: postgres_fdw super user checks

On Thu, Oct 5, 2017 at 1:02 PM, Jeff Janes <jeff(dot)janes(at)gmail(dot)com> wrote:
> I don't see a reason to block a directly-logged-in superuser from using a
> mapping. I asked in the closed list whether the current (released)
> behavior was a security bug, and the answer was no. And I don't know why
> else to block superusers from doing something other than as a security bug.
> Also it would create a backwards compatibility hazard to revoke the ability
> now.

Well, my thought was that we ought to be consistent about whose
authorization matters. If we're using the view owner's credentials in
general, then we also (defensibly, anyway) ought to use the view
owner's superuser-ness to decide whether to enforce this restriction.
Using either the view owner's superuser-ness or the session user's
superuser-ness kind of puts you halfway in the middle. The view
owner's rights are what matters mostly, but your own rights also
matter a little bit around the edges. That's a little strange.

I don't have violently strong opinions about this - does anyone else
have a view?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company