Re: Skipping logical replication transactions on subscriber side

On Fri, Jan 21, 2022 at 8:39 AM Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com> wrote:
>
> On Fri, Jan 21, 2022 at 1:18 AM Peter Eisentraut
> <peter(dot)eisentraut(at)enterprisedb(dot)com> wrote:
> >
> > I think the superuser check in AlterSubscription() might no longer be
> > appropriate. Subscriptions can now be owned by non-superusers. Please
> > check that.
>
> IIUC we don't allow non-superuser to own the subscription yet. We
> still have the following superuser checks:
>
> In CreateSubscription():
>
> if (!superuser())
> ereport(ERROR,
> (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
> errmsg("must be superuser to create subscriptions")));
>
> and in AlterSubscriptionOwner_internal();
>
> /* New owner must be a superuser */
> if (!superuser_arg(newOwnerId))
> ereport(ERROR,
> (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
> errmsg("permission denied to change owner of
> subscription \"%s\"",
> NameStr(form->subname)),
> errhint("The owner of a subscription must be a superuser.")));
>
> Also, doing superuser check here seems to be consistent with
> pg_replication_origin_advance() which is another way to skip
> transactions and also requires superuser permission.
>

+1. I think this feature has the potential to make data inconsistent
and only be used as a last resort to resolve the conflicts so it is
better to allow this as a superuser.

--
With Regards,
Amit Kapila.