Re: postgres_fdw super user checks

From: Jeff Janes <jeff(dot)janes(at)gmail(dot)com>
To: Andreas Karlsson <andreas(at)proxel(dot)se>
Cc: Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: postgres_fdw super user checks
Date: 2017-09-14 18:33:53
Message-ID: CAMkU=1yS4HVTyP7VN-XaGY8wio05REVF0_27cxNCTSN4w4dw7w@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox
Thread:
Lists: pgsql-hackers

On Tue, Sep 12, 2017 at 1:13 AM, Andreas Karlsson <andreas(at)proxel(dot)se> wrote:

> On 07/27/2017 09:45 PM, Jeff Janes wrote:> Here is an updated patch. This
> version allows you use the password-less
>
>> connection if you either are the super-user directly (which is the
>> existing committed behavior), or if you are using the super-user's mapping
>> because you are querying a super-user-owned view which you have been
>> granted access to.
>>
>
> I have tested the patch and it passes the tests and works, and the code
> looks good (I have a small nitpick below).
>
> The feature seems useful, especially for people who already use views for
> security, so the question is if this is a potential footgun. I am leaning
> towards no since the superuser should be careful when grant access to is
> views anyway.
>
> It would have been nice if there was a more generic way to handle this
> since 1) the security issue is not unique to postgres_fdw and 2) this
> requires you to create a view. But since the patch is simple, an
> improvement in itself and does not prevent any future further improvements
> in this era I see no reason to let perfect be the enemy of good.
>

Thanks for the review.

I think that foreign tables ought to behave as views do, where they run as
the owner rather than the invoker. No one has talked me out of it, but no
one has supported me on it either. But I think it is too late to change
that now. Wrapping it in a view is not hard, but it sure clutters up a
schema. I don't think this can be made too generic, because each database
has a quite different security model, so the solution will be much
different.

Attached is a new patch which fixes the style issue you mentioned.

Cheers,

Jeff

Attachment Content-Type Size
postgres_fdw_superuser_v3.patch application/octet-stream 3.1 KB

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Bruce Momjian 2017-09-14 18:39:34 Re: Clarification in pg10's pgupgrade.html step 10 (upgrading standby servers)
Previous Message Magnus Hagander 2017-09-14 18:30:20 Re: pg_basebackup behavior on non-existent slot