Re: First draft of the PG 15 release notes

On Tue, May 10, 2022 at 03:12:18PM -0700, Mark Dilger wrote:
>
>
> > On May 10, 2022, at 8:44 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> >
> > I have completed the first draft of the PG 15 release notes and you can
> > see the results here
>
>
> Thanks, Bruce! This release note:
>
> • Prevent logical replication into tables where the subscription owner is subject to the table's row-level security policies (Mark Dilger)
>
> ... should mention, independent of any RLS considerations, subscriptions are now applied under the privilege of the subscription owner. I don't think we can fit it in the release note, but the basic idea is that:
>
> CREATE SUBSCRIPTION ... CONNECTION '...' PUBLICATION ... WITH (enabled = false);
> ALTER SUBSCRIPTION ... OWNER TO nonsuperuser_whoever;
> ALTER SUBSCRIPTION ... ENABLE;
>
> can be used to replicate a subscription without sync or apply workers operating as superuser. That's the main advantage. Previously, subscriptions always ran with superuser privilege, which creates security concerns if the publisher is malicious (or foolish). Avoiding any unintentional bypassing of RLS was just a necessary detail to close the security loophole, not the main point of the security enhancement.

Oh, interesting. New text:

<!--
Author: Jeff Davis <jdavis(at)postgresql(dot)org>
2022-01-07 [a2ab9c06e] Respect permissions within logical replication.
-->

<listitem>
<para>
Allow logical replication to run as the owner of the publication (Mark Dilger)
</para>

<para>
Because row-level security policies are not checked, only
superusers, roles with bypassrls, and table owners can replicate
into tables with row-level security policies.
</para>
</listitem>

How is this?

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

Indecision is a decision. Inaction is an action. Mark Batterson