| From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
|---|---|
| To: | Petr Jelinek <petr(dot)jelinek(at)2ndquadrant(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> |
| Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: logical replication access control patches |
| Date: | 2017-04-06 17:30:53 |
| Message-ID: | fcb2e71d-30fc-ec6b-70b9-7416b112803d@2ndquadrant.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 3/29/17 19:01, Petr Jelinek wrote:
>> So this CREATE SUBSCRIPTION priv actually gives you the power to cause
>> the system to open network connections to the outside world. It's not
>> something you give freely to random strangers -- should be guarded
>> moderately tight, because it could be used as covert channel for data
>> leaking. However, it's 1000x better than requiring superuser for
>> subscription creation, so +1 for the current approach.
>>
> Plus on the other hand you might want to allow somebody to stream data
> from another server but not necessarily allow said person to create new
> objects in the database which standard CREATE privilege would allow. So
> I think it makes sense to push this approach.
One new concern I just thought about is that having GRANT whatever ON
DATABASE would allow a database owner to assign these privileges, but a
database owner is not necessarily someone highly privileged to make this
decision.
So I'm prepared to set this patch to returned with feedback for now.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2017-04-06 17:38:41 | Re: logical replication apply to run with sync commit off by default |
| Previous Message | Tom Lane | 2017-04-06 17:27:25 | Re: Postgresql10 Bug report. (pg_catalog.pg_statistic_ext does not exist) |