From: | Jeff Davis <pgsql(at)j-davis(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Bharath Rupireddy <bharath(dot)rupireddyforpostgres(at)gmail(dot)com>, Ashutosh Sharma <ashu(dot)coek88(at)gmail(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Greg Stark <stark(at)mit(dot)edu>, Jeremy Schneider <schneider(at)ardentperf(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, SATYANARAYANA NARLAPURAM <satyanarlapuram(at)gmail(dot)com>, marvin_liang(at)qq(dot)com, actyzhang(at)outlook(dot)com |
Subject: | Re: pg_walinspect - a new extension to get raw WAL data and WAL stats |
Date: | 2022-03-12 03:24:12 |
Message-ID: | ff684608037760af06a332c975a3414f0c67c458.camel@j-davis.com |
Lists: | pgsql-hackers |
On Thu, 2022-03-10 at 15:54 -0500, Stephen Frost wrote:
> The standard is basically that all of the functions it brings are
> written to enforce the PG privilege system and you aren't able to use
> the extension to bypass those privileges. In some cases that means that
Every extension should follow that standard, right? If it doesn't (e.g.
creating dangerous functions and granting them to public), then even
superuser should not install it.
> the C-language functions installed have if(!superuser) ereport() calls
I'm curious why not rely on the grant system where possible? I thought
we were trying to get away from explicit superuser checks.
> I've not looked back on this thread, but I'd expect pg_walinspect to
> need those superuser checks and with those it *could* be marked as
> trusted, but that again brings into question how useful it is to mark
> it thusly.
As long as any functions are safely accessible to public or a
predefined role, there is some utility for the 'trusted' marker.
As this patch is currently written, pg_monitor has access to these
functions, though I don't think that's the right privilege level at
least for pg_get_raw_wal_record().
> I certainly don't think we should allow either database owners or
> regular users on a system the ability to access the WAL traffic of
> the entire system.
Agreed. That was not what I intended by asking if it should be marked
'trusted'. The marker only allows the non-superuser to run the CREATE
EXTENSION command; it's up to the extension script to decide whether
any non-superusers can do anything at all with the extension.
> More forcefully- we should *not* be throwing more access
> rights towards $owners in general and should be thinking about how we
> can allow admins, providers, whomever, the ability to control what
> rights users are given. If they're all lumped under 'owner' then
> there's no way for people to provide granular access to just those
> things they wish and intend to.
Not sure I understand, but that sounds like a larger discussion.
Regards,
Jeff Davis
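The pattern the exchange above turns on (a 'trusted' extension whose script, rather than a hard-coded superuser check, decides which predefined role may call each function) is shown below as an added example. It is not part of Jeff Davis's message and not the pg_walinspect patch's own script; the function name walinspect_demo_current_lsn is a hypothetical stand-in, and the role chosen in the GRANT is only an illustration of the mechanism, not a recommendation for the real pg_get_raw_wal_record().

```sql
-- Constructed example of an extension script fragment.
-- The matching control file would carry:
--   trusted = true
-- which lets a non-superuser with CREATE on the database run
-- CREATE EXTENSION; the script itself still runs with superuser
-- privileges, so everything below is what actually decides who may
-- call what.

-- Hypothetical wrapper; in a real extension this would be the
-- C-language function that reads WAL.
CREATE FUNCTION walinspect_demo_current_lsn() RETURNS pg_lsn
LANGUAGE sql STABLE
AS $$ SELECT pg_current_wal_lsn() $$;

-- CREATE FUNCTION grants EXECUTE to PUBLIC by default, so an extension
-- that relies on the grant system must take that back explicitly.
REVOKE EXECUTE ON FUNCTION walinspect_demo_current_lsn() FROM PUBLIC;

-- Then hand it to the predefined role whose scope matches the
-- function's sensitivity. pg_monitor is used here only because it is
-- the role the thread discusses; for raw WAL access a narrower role or
-- superuser-only may be the right choice.
GRANT EXECUTE ON FUNCTION walinspect_demo_current_lsn() TO pg_monitor;

-- Verification a reviewer or DBA can run after CREATE EXTENSION:
-- who can execute the function, and is PUBLIC really excluded?
SELECT r.rolname,
       has_function_privilege(r.rolname,
                              'walinspect_demo_current_lsn()',
                              'EXECUTE') AS can_execute
FROM pg_roles r
WHERE r.rolname IN ('pg_monitor', 'pg_read_server_files')
   OR r.rolname NOT LIKE 'pg\_%'
ORDER BY r.rolname;

-- Expected shape: pg_monitor (and any role granted pg_monitor) true,
-- ordinary roles false, superusers true regardless of the ACL.
```

The contrast with an `if (!superuser()) ereport(ERROR, ...)` check inside the C function is that the ACL above can be inspected with `\df+` or has_function_privilege() and adjusted by the administrator with GRANT/REVOKE after installation, whereas a hard-coded check cannot be delegated to a predefined role without recompiling.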