Re: logical replication access control patches

On 14/03/17 20:09, Robert Haas wrote:
> On Tue, Mar 14, 2017 at 2:56 PM, Petr Jelinek
> <petr(dot)jelinek(at)2ndquadrant(dot)com> wrote:
>> Note that I am not necessarily saying it's better though, just trying to
>> explain. It definitely has drawbacks, as in order to grant publish on
>> one table you might be granting lots of privileges on various objects by
>> granting the role. So for granularity purposes Peter's PUBLISH privilege
>> for tables sounds better to me.
>
> I get that. If, without the patch, letting user X do operation Y will
> require either giving user X membership in a role that has many
> privileges, and with the patch, will require only granting a specific
> privilege on a specific object, then the latter is obviously far
> better from a security point of view.
>
> However, what I'm not clear about is whether this is a situation
> that's likely to come up much in practice. I would have thought that
> publications and subscriptions would typically be configured by roles
> with quite high levels of privilege anyway, in which case the separate
> PUBLISH privilege would rarely be used in practice, and might
> therefore fail to be worth using up a bit. I might be missing a
> plausible scenario in which that's not the case, though.
>

Yeah that's rather hard to say in front. Maybe safest action would be to
give the permission to owners in 10 and revisit special privilege in 11
based on feedback?

--
Petr Jelinek http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services