logical replication access control patches

From: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
To: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: logical replication access control patches
Date: 2017-02-17 23:24:12
Message-ID: 7a33990f-75b1-5a4f-e7c0-223e15b84c11@2ndquadrant.com
Lists: pgsql-hackers

Here is a patch set to refine various access control settings in logical
replication. Currently, you need to be replication or superuser for
most things, and the goal of these patches is to allow ordinary users
equipped with explicit privileges to do most things. (Btw., current
documentation is here:
https://www.postgresql.org/docs/devel/static/logical-replication-security.html)

0001 Refine rules for altering publication owner

No conceptual changes here, just some fixes to allow altering
publication owner in more cases.

0002 Add PUBLICATION privilege

Add a new privilege kind to tables to determine whether they can be
added to a publication.

0003 Add USAGE privilege for publications

This controls whether a subscription can use the publication.

There is an open issue with this patch: Since the walsender reads
system catalogs according to what it is currently streaming, you can't
grant this privilege after a subscription has already tried to connect
and failed, because the grant will only appear in the "future" of the
stream. (You can drop and recreate the subscription, as the test
shows.) This might need some snapshot trickery around the aclcheck call.

0004 Add CREATE SUBSCRIPTION privilege on databases

New privilege to allow creating a subscription, currently restricted to
superuser.

(We could also add a CREATE PUBLICATION privilege for symmetry.
Currently, publications use the CREATE privilege that schemas also use.)

0005 Add subscription apply worker privilege checks

Makes apply workers check privileges on tables before writing to them.
Currently, all subscription owners are superuser, but 0004 proposes to
change that.

0006 Change logical replication pg_hba.conf use

No longer use the "replication" keyword in pg_hba.conf for logical
replication. Use the normal database entries instead.

Relates to
https://www.postgresql.org/message-id/flat/CAB7nPqRf8eOv15SPQJbC1npJoDWTNPMTNp6AvMN-XWwB53h2Cg%40mail.gmail.com

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Attachment Content-Type Size
0001-Refine-rules-for-altering-publication-owner.patch text/x-patch 5.6 KB
0002-Add-PUBLICATION-privilege.patch text/x-patch 26.9 KB
0003-Add-USAGE-privilege-for-publications.patch text/x-patch 42.5 KB
0004-Add-CREATE-SUBSCRIPTION-privilege-on-databases.patch text/x-patch 13.7 KB
0005-Add-subscription-apply-worker-privilege-checks.patch text/x-patch 5.2 KB
0006-Change-logical-replication-pg_hba.conf-use.patch text/x-patch 2.8 KB
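As an illustration of the pg_hba.conf change described under 0006, added here by the editor and not taken from the message or the attached patches: the same logical replication connection matched by the old "replication" keyword rule and by a normal database entry. The database name, role names and address range are constructed for the example.

```text
# pg_hba.conf fragment, constructed example (not from the patch set).
#
# Before 0006: the subscription's walsender connection is matched only by
# the special "replication" database keyword, the same rule that physical
# standbys use, so it cannot be scoped to the database being published.
# TYPE  DATABASE     USER      ADDRESS          METHOD
host    replication  subuser   192.0.2.0/24     md5

# After 0006: the subscription's connection is matched like any other client
# connection to the database that holds the publication (here "srcdb").
# The "replication" keyword is left for physical streaming replication.
# TYPE  DATABASE     USER      ADDRESS          METHOD
host    srcdb        subuser   192.0.2.0/24     md5
host    replication  standby   192.0.2.0/24     md5
```

Keying the entry on the database name means the connection is subject to the same per-database rows ordinary clients match, which is what lets the database-level privilege proposed in 0004 and the host-based rule refer to the same object. The usual pg_hba.conf caveat still applies: rules are evaluated top to bottom and the first matching line wins, so a broad "all" entry placed above these lines would take precedence.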
