Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mnS8k-00008q-EQ for pgsql-hackers@arkaria.postgresql.org; Wed, 17 Nov 2021 21:06:46 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1mnS8i-000260-2s for pgsql-hackers@arkaria.postgresql.org; Wed, 17 Nov 2021 21:06:44 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mnS8h-00025r-K7 for pgsql-hackers@lists.postgresql.org; Wed, 17 Nov 2021 21:06:43 +0000 Received: from mail-pf1-x435.google.com ([2607:f8b0:4864:20::435]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1mnS8b-0003ST-HY for pgsql-hackers@postgresql.org; Wed, 17 Nov 2021 21:06:43 +0000 Received: by mail-pf1-x435.google.com with SMTP id n26so3827194pff.3 for ; Wed, 17 Nov 2021 13:06:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=j-davis-com.20210112.gappssmtp.com; s=20210112; h=message-id:subject:from:to:cc:date:in-reply-to:references :mime-version:content-transfer-encoding; bh=hjkfXo22Xv9CLjNF++5bBSlMVuQZr/LOOupZqQ7iZmY=; b=Y+Z9askct4K65wXYNyE9XwdJAXiKLtmhqI0gnaWmMJwmq60HM1SWMGbr+LS5l9her7 wBNCi5HzYhx3f+Jib1LZ9j7qlT+fp+n0vwLVVMK3ZzcHoo65BdDLSybY+mV8mKyx/z1/ UCP7atsLP+8YM6vehDZ9BQWL0XfeKWLMDNMCoa5z9LQFxYLly9pcKEe5oMU88hJCDUQ0 EGqaglTOQAjxzOhHJG7qhOzttgaqeBezmEpA/9H/I/uJ1sE5mspuhgIMn73aGbOq+xX7 62xz5lHomA0Z4ddsLB7sPZXW0yr5sKpKzn2biPQkzHkdjjdodh9p9De/luVxt5+k6o17 H4nw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:subject:from:to:cc:date:in-reply-to :references:mime-version:content-transfer-encoding; bh=hjkfXo22Xv9CLjNF++5bBSlMVuQZr/LOOupZqQ7iZmY=; b=qnb7hwf0ntAy5DFp+hFi3sA0MqycWgPC0MpEEsLbnNdZwTOUQ1jo2j3tUEmLvYQwOt WSpaO8686iRw2UnX+TtKSUR4OUcqcIPw6TBN2EzMGrPw7xD5LfhHZLLndW3kOTXmC1ro firHOQvxshr3npn5naEYKAHwNjoZnU3MGnCp4ErkOyvNM4ROB+phjFcAw0nhHcj1fv+5 ySV3OVk+zAfNcWfwLqbNp5cE8ehh0dAe7jDN3kMEbuTFCRncwok931j56UCIwqsF8tMJ v3YDyvlKOXAxLcOZLRLe/S22jGz8hbd9/3N0pbO2jqTeBjKL/jr8lit+uNUIOncHEdfV w4bQ== X-Gm-Message-State: AOAM532YszKYVFFga9a4QPTCiV5bClGpZizmf2b6cR4TFqUKssyGnmwm 7gkWKksLANXlfFi30hauYrbPvw== X-Google-Smtp-Source: ABdhPJyZavne2Vn+y5d1OETw9oKF+yETXEtjQQ0Gs1rHn8QAvLDst6z5es5oHQKw2gC4JQ7SpqtPWA== X-Received: by 2002:a05:6a00:807:b0:49f:9a8d:23b4 with SMTP id m7-20020a056a00080700b0049f9a8d23b4mr50652893pfk.71.1637183194924; Wed, 17 Nov 2021 13:06:34 -0800 (PST) Received: from jdavis.lan (c-73-231-146-4.hsd1.ca.comcast.net. [73.231.146.4]) by smtp.gmail.com with ESMTPSA id t7sm501036pfj.217.2021.11.17.13.06.33 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Wed, 17 Nov 2021 13:06:34 -0800 (PST) Message-ID: <0774acfb4e613b9959c4e4995ba163cdadc454ef.camel@j-davis.com> Subject: Re: Non-superuser subscription owners From: Jeff Davis To: Mark Dilger Cc: Andrew Dunstan , PostgreSQL-development , Robert Haas Date: Wed, 17 Nov 2021 13:06:32 -0800 In-Reply-To: References: <9DFC88D3-1300-4DE8-ACBC-4CEF84399A53@enterprisedb.com> <6BB4451E-7B1B-474C-BD1F-DB7531E720C6@enterprisedb.com> <6A2B0FF6-CC86-48CE-B0D3-5401AA5CFEA9@enterprisedb.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.28.5-0ubuntu0.18.04.2 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Wed, 2021-11-17 at 10:25 -0800, Mark Dilger wrote: > We may eventually allow non-superusers to create subscriptions, but > there are lots of details to work out. I am setting aside the idea of subscriptions created by non-superusers. My comments were about your idea for "low-power users" that can still do things with subscriptions. And for that, GRANT seems like a better fit than ownership. With v2-0001, there are several things that seem weird to me: * Why can there be only one low-power user per subscription? * Why is RENAME a separate capability from CREATE/DROP? * What if you want to make the privileges more fine-grained, or make changes in the future? Ownership is a single bit, so it requires that everyone agree. Maybe some people want RENAME to be a part of that, and others don't. GRANT seems to provide better answers here. > Since we're trying to make subscriptions into things that non- > superusers can use, we have to deal with some things in those > functions. I understand the use case where a superuser isn't required anywhere in the process, and some special users can create and own subscriptions. I also understand that's not what these patches are trying to accomplish (though v2-0003 seems like a good step in that direction). I don't understand the use case as well where a non-superuser can merely "use" a subscription. I'm sure such use cases exist and I'm fine to go along with that idea, but I'd like to understand why ownership (partial ownership?) is the right way to do this and GRANT is the wrong way. > For example, ALTER SUBSCRIPTION can change the database connection > parameter, or the publication subscribed, or whether > synchronous_commit is used. I don't see that a subscription owner > should necessarily be allowed to mess with that, at least not without > some other privilege checks beyond mere ownership. That violates my expectations of what "ownership" means. > I think this is pretty analogous to how security definer functions > work. The analogy to SECURITY DEFINER functions seems to support my suggestion for GRANT at least as much as your modified definition of ownership. > > This would not address the weirdness of the existing code where a > > superuser loses their superuser privileges but still owns a > > subscription. But perhaps we can solve that a different way, like > > just > > performing a check when someone loses their superuser privileges > > that > > they don't own any subscriptions. > > I gave that a slight amount of thought during the design of this > patch, but didn't think we could refuse to revoke superuser on such a > basis, I don't necessarily see a problem there, but I could be missing something. > and didn't see what we should do with the subscription other than > have it continue to be owned by the recently-non-superuser. If you > have a better idea, we can discuss it, but to some degree I think > that is also orthogonal to the purpose of this patch. The only sense > in which this patch depends on that issue is that this patch proposes > that non-superuser subscription owners are already an issue, and > therefore that this patch isn't creating a new issue, but rather > making more sane something that already can happen. By introducing and documenting a way to get non-superusers to own a subscription, it makes it more likely that people will do it, and harder for us to change. That means the standard should be "this is what we really want", rather than just "more sane than before". Regards, Jeff Davis