Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mnmAa-0005xE-QW for pgsql-hackers@arkaria.postgresql.org; Thu, 18 Nov 2021 18:30:00 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1mnmAZ-0001Gg-Fs for pgsql-hackers@arkaria.postgresql.org; Thu, 18 Nov 2021 18:29:59 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mnmAZ-0001GO-1u for pgsql-hackers@lists.postgresql.org; Thu, 18 Nov 2021 18:29:59 +0000 Received: from mail-pf1-x42d.google.com ([2607:f8b0:4864:20::42d]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1mnmA6-0000DB-LA for pgsql-hackers@postgresql.org; Thu, 18 Nov 2021 18:29:36 +0000 Received: by mail-pf1-x42d.google.com with SMTP id g18so6881378pfk.5 for ; Thu, 18 Nov 2021 10:29:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=j-davis-com.20210112.gappssmtp.com; s=20210112; h=message-id:subject:from:to:cc:date:in-reply-to:references :mime-version:content-transfer-encoding; bh=FWGMmPWULSzJiZIRMUCWhU83HUWPegZIa1RjNfvIeso=; b=CGoE1mlXlUbbZ4r9CMJXIbWxrcvOOuflydP9zFAQ/VoL+LJR/sr4nOcC6enODSX7FA ccSA+r3BU4dTGK6dTs8r5BTgR1VvgQFHcwcy4kO0edqTpOpBdmJtE/qF+RwmzNs582mW 4VFouLGq1rlzFvg5udmyV3bn8YHedZUCbL7ocKDRwfl76g6JZrak1GY7GY0GrS3Aw6O2 IErUnu5UBVfqRGgovsBRxB6lXL3xl2skzoWbEwy3+3CMK/Xy5kJQE8hftTX9jPJB39Y/ bDjjuTtS7e/HAXtGOCjNkVxepeL9W9XZ82QQ3C2+j+kgg2GXblHbcsb3saODHBQRz+H5 ShlQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:subject:from:to:cc:date:in-reply-to :references:mime-version:content-transfer-encoding; bh=FWGMmPWULSzJiZIRMUCWhU83HUWPegZIa1RjNfvIeso=; b=qNRuyXqQ8BfWcBJ9fy6DMHGRjNemFF8Q+xjKGr4RiY2X+20iWhsXToSCALfCkNTFwr cvEkPCAc/9FbZZpAQNNZDhpP8UowpT+3NoJvn0iLsWl+qjRBSxJkgJQZfDilQ3ZutfXG GQPpkUouSMkws6HGNlxgAdeJMe5mftW3VK1sIAuNpMYGfG/QNv32IFt7OoMTixdVW+Fe t+xHnMXqwhWqADu2duH9iV60oW5chx6nPFmgxu7xrVzTKUQnp7G8Ak1wTqk8I/LjHhRe XbE5fo9o7YtlQbJO//yz2hZljNz7jJ/Wc4p1O7s0w052RsLXHscYcoNM/C1fUy0HwyjJ XPaQ== X-Gm-Message-State: AOAM531wR5Lv2xupwMcaqytrjP0k+TjHHfme7QD/gDgg3XeTZLJ7A6g0 0udqBUEEanTWF0JtmjAo1Y07CA== X-Google-Smtp-Source: ABdhPJzU8tVr4r+m/vD4o7qtlvEAGaoN89fGzcnnN/QaFHVG1EMe7SISpOSlIkuREgII9HKtoRYDwA== X-Received: by 2002:a63:f70d:: with SMTP id x13mr12547312pgh.482.1637260169147; Thu, 18 Nov 2021 10:29:29 -0800 (PST) Received: from jdavis.lan (c-73-231-146-4.hsd1.ca.comcast.net. [73.231.146.4]) by smtp.gmail.com with ESMTPSA id e2sm279179pgm.48.2021.11.18.10.29.27 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Thu, 18 Nov 2021 10:29:28 -0800 (PST) Message-ID: <47f0d0e528451041c04d61c7dcf18ad01174d2db.camel@j-davis.com> Subject: Re: Non-superuser subscription owners From: Jeff Davis To: Mark Dilger Cc: Andrew Dunstan , PostgreSQL-development , Robert Haas Date: Thu, 18 Nov 2021 10:29:26 -0800 In-Reply-To: <2EA8302B-9805-4FAA-A95D-C4D5CEB82916@enterprisedb.com> References: <9DFC88D3-1300-4DE8-ACBC-4CEF84399A53@enterprisedb.com> <6BB4451E-7B1B-474C-BD1F-DB7531E720C6@enterprisedb.com> <6A2B0FF6-CC86-48CE-B0D3-5401AA5CFEA9@enterprisedb.com> <0774acfb4e613b9959c4e4995ba163cdadc454ef.camel@j-davis.com> <2EA8302B-9805-4FAA-A95D-C4D5CEB82916@enterprisedb.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.28.5-0ubuntu0.18.04.2 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Wed, 2021-11-17 at 16:17 -0800, Mark Dilger wrote: > You must choose a single role you want the subscription to run > under. I think that was the source of a lot of my confusion: Your patches are creating the notion of a "run as" user by assigning ownership-that-isn't-really-ownership. I got distracted wondering why you would really care if some user could enable/disable/refresh/rename a subscription, but the main point was to change who the subscription runs as. That's a more general idea: I could see how "run as" could apply to subscriptions as well as functions (right now it can only run as the owner or the invoker, not an arbitrary role). And I better understand your analogy to security definer now. But it's also not exactly a simple idea, and I think the current patches oversimplify it and conflate it with ownership. > I think the longer term plan is that non-superusers who have some > privileged role will be allowed to create subscriptions, You earlier listed some challenges with that: https://postgr.es/m/CF56AC0D-7495-4E8D-A48F-FF38BD8074EB@enterprisedb.com But it seems like it's really the right direction to go. Probably the biggest concern is connection strings that read server files, but dblink solved that by requiring password auth. What are the reasonable steps to get there? Do you think anything is doable for v15? > There is a cart-before-the-horse problem here. I don't think we need to hold up v2-0003. It seems like a step in the right direction, though I haven't looked closely yet. Regards, Jeff Davis