Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mnPdG-0007hJ-DE for pgsql-hackers@arkaria.postgresql.org; Wed, 17 Nov 2021 18:26:06 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1mnPdE-00004s-UW for pgsql-hackers@arkaria.postgresql.org; Wed, 17 Nov 2021 18:26:04 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mnPdE-0008WP-9N for pgsql-hackers@lists.postgresql.org; Wed, 17 Nov 2021 18:26:04 +0000 Received: from mail-pj1-x102c.google.com ([2607:f8b0:4864:20::102c]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1mnPd4-00027X-Uq for pgsql-hackers@postgresql.org; Wed, 17 Nov 2021 18:26:03 +0000 Received: by mail-pj1-x102c.google.com with SMTP id np6-20020a17090b4c4600b001a90b011e06so3291314pjb.5 for ; Wed, 17 Nov 2021 10:25:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=U/5pzYuJHauqqKK8m8dT9mheG8To2quS60geIP/MQik=; b=cLGp/Xh0NvDgT5QxXkU2LfNDZHD4aeHv1Qar8BJqhftBZeo90ApgY4c3ILnSGZ8EpK 7Qwz6+QpQ4WwrxCGXg/x9CA5/1gDMaxZ9W6BaphRfhppiOmVn8qp0HDlc5B8aChTzaLH TnFlmOh/uwNtIgcwFhML9Uae91hVCd0mFkoZwCGTQyBV7IPPj9m3UXFBFe4+e/p5TIio VZNad1wqcKsONnPyZkY7T14NdmBQap37QWIQIYUBXJFiPy7cFIzM4TIFfafC88spPXMH j4H7ojfENVlHPDHkIgqfZVh9HpnZ1siTTJ2TR4pS+zaAhm3Va48DbOBrOtCwUNXWzOAe zbow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=U/5pzYuJHauqqKK8m8dT9mheG8To2quS60geIP/MQik=; b=QlP/VBFcRoWPymNiGJddsS8BkqTPIGmKYsUgvZqzkccGEm2EblSbT9k2FnjIWG6iCj JBDr5t+3g6dUylF7rpF6NFpucmIBLoylUlDf/2qir9SViTiwFBxALCDf7T4w65s0jznx 2j6ZtWTJ5XHFM3oHj0GdaQux9C6Nc9LoptdRcx1yeTCRG2UERrK0UpKSFqzRT2WSJ8ju HPBCkuZ0JILbacvLixQYrdiwkqKieoxdTAZ67Bh8RpRCrFNeQDKgIxY+dHxrEd9eLomd d8KQ+0ryQUChvAZo31M9e3i6CjSz987cMuA7FjQChptQcePVnTS5wre9zvgUAG/Mmi5j wc8Q== X-Gm-Message-State: AOAM531ESyRMkhO8HMY/LS/hKf3i7zsvTWUAQLj2TfS4SIhtGg6KkwgO HO60fvLHXkinMeeFZMXRn1eiQ+/L4z9n1U6aSe+Uqb+GWE1EmycQ30v58t8IywQjoAW2EQxFAXZ Aji50t2F5fAFetrzf6tNLBPDSvpdkE4FxwSgyxWKOztZZdVIm50MsWxLTncT3xysXBPYXTwcFSk GfqSgXsxEl3NuruN1hEvURMgOBgZME+FN2FFNB X-Google-Smtp-Source: ABdhPJzfgzsuvlpMUkv2De6WxJyh9vFsJ8PYBzBhZ7+vClPet0Lqb59HlraENLR8A4kHtO5Seqwabg== X-Received: by 2002:a17:90b:3a83:: with SMTP id om3mr2070914pjb.211.1637173551834; Wed, 17 Nov 2021 10:25:51 -0800 (PST) Received: from laptop280-ma-us.hitronhub.home (24-113-193-150.wavecable.com. [24.113.193.150]) by smtp.gmail.com with ESMTPSA id w17sm350636pfu.58.2021.11.17.10.25.50 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 17 Nov 2021 10:25:51 -0800 (PST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\)) Subject: Re: Non-superuser subscription owners From: Mark Dilger In-Reply-To: Date: Wed, 17 Nov 2021 10:25:50 -0800 Cc: Andrew Dunstan , PostgreSQL-development , Robert Haas Content-Transfer-Encoding: quoted-printable Message-Id: References: <9DFC88D3-1300-4DE8-ACBC-4CEF84399A53@enterprisedb.com> <6BB4451E-7B1B-474C-BD1F-DB7531E720C6@enterprisedb.com> <6A2B0FF6-CC86-48CE-B0D3-5401AA5CFEA9@enterprisedb.com> To: Jeff Davis X-Mailer: Apple Mail (2.3608.120.23.2.7) X-CLOUD-SEC-AV-Info: enterprisedb,google_mail,monitor X-CLOUD-SEC-AV-Sent: true X-Gm-Spam: 0 X-Gm-Phishy: 0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > On Nov 17, 2021, at 9:33 AM, Jeff Davis wrote: >=20 > I am still trying to understand this use case. It doesn't feel like > "ownership" to me, it feels more like some kind of delegation. >=20 > Is GRANT a better fit here? That would allow more than one user to > REFRESH, or ENABLE/DISABLE the same subscription. It wouldn't allow > RENAME, but I don't see why we'd separate privileges for > CREATE/DROP/RENAME anyway. We may eventually allow non-superusers to create subscriptions, but = there are lots of details to work out. Should there be limits on how = many subscriptions they can create? Should there be limits to the = number of simultaneously open connections they can create out to other = database servers (publishers)? Should they need to be granted USAGE on = a database publisher in order to use the connection string for that = publisher in a subscription they create? Should they need to be granted = USAGE on a publication in order to replicate it? Yes, there may be = restrictions on the publisher side, too, but the user model on = subscriber and publisher might differ, and the connection string used = might not match the subscription owner, so some restriction on the = subscriber side may be needed. The implementation of [CREATE | ALTER] SUBSCRIPTION was designed at a = time when only superusers could execute them, and as far as I can infer = from the design, no effort to constrain the effects of those commands = was made. Since we're trying to make subscriptions into things that = non-superusers can use, we have to deal with some things in those = functions. For example, ALTER SUBSCRIPTION can change the database = connection parameter, or the publication subscribed, or whether = synchronous_commit is used. I don't see that a subscription owner = should necessarily be allowed to mess with that, at least not without = some other privilege checks beyond mere ownership. I think this is pretty analogous to how security definer functions work. = You might call those "delegation" also, but the basic idea is that the = function will run under the privileges of the function's owner, who = might be quite privileged if you want the function to do highly secure = things for you, but who could also intentionally be limited in = privilege. It wouldn't make much sense to say the owner of a security = definer function can arbitrarily escalate their privileges to do things = like open connections to other database servers, or have the = transactions in which they run have a different setting of = synchronous_commit. Yet with subscriptions, if the subscription owner = can run all forms of ALTER SUBSCRIPTION, that's what they can do. I took a conservative position in the design of the patch to avoid = giving away too much. I suspect that we'll come back to these design = decisions and relax them at some point, but the exact way in which we = relax them is not obvious. We could just agree to remove them (as you = seem to propose), or we might agree to create predefined roles and say = that the subscription owner can change certain aspects of the = subscription if and only if they are members of one or more of those = roles, or we may create new grantable privileges. Each of those debates = may be long and hard fought, so I don't want to invite that as part of = this thread, or this patch will almost surely miss the cutoff for v15. > This would not address the weirdness of the existing code where a > superuser loses their superuser privileges but still owns a > subscription. But perhaps we can solve that a different way, like just > performing a check when someone loses their superuser privileges that > they don't own any subscriptions. I gave that a slight amount of thought during the design of this patch, = but didn't think we could refuse to revoke superuser on such a basis, = and didn't see what we should do with the subscription other than have = it continue to be owned by the recently-non-superuser. If you have a = better idea, we can discuss it, but to some degree I think that is also = orthogonal to the purpose of this patch. The only sense in which this = patch depends on that issue is that this patch proposes that = non-superuser subscription owners are already an issue, and therefore = that this patch isn't creating a new issue, but rather making more sane = something that already can happen. =E2=80=94 Mark Dilger EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company