Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mr26q-0003yx-8n for pgsql-hackers@arkaria.postgresql.org; Sat, 27 Nov 2021 18:07:36 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1mr26o-0006sF-VH for pgsql-hackers@arkaria.postgresql.org; Sat, 27 Nov 2021 18:07:34 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mr26o-0006s6-9k for pgsql-hackers@lists.postgresql.org; Sat, 27 Nov 2021 18:07:34 +0000 Received: from mail-pj1-x1036.google.com ([2607:f8b0:4864:20::1036]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1mr26f-0003BF-I9 for pgsql-hackers@postgresql.org; Sat, 27 Nov 2021 18:07:33 +0000 Received: by mail-pj1-x1036.google.com with SMTP id np3so9322367pjb.4 for ; Sat, 27 Nov 2021 10:07:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=YtO9lw42VF5aOI1EE1GH+QVjjaAckJEwSBMpv2WLeq8=; b=DDxkyVez7pSEkM0E3QOofCz/pYd5vk/9pt2EEoQtYieq+g+qk37yX2XFc44ND93P5t VJWL9bmBV9bbvzOAFFt5UoScqN1DABFos4D/6pMrWc5q8S0c/L0+fYjO8yoj75DlIHUb 95h2OMVk0nWyjmqBnEMNbFF4uusuV5C1j78m2TAZIGoauhNa8q7GaPzrHiGCn7Mehsap /i6tP310n4hh/3U8FgqeB9HQw4/JkiQDeaN47Bv9ObydFzrQXz4p0gC9j3u5RMLqwt3B 1Z+t19KtmYfAx1FRCZ60qc+OJRPfdTGxrf8+eMdutZYdz7B5dXzXHfamY9Ul4lbfbPlT Yhag== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=YtO9lw42VF5aOI1EE1GH+QVjjaAckJEwSBMpv2WLeq8=; b=2UsLXs7/c5sq641ONpH/qXE3iGSIXa8Pi80Ur9LLe1gPQ8dkQR2mv/ZHcm5uzBgsY0 WE6NmZ0XeRkvl1+o1I+Noc4beP+uhArK4U0v4D158PFkmBd7M4vARgU1QlWMWt8G3Y1I D+Tw+I+fjTbRns1GC64jIpfctEekyGCnT4tLEM5M4Y+HANvYBVddT6pBG7o1jkwz3A1I 8M3Lkth7vMzZogVYWV1Dmda6gjmX2sHoVaiGpkGA2ukFgeVHcDCbVibsdeOyUhSu99Q7 8xkrT1798OEpnSAHekRihYmjoaukOb8vl1bg/1aG4b49fqxk6iALQN+nDZwYI0JNE4P1 +gvA== X-Gm-Message-State: AOAM53123D1Or2rsdXPA5VEOJlNJDotCH7Q5BaWdSY9aclEYVA2e2PWQ AOi+4t/Q+DaesyEcwIedRWc38/VURkMY96PsMge82W0Fy4V1mtmWD7rLSNDiva9tHi3r68G0cpy gzTqDYqOx6HuokNOGchtGr68Cz2WelxzjOmU6gEiHAi/xX0TXNPcpMVrQF3sLTpK56ziIlkQqCH fa7akGKs+YuHy/sxVgBLlv21CRj0/9CQQDu+/t X-Google-Smtp-Source: ABdhPJxwLYfRcql4pnlfOxcTWx2b1sUVv9Op+7EQw8i7MciOMTPtSFsUdzV0n/F7u/Tt7dPrHmx6WQ== X-Received: by 2002:a17:902:694b:b0:143:722f:91c1 with SMTP id k11-20020a170902694b00b00143722f91c1mr47261020plt.68.1638036442239; Sat, 27 Nov 2021 10:07:22 -0800 (PST) Received: from laptop280-ma-us.home ([50.53.78.5]) by smtp.gmail.com with ESMTPSA id p20sm11457891pfw.96.2021.11.27.10.07.21 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 27 Nov 2021 10:07:21 -0800 (PST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\)) Subject: Re: Non-superuser subscription owners From: Mark Dilger In-Reply-To: <66f55a6b9ff7bdd6bfd0d05e8fd8351690e69e23.camel@j-davis.com> Date: Sat, 27 Nov 2021 10:05:16 -0800 Cc: Amit Kapila , Andrew Dunstan , PostgreSQL-development , Robert Haas Content-Transfer-Encoding: quoted-printable Message-Id: References: <9DFC88D3-1300-4DE8-ACBC-4CEF84399A53@enterprisedb.com> <6BB4451E-7B1B-474C-BD1F-DB7531E720C6@enterprisedb.com> <6A2B0FF6-CC86-48CE-B0D3-5401AA5CFEA9@enterprisedb.com> <1BB0A553-3FE9-4A91-A975-6F9D8C157FBD@enterprisedb.com> <7C62876F-5D19-4B5C-96AC-5590B10A49B2@enterprisedb.com> <66f55a6b9ff7bdd6bfd0d05e8fd8351690e69e23.camel@j-davis.com> To: Jeff Davis X-Mailer: Apple Mail (2.3608.120.23.2.7) X-CLOUD-SEC-AV-Info: enterprisedb,google_mail,monitor X-CLOUD-SEC-AV-Sent: true X-Gm-Spam: 0 X-Gm-Phishy: 0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > On Nov 24, 2021, at 4:30 PM, Jeff Davis wrote: >=20 > We need to do permission checking for WITH CHECK OPTION and RLS. The > patch right now allows the subscription to write data that an RLS > policy forbids. Thanks for reviewing and for this observation! I can verify that RLS is = not being honored on the subscriber side. I agree this is a problem for = subscriptions owned by non-superusers. The implementation of the table sync worker uses COPY FROM, which makes = this problem hard to fix, because COPY FROM does not support row level = security. We could do some work to honor the RLS policies during the = apply workers' INSERT statements, but then some data would circumvent = RLS during table sync and other data would honor RLS during worker = apply, which would make the implementation not only wrong but = inconsistently so. I think a more sensible approach for v15 is to raise an ERROR if a = non-superuser owned subscription is trying to replicate into a table = which has RLS enabled. We might try to be more clever and check whether = the RLS policies could possibly reject the operation (by comparing the = TO and FOR clauses of the policies against the role and operation type) = but that seems like a partial re-implementation of RLS. It would be = simpler and more likely correct if we just unconditionally reject = replicating into tables which have RLS enabled. What do you think? > A couple other points: >=20 > * We shouldn't refer to the behavior of previous versions in the docs > unless there's a compelling reason Fair enough. > * Do we need to be smarter about partitioned tables, where an insert > can turn into an update? Do you mean an INSERT statement with an ON CONFLICT DO UPDATE clause = that is running against a partitioned table? If so, I don't think we = need to handle that on the subscriber side under the current logical = replication design. I would expect the plain INSERT or UPDATE that = ultimately executes on the publisher to be what gets replicated to the = subscriber, and not the original INSERT .. ON CONFLICT DO UPDATE = statement. > * Should we refactor to borrow logic from ExecInsert so that it's less > likely that we miss something in the future? Hooking into the executor at a higher level, possibly ExecInsert or = ExecModifyTable would do a lot more than what logical replication = currently does. If we also always used INSERT/UPDATE/DELETE statements = and never COPY FROM statements, we might solve several problems at once, = including honoring RLS policies and honoring rules defined for the = target table on the subscriber side. Doing this would clearly be a major design change, and possibly one we = do not want. Can we consider this out of scope? =E2=80=94 Mark Dilger EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company