Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nSsMg-00033v-6V for pgsql-hackers@arkaria.postgresql.org; Sat, 12 Mar 2022 03:24:22 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nSsMe-0004Wg-Rm for pgsql-hackers@arkaria.postgresql.org; Sat, 12 Mar 2022 03:24:20 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nSsMe-0004SW-Cq for pgsql-hackers@lists.postgresql.org; Sat, 12 Mar 2022 03:24:20 +0000 Received: from mail-pl1-x634.google.com ([2607:f8b0:4864:20::634]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1nSsMb-0005Xg-TG for pgsql-hackers@lists.postgresql.org; Sat, 12 Mar 2022 03:24:19 +0000 Received: by mail-pl1-x634.google.com with SMTP id e2so9176082pls.10 for ; Fri, 11 Mar 2022 19:24:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=j-davis-com.20210112.gappssmtp.com; s=20210112; h=message-id:subject:from:to:cc:date:in-reply-to:references :mime-version:content-transfer-encoding; bh=L3lRM8Yyj81tyIN95dih6DoEdBKQAIgcq1dahsDAT8g=; b=aBO0AcVwrRyhr3Squ6aFY0QPeFSrvsQsMMr6fNmrqAHVi8TXkG6GGK4MCSMXDXujhg IwlTPYic0STGLzaxwUyjVKFMsicyMSsw8oI8pyqOfLCXGykYHdhT71yXaD8rkdj35G/Z KPYquqhXUzVGqRSA1D8KKisKBbitT+fceUApKuGzVYdZECwjhnscEeg1vWzsOBeDFeGo Y5M+qLy7OF3CIvjL74foiNj1/hNwtriPnitY/g73w3Iti+79QJOPDkQCvJUyS1KxVUoC oYm0pbehkxLJe4Eog4QYrSZtBbjnBdrraBO5rYYnK3MglxjFroeuAuT1rRL1NTmwGo1F 0VFw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:subject:from:to:cc:date:in-reply-to :references:mime-version:content-transfer-encoding; bh=L3lRM8Yyj81tyIN95dih6DoEdBKQAIgcq1dahsDAT8g=; b=E2NHw+STmLzZhBlRUeAOHPqV1m4iXjuyqW1FV7dIkLDqpAdcG40E/Yqp+Zdtw3y9tg hYd0Bkzpj20CGHWQtA438utLWrJB5CuwQlq2fuRn3B4RJkzl786IBgWLXFHf8ZNRbuwP RCtzYzV51xRoO5dhZrLizz5WNXRmH/jVOFrVNa1DylHaU/nAUsE/VCPUtMGvUR3jDgQ9 evKHhw1RQTCUogcv5qdmGKGFN77e0EH4nhFJJqCtXnVqxitwrEkaQIOXmH6dq+1s0Xqj dyWhFUITvEQGm84dz7tIyycDI+cGnmQH8jKPowEaeZxbq+lns+ypNJhW806mP5oLNIz9 vVXg== X-Gm-Message-State: AOAM530qMtVcKpXg77K7ZKuSv5fjQfRW6l8c6h/fo3wg9G28gSB828zZ Ihh8EfXM9pGcfe5PuxNAAl+F+w== X-Google-Smtp-Source: ABdhPJzTIADcpALcqnPCdDqIj9P6bznsuuA1QXCNsFeV3LqYYjoYiljv0Dv5aGWJ9LyP4y5naINVmA== X-Received: by 2002:a17:902:9348:b0:14e:ec3d:2baa with SMTP id g8-20020a170902934800b0014eec3d2baamr13589971plp.107.1647055455457; Fri, 11 Mar 2022 19:24:15 -0800 (PST) Received: from jdavis.lan (c-73-231-146-4.hsd1.ca.comcast.net. [73.231.146.4]) by smtp.gmail.com with ESMTPSA id l5-20020a056a0016c500b004f140564a00sm12440891pfc.203.2022.03.11.19.24.13 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Fri, 11 Mar 2022 19:24:14 -0800 (PST) Message-ID: Subject: Re: pg_walinspect - a new extension to get raw WAL data and WAL stats From: Jeff Davis To: Stephen Frost , Robert Haas Cc: Bharath Rupireddy , Ashutosh Sharma , Andrew Dunstan , Greg Stark , Jeremy Schneider , Bruce Momjian , PostgreSQL Hackers , SATYANARAYANA NARLAPURAM , marvin_liang@qq.com, actyzhang@outlook.com Date: Fri, 11 Mar 2022 19:24:12 -0800 In-Reply-To: <20220310205424.GJ10577@tamriel.snowman.net> References: <39c13407c8b7311e9a3b24f2df814696bfa2ebff.camel@j-davis.com> <20220310205424.GJ10577@tamriel.snowman.net> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.28.5-0ubuntu0.18.04.2 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Thu, 2022-03-10 at 15:54 -0500, Stephen Frost wrote: > The standard is basically that all of the functions it brings are > written to enforce the PG privilege system and you aren't able to use > the extension to bypass those privileges. In some cases that means > that Every extension should follow that standard, right? If it doesn't (e.g. creating dangerous functions and granting them to public), then even superuser should not install it. > the C-language functions installed have if(!superuser) ereport() > calls I'm curious why not rely on the grant system where possible? I thought we were trying to get away from explicit superuser checks. > I've not looked back on this thread, but I'd expect pg_walinspect to > need those superuser checks and with those it *could* be marked as > trusted, but that again brings into question how useful it is to mark > it > thusly. As long as any functions are safely accessible to public or a predefined role, there is some utility for the 'trusted' marker. As this patch is currently written, pg_monitor has access these functions, though I don't think that's the right privilege level at least for pg_get_raw_wal_record(). > I certainly don't think we should allow either database owners or > regular users on a system the ability to access the WAL traffic of > the > entire system. Agreed. That was not what I intended by asking if it should be marked 'trusted'. The marker only allows the non-superuser to run the CREATE EXTENSION command; it's up to the extension script to decide whether any non-superusers can do anything at all with the extension. > More forcefully- we should *not* be throwing more access > rights towards $owners in general and should be thinking about how we > can allow admins, providers, whomever, the ability to control what > rights users are given. If they're all lumped under 'owner' then > there's no way for people to provide granular access to just those > things they wish and intend to. Not sure I understand, but that sounds like a larger discussion. Regards, Jeff Davis