On 12/17/21 22:07, Alvaro Herrera wrote:
So I've been thinking about this as a "security" item (you can see my comments to that effect sprinkled all over this thread), in the sense that if a publication "hides" some column, then the replica just won't get access to it. But in reality that's mistaken: the filtering that this patch implements is done based on the queries that *the replica* executes at its own volition; if the replica decides to ignore the list of columns, it'll be able to get all columns. All it takes is an uncooperative replica in order for the lot of data to be exposed anyway.
Interesting, I haven't really looked at this as a security feature. And in my experience if something is not carefully designed to be secure from the get go, it's really hard to add that bit later ...
You say it's the replica making the decisions, but my mental model is it's the publisher decoding the data for a given list of publications (which indeed is specified by the subscriber). But the subscriber can't tweak the definition of publications, right? Or what do you mean by queries executed by the replica? What are the gap?
If the server has a *separate* security mechanism to hide the columns (per-column privs), it is that feature that will protect the data, not the logical-replication-feature to filter out columns.
Right. Although I haven't thought about how logical decoding interacts with column privileges. I don't think logical decoding actually checks column privileges - I certainly don't recall any ACL checks in src/backend/replication ...
AFAIK we only really check privileges during initial sync (when creating the slot and copying data), but then we keep replicating data even if the privilege gets revoked for the table/column. In principle the replication role is pretty close to superuser.
This led me to realize that the replica-side code in tablesync.c is totally oblivious to what's the publication through which a table is being received from in the replica. So we're not aware of a replica being exposed only a subset of columns through some specific publication; and a lot more hacking is needed than this patch does, in order to be aware of which publications are being used. I'm going to have a deeper look at this whole thing.
Does that mean we currently sync all the columns in the initial sync, and only start filtering columns later while decoding transactions?
regards -- Tomas Vondra EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
