On 17.12.21 22:07, Alvaro Herrera wrote:
So I've been thinking about this as a "security" item (you can see my comments to that effect sprinkled all over this thread), in the sense that if a publication "hides" some column, then the replica just won't get access to it. But in reality that's mistaken: the filtering that this patch implements is done based on the queries that *the replica* executes at its own volition; if the replica decides to ignore the list of columns, it'll be able to get all columns. All it takes is an uncooperative replica in order for the lot of data to be exposed anyway.
During normal replication, the publisher should only send the columns that are configured to be part of the publication. So I don't see a problem there.
During the initial table sync, the subscriber indeed can construct any COPY command. We could maybe replace this with a more customized COPY command variant, like COPY table OF publication TO STDOUT.
But right now the subscriber is sort of assumed to have access to everything on the publisher anyway, so I doubt that this is the only problem. But it's worth considering.
