Greetings, * Robert Haas (robertmh...@gmail.com) wrote: > On Thu, Mar 10, 2022 at 3:22 AM Jeff Davis <pg...@j-davis.com> wrote: > > * Can we mark this extension 'trusted'? I'm not 100% clear on the > > standards for that marker, but it seems reasonable for a database owner > > with the right privileges might want to install it. > > I'm not clear on the standard either, exactly, but might not that > allow the database owner to get a peek at what's happening in other > databases?
The standard is basically that all of the functions it brings are written to enforce the PG privilege system and you aren't able to use the extension to bypass those privileges. In some cases that means that the C-language functions installed have if(!superuser) ereport() calls throughout them- that's a fine answer, but it's perhaps not very helpful to mark those as trusted. In other cases, the C-language functions installed don't directly provide access to data, such as the PostGIS functions. I've not looked back on this thread, but I'd expect pg_walinspect to need those superuser checks and with those it *could* be marked as trusted, but that again brings into question how useful it is to mark it thusly. In an ideal world, we might have a pg_readwal predefined role which allows a role which was GRANT'd that role to be able to read WAL traffic, and then the pg_walinspect extension could check that the calling role has that predefined role, and other functions and extensions could also check that rather than any existing superuser checks. A cloud provider or such could then include in their setup of a new instance something like: GRANT pg_readwal TO admin_user WITH ADMIN OPTION; Presuming that there isn't anything that ends up in the WAL that's an issue for the admin_user to have access to. I certainly don't think we should allow either database owners or regular users on a system the ability to access the WAL traffic of the entire system. More forcefully- we should *not* be throwing more access rights towards $owners in general and should be thinking about how we can allow admins, providers, whomever, the ability to control what rights users are given. If they're all lumped under 'owner' then there's no way for people to provide granular access to just those things they wish and intend to. Thanks, Stephen
signature.asc
Description: PGP signature