Euler Taveira <[email protected]> wrote:
> On Fri, May 13, 2022, at 3:36 AM, Antonin Houska wrote:
>
> Attached is my proposal. It tries to be more specific and does not mention the
> absence of the privileges explicitly.
>
> You explained the current issue but say nothing about the limitation. This
> information will trigger a question possibly in one of the MLs. IMO if you say
> something like the sentence above at the end, it will make it clear why that
> setup exposes all data (there is no access control to publications) and
> explicitly say there is a TODO here.
>
> Additional privileges might be added to control access to table data in a
> future version of <productname>PostgreSQL</productname>.
I thought it sounded too negative if the absence of some feature was mentioned
explicitly. However, it makes sense to be clear from a technical point of view.
> I also wouldn't use the warning tag because it fits in the same category as the
> other restrictions listed in the page.
ok, please see the next version.
--
Antonin Houska
Web: https://www.cybertec-postgresql.com
diff --git a/doc/src/sgml/ref/create_publication.sgml b/doc/src/sgml/ref/create_publication.sgml
index 1a828e8d2ff..259fe20a148 100644
--- a/doc/src/sgml/ref/create_publication.sgml
+++ b/doc/src/sgml/ref/create_publication.sgml
@@ -112,6 +112,17 @@ CREATE PUBLICATION <replaceable class="parameter">name</replaceable>
Specifying a table that is part of a schema specified by
<literal>FOR ALL TABLES IN SCHEMA</literal> is not supported.
</para>
+
+ <para>
+ Note that there are currently no privileges on publication, and that any
+ subscriber can access any publication. Thus if you're trying to hide
+ some information from particular subscribers (by using the
+ <literal>WHERE</literal> clause or the column list, or by not adding the
+ whole table to the publication), please be aware that other publications
+ can expose the same information. Publication privileges might be added
+ to <productname>PostgreSQL</productname> in the future to allow for
+ fine-grained access control.
+ </para>
</listitem>
</varlistentry>
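Review bot: The added paragraph sits inside the <listitem> whose preceding text is about FOR ALL TABLES IN SCHEMA, but the caveat it states covers the WHERE clause, column lists and table membership in general, so a reader looking at those options may never see it; consider moving it to a place that applies to the whole command. In the first added line, "no privileges on publication" should read "no privileges on publications", and "you're" and "please be aware" are more conversational than the surrounding reference text. It would also help to say what "any subscriber" means here, since the paragraph's security conclusion depends on it.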