On Fri, Nov 23, 2018 at 3:55 PM Petr Jelinek <petr.jeli...@2ndquadrant.com> wrote: > > On 23/11/2018 17:15, Euler Taveira wrote: > > Em qui, 22 de nov de 2018 às 20:03, Petr Jelinek > > <petr.jeli...@2ndquadrant.com> escreveu: > >> Firstly, I am not sure if it's wise to allow UDFs in the filter clause > >> for the table. The reason for that is that we can't record all necessary > >> dependencies there because the functions are black box for parser. That > >> means if somebody drops object that an UDF used in replication filter > >> depends on, that function will start failing. But unlike for user > >> sessions it will start failing during decoding (well processing in > >> output plugin). And that's not recoverable by reading the missing > >> object, the only way to get out of that is either to move slot forward > >> which means losing part of replication stream and need for manual resync > >> or full rebuild of replication. Neither of which are good IMHO. > >> > > It is a foot gun but there are several ways to do bad things in > > postgres. CREATE PUBLICATION is restricted to superusers and role with > > CREATE privilege in current database. AFAICS a role with CREATE > > privilege cannot drop objects whose owner is not himself. I wouldn't > > like to disallow UDFs in row filtering expressions just because > > someone doesn't set permissions correctly. Do you have any other case > > in mind? > > I don't think this has anything to do with security. Stupid example: > > user1: CREATE EXTENSION citext; > > user2: CREATE FUNCTION myfilter(col1 text, col2 text) returns boolean > language plpgsql as > $$BEGIN > RETURN col1::citext = col2::citext; > END;$$ > > user2: ALTER PUBLICATION mypub ADD TABLE mytab WHERE (myfilter(a,b)); > > [... replication happening ...] > > user1: DROP EXTENSION citext; > > And now replication is broken and unrecoverable without data loss. > Recreating extension will not help because the changes happening in > meantime will not see it in the historical snapshot. > > I don't think it's okay to do completely nothing about this. >
If carefully documented I see no problem with it... we already have an analogous problem with functional indexes. Regards, -- Fabrízio de Royes Mello Timbira - http://www.timbira.com.br/ PostgreSQL: Consultoria, Desenvolvimento, Suporte 24x7 e Treinamento