Re: [HACKERS] logical replication access control patches

On 3/29/17 19:01, Petr Jelinek wrote: >> So this CREATE SUBSCRIPTION priv actually gives you the power to cause >> the system to open network connections to the outside world. It's not >> something you give freely to random strangers -- should be guarded >> moderately tight, because it could be

Re: [HACKERS] logical replication access control patches

On 29/03/17 20:55, Alvaro Herrera wrote: > Peter Eisentraut wrote: >> On 3/15/17 21:54, Peter Eisentraut wrote: > >>> 0004 Add subscription apply worker privilege checks >>> 0005 Add CREATE SUBSCRIPTION privilege on databases >> >> It would be nice to reach a conclusion on these (the second one

Re: [HACKERS] logical replication access control patches

Peter Eisentraut wrote: > On 3/15/17 21:54, Peter Eisentraut wrote: > > 0004 Add subscription apply worker privilege checks > > 0005 Add CREATE SUBSCRIPTION privilege on databases > > It would be nice to reach a conclusion on these (the second one > particularly), because otherwise we'll be

Re: [HACKERS] logical replication access control patches

On 3/15/17 21:54, Peter Eisentraut wrote: > 0001 Refine rules for altering publication owner > 0002 Change logical replication pg_hba.conf use These two were committed. > 0003 Add USAGE privilege for publications I'm withdrawing this one for now, because of some issues that were discussed in

Re: [HACKERS] logical replication access control patches

On 3/22/17 08:12, Petr Jelinek wrote: > On 22/03/17 03:38, Peter Eisentraut wrote: >> On 3/20/17 15:10, Petr Jelinek wrote: >>> Hmm but REPLICATION role can do basebackup/consume wal, so how does >>> giving it limited publication access help? Wouldn't we need some >>> SUBSCRIPTION role/grant used

Re: [HACKERS] logical replication access control patches

On 3/18/17 09:31, Petr Jelinek wrote: >> 0001 Refine rules for altering publication owner >> >> kind of a bug fix > > Agreed, this can be committed as is. > >> >> 0002 Change logical replication pg_hba.conf use >> >> This was touched upon in the discussion at >>

Re: [HACKERS] logical replication access control patches

On 22/03/17 03:38, Peter Eisentraut wrote: > On 3/20/17 15:10, Petr Jelinek wrote: >> Hmm but REPLICATION role can do basebackup/consume wal, so how does >> giving it limited publication access help? Wouldn't we need some >> SUBSCRIPTION role/grant used instead for logical replication connections

Re: [HACKERS] logical replication access control patches

On 3/20/17 15:10, Petr Jelinek wrote: > Hmm but REPLICATION role can do basebackup/consume wal, so how does > giving it limited publication access help? Wouldn't we need some > SUBSCRIPTION role/grant used instead for logical replication connections > instead of REPLICATION for this to make sense?

Re: [HACKERS] logical replication access control patches

On 20/03/17 13:32, Peter Eisentraut wrote: > On 3/18/17 09:31, Petr Jelinek wrote: >>> 0003 Add USAGE privilege for publications >>> >>> a way to control who can subscribe to a publication >>> >> Hmm IIUC this removes ability of REPLICATION role to subscribe to >> publications. I am not quite sure

Re: [HACKERS] logical replication access control patches

On 3/18/17 09:31, Petr Jelinek wrote: >> 0003 Add USAGE privilege for publications >> >> a way to control who can subscribe to a publication >> > Hmm IIUC this removes ability of REPLICATION role to subscribe to > publications. I am not quite sure I like that. Well, this is kind of the way with

Re: [HACKERS] logical replication access control patches

Hi, I went over this patch set, don't really have all that much to say except it looks good for the most part (details inline). On 16/03/17 02:54, Peter Eisentraut wrote: > New patch set based on the discussions. I have dropped the PUBLICATION > privilege patch. The patches are also reordered

Re: [HACKERS] logical replication access control patches

New patch set based on the discussions. I have dropped the PUBLICATION privilege patch. The patches are also reordered a bit in approximate decreasing priority order. 0001 Refine rules for altering publication owner kind of a bug fix 0002 Change logical replication pg_hba.conf use This was

Re: [HACKERS] logical replication access control patches

On 3/14/17 14:49, Petr Jelinek wrote: > Not what I mean - owner should be able to publish table. If you are > granted role of the owner you can do what owner can no? I didn't actually know that ownership worked that way. You can grant the role of an owner to someone, and then that someone has

Re: [HACKERS] logical replication access control patches

On 3/14/17 15:37, Petr Jelinek wrote: > Yeah that's rather hard to say in front. Maybe safest action would be to > give the permission to owners in 10 and revisit special privilege in 11 > based on feedback? I'm fine with that. -- Peter Eisentraut http://www.2ndQuadrant.com/

Re: [HACKERS] logical replication access control patches

On 3/14/17 15:05, Stephen Frost wrote: > Another approach to solving my concern would be to only allow the > publishing of tables by non-owner users who have table-level SELECT > rights An early version of the logical replication patch set did that. But the problem is that this way someone with

Re: [HACKERS] logical replication access control patches

On Tue, Mar 14, 2017 at 3:37 PM, Petr Jelinek wrote: > On 14/03/17 20:09, Robert Haas wrote: >> On Tue, Mar 14, 2017 at 2:56 PM, Petr Jelinek >> wrote: >>> Note that I am not necessarily saying it's better though, just trying to >>>

Re: [HACKERS] logical replication access control patches

On 14/03/17 20:09, Robert Haas wrote: > On Tue, Mar 14, 2017 at 2:56 PM, Petr Jelinek > wrote: >> Note that I am not necessarily saying it's better though, just trying to >> explain. It definitely has drawbacks, as in order to grant publish on >> one table you might

Re: [HACKERS] logical replication access control patches

Greetings, * Robert Haas (robertmh...@gmail.com) wrote: > However, what I'm not clear about is whether this is a situation > that's likely to come up much in practice. I would have thought that > publications and subscriptions would typically be configured by roles > with quite high levels of

Re: [HACKERS] logical replication access control patches

On Tue, Mar 14, 2017 at 2:56 PM, Petr Jelinek wrote: > Note that I am not necessarily saying it's better though, just trying to > explain. It definitely has drawbacks, as in order to grant publish on > one table you might be granting lots of privileges on various

Re: [HACKERS] logical replication access control patches

Greetings, * Petr Jelinek (petr.jeli...@2ndquadrant.com) wrote: > On 14/03/17 19:47, Robert Haas wrote: > > On Tue, Mar 14, 2017 at 2:41 PM, Petr Jelinek > > wrote: > >> My understanding of what Shephen is proposing is, you have "ownerA" of > >> tableA and "ownerB"

Re: [HACKERS] logical replication access control patches

On 14/03/17 19:49, Petr Jelinek wrote: > On 14/03/17 19:47, Robert Haas wrote: >> On Tue, Mar 14, 2017 at 2:41 PM, Petr Jelinek >> wrote: >>> My understanding of what Shephen is proposing is, you have "ownerA" of >>> tableA and "ownerB" of tableB, then you want role

Re: [HACKERS] logical replication access control patches

On 14/03/17 19:47, Robert Haas wrote: > On Tue, Mar 14, 2017 at 2:41 PM, Petr Jelinek > wrote: >> My understanding of what Shephen is proposing is, you have "ownerA" of >> tableA and "ownerB" of tableB, then you want role "publishe"r to be able >> to publish those,

Re: [HACKERS] logical replication access control patches

On Tue, Mar 14, 2017 at 2:41 PM, Petr Jelinek wrote: > My understanding of what Shephen is proposing is, you have "ownerA" of > tableA and "ownerB" of tableB, then you want role "publishe"r to be able > to publish those, so you simply grant it the "ownerA" and

Re: [HACKERS] logical replication access control patches

On 10/03/17 20:02, Peter Eisentraut wrote: > On 2/27/17 22:10, Stephen Frost wrote: >> Peter, >> >> * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: >>> On 2/18/17 18:06, Stephen Frost wrote: I'm not convinced that it really makes sense to have PUBLICATION of a table be

Re: [HACKERS] logical replication access control patches

On 3/3/17 10:07, Stephen Frost wrote: > Will users really understand that the PUBLISH right actually allows > complete access to the entire relation, rather than just the ability for > a user to PUBLISH what they are currently about to SELECT? It certainly > doesn't seem intuitive to me, which is

Re: [HACKERS] logical replication access control patches

On 2/27/17 22:10, Stephen Frost wrote: > Peter, > > * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: >> On 2/18/17 18:06, Stephen Frost wrote: >>> I'm not convinced that it really makes sense to have PUBLICATION of a >>> table be independent from the rights an owner of a table has.

Re: [HACKERS] logical replication access control patches

* Petr Jelinek (petr.jeli...@2ndquadrant.com) wrote: > On 28/02/17 04:10, Stephen Frost wrote: > > Peter, > > > > * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: > >> On 2/18/17 18:06, Stephen Frost wrote: > >>> I'm not convinced that it really makes sense to have PUBLICATION of a >

Re: [HACKERS] logical replication access control patches

On 28/02/17 04:10, Stephen Frost wrote: > Peter, > > * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: >> On 2/18/17 18:06, Stephen Frost wrote: >>> I'm not convinced that it really makes sense to have PUBLICATION of a >>> table be independent from the rights an owner of a table has.

Re: [HACKERS] logical replication access control patches

Peter, * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: > On 2/18/17 18:06, Stephen Frost wrote: > > I'm not convinced that it really makes sense to have PUBLICATION of a > > table be independent from the rights an owner of a table has. We don't > > allow other ALTER commands on

Re: [HACKERS] logical replication access control patches

On 2/18/17 18:06, Stephen Frost wrote: > I'm not convinced that it really makes sense to have PUBLICATION of a > table be independent from the rights an owner of a table has. We don't > allow other ALTER commands on objects based on GRANT'able rights, in > general, so I'm not really sure that it

Re: [HACKERS] logical replication access control patches

Peter, * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: > 0002 Add PUBLICATION privilege > > Add a new privilege kind to tables to determine whether they can be > added to a publication. I'm not convinced that it really makes sense to have PUBLICATION of a table be independent from

[HACKERS] logical replication access control patches

Here is a patch set to refine various access control settings in logical replication. Currently, you need to be replication or superuser for most things, and the goal of these patches is to allow ordinary users equipped with explicit privileges to do most things. (Btw., current documentation is