Re: [HACKERS] logical replication access control patches

2017-04-06 Thread Peter Eisentraut
On 3/29/17 19:01, Petr Jelinek wrote: >> So this CREATE SUBSCRIPTION priv actually gives you the power to cause >> the system to open network connections to the outside world. It's not >> something you give freely to random strangers -- should be guarded >> moderately tight, because it could be

Re: [HACKERS] logical replication access control patches

2017-03-29 Thread Petr Jelinek
On 29/03/17 20:55, Alvaro Herrera wrote: > Peter Eisentraut wrote: >> On 3/15/17 21:54, Peter Eisentraut wrote: > >>> 0004 Add subscription apply worker privilege checks >>> 0005 Add CREATE SUBSCRIPTION privilege on databases >> >> It would be nice to reach a conclusion on these (the second one

Re: [HACKERS] logical replication access control patches

2017-03-29 Thread Alvaro Herrera
Peter Eisentraut wrote: > On 3/15/17 21:54, Peter Eisentraut wrote: > > 0004 Add subscription apply worker privilege checks > > 0005 Add CREATE SUBSCRIPTION privilege on databases > > It would be nice to reach a conclusion on these (the second one > particularly), because otherwise we'll be

Re: [HACKERS] logical replication access control patches

2017-03-29 Thread Peter Eisentraut
On 3/15/17 21:54, Peter Eisentraut wrote: > 0001 Refine rules for altering publication owner > 0002 Change logical replication pg_hba.conf use These two were committed. > 0003 Add USAGE privilege for publications I'm withdrawing this one for now, because of some issues that were discussed in

Re: [HACKERS] logical replication access control patches

2017-03-22 Thread Peter Eisentraut
On 3/22/17 08:12, Petr Jelinek wrote: > On 22/03/17 03:38, Peter Eisentraut wrote: >> On 3/20/17 15:10, Petr Jelinek wrote: >>> Hmm but REPLICATION role can do basebackup/consume wal, so how does >>> giving it limited publication access help? Wouldn't we need some >>> SUBSCRIPTION role/grant used

Re: [HACKERS] logical replication access control patches

2017-03-22 Thread Peter Eisentraut
On 3/18/17 09:31, Petr Jelinek wrote: >> 0001 Refine rules for altering publication owner >> >> kind of a bug fix > > Agreed, this can be committed as is. > >> >> 0002 Change logical replication pg_hba.conf use >> >> This was touched upon in the discussion at >>

Re: [HACKERS] logical replication access control patches

2017-03-22 Thread Petr Jelinek
On 22/03/17 03:38, Peter Eisentraut wrote: > On 3/20/17 15:10, Petr Jelinek wrote: >> Hmm but REPLICATION role can do basebackup/consume wal, so how does >> giving it limited publication access help? Wouldn't we need some >> SUBSCRIPTION role/grant used instead for logical replication connections

Re: [HACKERS] logical replication access control patches

2017-03-21 Thread Peter Eisentraut
On 3/20/17 15:10, Petr Jelinek wrote: > Hmm but REPLICATION role can do basebackup/consume wal, so how does > giving it limited publication access help? Wouldn't we need some > SUBSCRIPTION role/grant used instead for logical replication connections > instead of REPLICATION for this to make sense?

Re: [HACKERS] logical replication access control patches

2017-03-20 Thread Petr Jelinek
On 20/03/17 13:32, Peter Eisentraut wrote: > On 3/18/17 09:31, Petr Jelinek wrote: >>> 0003 Add USAGE privilege for publications >>> >>> a way to control who can subscribe to a publication >>> >> Hmm IIUC this removes ability of REPLICATION role to subscribe to >> publications. I am not quite sure

Re: [HACKERS] logical replication access control patches

2017-03-20 Thread Peter Eisentraut
On 3/18/17 09:31, Petr Jelinek wrote: >> 0003 Add USAGE privilege for publications >> >> a way to control who can subscribe to a publication >> > Hmm IIUC this removes ability of REPLICATION role to subscribe to > publications. I am not quite sure I like that. Well, this is kind of the way with

Re: [HACKERS] logical replication access control patches

2017-03-18 Thread Petr Jelinek
Hi, I went over this patch set, don't really have all that much to say except it looks good for the most part (details inline). On 16/03/17 02:54, Peter Eisentraut wrote: > New patch set based on the discussions. I have dropped the PUBLICATION > privilege patch. The patches are also reordered

Re: [HACKERS] logical replication access control patches

2017-03-15 Thread Peter Eisentraut
New patch set based on the discussions. I have dropped the PUBLICATION privilege patch. The patches are also reordered a bit in approximate decreasing priority order. 0001 Refine rules for altering publication owner kind of a bug fix 0002 Change logical replication pg_hba.conf use This was

Re: [HACKERS] logical replication access control patches

2017-03-15 Thread Peter Eisentraut
On 3/14/17 14:49, Petr Jelinek wrote: > Not what I mean - owner should be able to publish table. If you are > granted role of the owner you can do what owner can no? I didn't actually know that ownership worked that way. You can grant the role of an owner to someone, and then that someone has

Re: [HACKERS] logical replication access control patches

2017-03-15 Thread Peter Eisentraut
On 3/14/17 15:37, Petr Jelinek wrote: > Yeah that's rather hard to say in front. Maybe safest action would be to > give the permission to owners in 10 and revisit special privilege in 11 > based on feedback? I'm fine with that. -- Peter Eisentraut http://www.2ndQuadrant.com/

Re: [HACKERS] logical replication access control patches

2017-03-15 Thread Peter Eisentraut
On 3/14/17 15:05, Stephen Frost wrote: > Another approach to solving my concern would be to only allow the > publishing of tables by non-owner users who have table-level SELECT > rights An early version of the logical replication patch set did that. But the problem is that this way someone with

Re: [HACKERS] logical replication access control patches

2017-03-14 Thread Robert Haas
On Tue, Mar 14, 2017 at 3:37 PM, Petr Jelinek wrote: > On 14/03/17 20:09, Robert Haas wrote: >> On Tue, Mar 14, 2017 at 2:56 PM, Petr Jelinek >> wrote: >>> Note that I am not necessarily saying it's better though, just trying to >>>

Re: [HACKERS] logical replication access control patches

2017-03-14 Thread Petr Jelinek
On 14/03/17 20:09, Robert Haas wrote: > On Tue, Mar 14, 2017 at 2:56 PM, Petr Jelinek > wrote: >> Note that I am not necessarily saying it's better though, just trying to >> explain. It definitely has drawbacks, as in order to grant publish on >> one table you might

Re: [HACKERS] logical replication access control patches

2017-03-14 Thread Stephen Frost
Greetings, * Robert Haas (robertmh...@gmail.com) wrote: > However, what I'm not clear about is whether this is a situation > that's likely to come up much in practice. I would have thought that > publications and subscriptions would typically be configured by roles > with quite high levels of

Re: [HACKERS] logical replication access control patches

2017-03-14 Thread Robert Haas
On Tue, Mar 14, 2017 at 2:56 PM, Petr Jelinek wrote: > Note that I am not necessarily saying it's better though, just trying to > explain. It definitely has drawbacks, as in order to grant publish on > one table you might be granting lots of privileges on various

Re: [HACKERS] logical replication access control patches

2017-03-14 Thread Stephen Frost
Greetings, * Petr Jelinek (petr.jeli...@2ndquadrant.com) wrote: > On 14/03/17 19:47, Robert Haas wrote: > > On Tue, Mar 14, 2017 at 2:41 PM, Petr Jelinek > > wrote: > >> My understanding of what Shephen is proposing is, you have "ownerA" of > >> tableA and "ownerB"

Re: [HACKERS] logical replication access control patches

2017-03-14 Thread Petr Jelinek
On 14/03/17 19:49, Petr Jelinek wrote: > On 14/03/17 19:47, Robert Haas wrote: >> On Tue, Mar 14, 2017 at 2:41 PM, Petr Jelinek >> wrote: >>> My understanding of what Shephen is proposing is, you have "ownerA" of >>> tableA and "ownerB" of tableB, then you want role

Re: [HACKERS] logical replication access control patches

2017-03-14 Thread Petr Jelinek
On 14/03/17 19:47, Robert Haas wrote: > On Tue, Mar 14, 2017 at 2:41 PM, Petr Jelinek > wrote: >> My understanding of what Shephen is proposing is, you have "ownerA" of >> tableA and "ownerB" of tableB, then you want role "publishe"r to be able >> to publish those,

Re: [HACKERS] logical replication access control patches

2017-03-14 Thread Robert Haas
On Tue, Mar 14, 2017 at 2:41 PM, Petr Jelinek wrote: > My understanding of what Shephen is proposing is, you have "ownerA" of > tableA and "ownerB" of tableB, then you want role "publishe"r to be able > to publish those, so you simply grant it the "ownerA" and

Re: [HACKERS] logical replication access control patches

2017-03-14 Thread Petr Jelinek
On 10/03/17 20:02, Peter Eisentraut wrote: > On 2/27/17 22:10, Stephen Frost wrote: >> Peter, >> >> * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: >>> On 2/18/17 18:06, Stephen Frost wrote: I'm not convinced that it really makes sense to have PUBLICATION of a table be

Re: [HACKERS] logical replication access control patches

2017-03-10 Thread Peter Eisentraut
On 3/3/17 10:07, Stephen Frost wrote: > Will users really understand that the PUBLISH right actually allows > complete access to the entire relation, rather than just the ability for > a user to PUBLISH what they are currently about to SELECT? It certainly > doesn't seem intuitive to me, which is

Re: [HACKERS] logical replication access control patches

2017-03-10 Thread Peter Eisentraut
On 2/27/17 22:10, Stephen Frost wrote: > Peter, > > * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: >> On 2/18/17 18:06, Stephen Frost wrote: >>> I'm not convinced that it really makes sense to have PUBLICATION of a >>> table be independent from the rights an owner of a table has.

Re: [HACKERS] logical replication access control patches

2017-03-03 Thread Stephen Frost
* Petr Jelinek (petr.jeli...@2ndquadrant.com) wrote: > On 28/02/17 04:10, Stephen Frost wrote: > > Peter, > > > > * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: > >> On 2/18/17 18:06, Stephen Frost wrote: > >>> I'm not convinced that it really makes sense to have PUBLICATION of a >

Re: [HACKERS] logical replication access control patches

2017-02-27 Thread Petr Jelinek
On 28/02/17 04:10, Stephen Frost wrote: > Peter, > > * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: >> On 2/18/17 18:06, Stephen Frost wrote: >>> I'm not convinced that it really makes sense to have PUBLICATION of a >>> table be independent from the rights an owner of a table has.

Re: [HACKERS] logical replication access control patches

2017-02-27 Thread Stephen Frost
Peter, * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: > On 2/18/17 18:06, Stephen Frost wrote: > > I'm not convinced that it really makes sense to have PUBLICATION of a > > table be independent from the rights an owner of a table has. We don't > > allow other ALTER commands on

Re: [HACKERS] logical replication access control patches

2017-02-25 Thread Peter Eisentraut
On 2/18/17 18:06, Stephen Frost wrote: > I'm not convinced that it really makes sense to have PUBLICATION of a > table be independent from the rights an owner of a table has. We don't > allow other ALTER commands on objects based on GRANT'able rights, in > general, so I'm not really sure that it

Re: [HACKERS] logical replication access control patches

2017-02-18 Thread Stephen Frost
Peter, * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: > 0002 Add PUBLICATION privilege > > Add a new privilege kind to tables to determine whether they can be > added to a publication. I'm not convinced that it really makes sense to have PUBLICATION of a table be independent from