Re: Special role for subscriptions

From Andrey Borodin
Subject Re: Special role for subscriptions
Date
Msg-id 123DA4FA-1359-47DA-AB7C-FBFA5D541259@yandex-team.ru
In response to Re: Special role for subscriptions  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: Special role for subscriptions
List pgsql-hackers

> On 20 March 2019, at 21:46, Robert Haas <robertmhaas@gmail.com> wrote:
>
> On Wed, Mar 20, 2019 at 5:39 AM Evgeniy Efimkin <efimkin@yandex-team.ru> wrote:
>> Hi!
>>> Currently, user with pg_subscription_users can create subscription into any system table, can't they?
>>> We certainly need to change it to more secure way.
>> No, you can't add system tables to publication. In new patch I add privileges checks on target table, non superuser can't create/refresh subscription if he doesn't have INSERT, UPDATE, DELETE and TRUNCATE privileges.
>
> ....
>
> I think we should view this permission as "you can create
> subscriptions, plain and simple".

That sounds good.
From my POV, the purpose of the patch is to allow users to transfer their database via logical replication without superuser privileges (e.g. to the managed cloud with vanilla postgres).

But the role effectively allows inserts to any table; this can be escalated to superuser. What is the best way to deal with it?

Best regards, Andrey Borodin.
