Re: row filtering for logical replication
От | Petr Jelinek |
---|---|
Тема | Re: row filtering for logical replication |
Дата | |
Msg-id | 7bf075c2-7538-e5a4-d4f7-d1a51544dba5@2ndquadrant.com обсуждение исходный текст |
Ответ на | Re: row filtering for logical replication (Stephen Frost <sfrost@snowman.net>) |
Ответы |
Re: row filtering for logical replication
(Euler Taveira <euler@timbira.com.br>)
Re: row filtering for logical replication (Stephen Frost <sfrost@snowman.net>) |
Список | pgsql-hackers |
On 23/11/2018 03:02, Stephen Frost wrote: > Greetings, > > * Euler Taveira (euler@timbira.com.br) wrote: >> 2018-02-28 21:54 GMT-03:00 Craig Ringer <craig@2ndquadrant.com>: >>> Good idea. I haven't read this yet, but one thing to make sure you've >>> handled is limiting the clause to referencing only the current tuple and the >>> catalogs. user-catalog tables are OK, too, anything that is >>> RelationIsAccessibleInLogicalDecoding(). >>> >>> This means only immutable functions may be invoked, since a stable or >>> volatile function might attempt to access a table. And views must be >>> prohibited or recursively checked. (We have tree walkers that would help >>> with this). >>> >>> It might be worth looking at the current logic for CHECK expressions, since >>> the requirements are similar. In my opinion you could safely not bother with >>> allowing access to user catalog tables in the filter expressions and limit >>> them strictly to immutable functions and the tuple its self. >> >> IIRC implementation is similar to RLS expressions. I'll check all of >> these rules. > > Given the similarity to RLS and the nearby discussion about allowing > non-superusers to create subscriptions, and probably publications later, > I wonder if we shouldn't be somehow associating this with RLS policies > instead of having the publication filtering be entirely independent.. > I do see the appeal here, if you consider logical replication to be a streaming select it probably applies well. But given that this is happening inside output plugin which does not have full executor setup and has catalog-only snapshot I am not sure how feasible it is to try to merge these two things. As per my previous email it's possible that we'll have to be stricter about what we allow in expressions here. The other issue with merging this is that the use-case for filtering out the data in logical replication is not necessarily about security, but often about sending only relevant data. So it makes sense to have filter on publication without RLS enabled on table and if we'd force that, we'd limit usefulness of this feature. We definitely want to eventually create subscriptions as non-superuser but that has zero effect on this as everything here is happening on different server than where subscription lives (we already allow creation of publications with just CREATE privilege on database and ownership of the table). -- Petr Jelinek http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services
В списке pgsql-hackers по дате отправления:
Предыдущее
От: Arthur ZakirovДата:
Сообщение: Re: Add extension options to control TAP and isolation tests