On 10/20/21 14:40, Mark Dilger wrote:
> These patches have been split off the now deprecated monolithic "Delegating superuser tasks to new security roles" thread at [1].
>
> The purpose of these patches is to allow non-superuser subscription owners without risk of them overwriting tables they lack privilege to write directly. This both allows subscriptions to be managed by non-superusers, and protects servers with subscriptions from malicious activity on the publisher side.
>
> [1] https://www.postgresql.org/message-id/flat/F9408A5A-B20B-42D2-9E7F-49CD3D1547BC%40enterprisedb.com

These patches look good on their face. The code changes are very
straightforward.

w.r.t. this:

+ On the subscriber, the subscription owner's privileges are
re-checked for
+ each change record when applied, but beware that a change of
ownership for a
+ subscription may not be noticed immediately by the replication workers.
+ Changes made on the publisher may be applied on the subscriber as
+ the old owner. In such cases, the old owner's privileges will be
the ones
+ that matter. Worse still, it may be hard to predict when replication
+ workers will notice the new ownership. Subscriptions created
disabled and
+ only enabled after ownership has been changed will not be subject to
this
+ race condition.
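
Review bot: The closing sentence of this added paragraph ("Subscriptions created disabled and only enabled after ownership has been changed ...") covers only subscriptions that were created disabled, so an administrator changing the owner of a subscription that is already running is given no way to bound the window in which changes are still applied with the old owner's privileges. The text says only that the change "may not be noticed immediately" and that it is "hard to predict" when it will be. It should state what makes the replication workers pick up the new owner, or give a procedure for existing subscriptions that closes the window. "Worse still" could also be replaced with a neutral statement of the behaviour.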

maybe we should disable the subscription before making such a change and
then re-enable it?

cheers

andrew

--
Andrew Dunstan
EDB: https://www.enterprisedb.com