On 10/20/21 14:40, Mark Dilger wrote:
> These patches have been split off the now deprecated monolithic "Delegating
> superuser tasks to new security roles" thread at [1].
>
> The purpose of these patches is to allow non-superuser subscription owners
> without risk of them overwriting tables they lack privilege to write
> directly. This both allows subscriptions to be managed by non-superusers, and
> protects servers with subscriptions from malicious activity on the publisher
> side.
>
> [1]
> https://www.postgresql.org/message-id/flat/F9408A5A-B20B-42D2-9E7F-49CD3D1547BC%40enterprisedb.com
These patches look good on their face. The code changes are very
straightforward.

w.r.t. this:

+ On the subscriber, the subscription owner's privileges are re-checked for
+ each change record when applied, but beware that a change of ownership for a
+ subscription may not be noticed immediately by the replication workers.
+ Changes made on the publisher may be applied on the subscriber as
+ the old owner. In such cases, the old owner's privileges will be the ones
+ that matter. Worse still, it may be hard to predict when replication
+ workers will notice the new ownership. Subscriptions created disabled and
+ only enabled after ownership has been changed will not be subject to this
+ race condition.

maybe we should disable the subscription before making such a change and
then re-enable it?

cheers

andrew

--
Andrew Dunstan
EDB: https://www.enterprisedb.com
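Review bot: the only remedy the quoted documentation offers, "Subscriptions created disabled and only enabled after ownership has been changed", covers new subscriptions but says nothing about changing the owner of a subscription that already exists, which is the common case; the paragraph should either spell out the sequence for an existing subscription (ALTER SUBSCRIPTION ... DISABLE, then ALTER SUBSCRIPTION ... OWNER TO ..., then ALTER SUBSCRIPTION ... ENABLE) or say explicitly that disabling does not close the window. "Worse still, it may be hard to predict when replication workers will notice the new ownership" also leaves the reader guessing: the text should name what actually makes a worker pick up the new owner, since that is what an administrator needs in order to know when the old owner's privileges stop applying. Finally, "the subscription owner's privileges are re-checked for each change record" and "may be applied on the subscriber as the old owner" read as contradictory unless the sentence says the check is made against the owner the worker currently knows, not the catalog value at the moment of applying; one clause to that effect would resolve it.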
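As an added example (not code from the patch set or from anyone in this thread), the disable / change owner / re-enable sequence Andrew proposes, written as a psql script for the subscriber. It assumes the patch series is applied, so that a non-superuser role may own a subscription; the role names, table, subscription, publication and connection string are invented for illustration.

```sql
-- Added example, not part of the patch or the thread. Assumes the patch
-- series is applied (non-superuser subscription owners are allowed).
-- Role, table, subscription, publication and connection names are invented.

-- Run as a superuser on the subscriber.
CREATE ROLE repl_owner LOGIN PASSWORD 'changeme';
CREATE ROLE repl_owner2 LOGIN PASSWORD 'changeme2';

-- The owner must be able to write the target tables directly; the point of
-- the patches is that replication must not let it write anything else.
GRANT INSERT, UPDATE, DELETE ON public.orders TO repl_owner, repl_owner2;

-- New subscription: create it disabled, so no apply worker starts yet.
CREATE SUBSCRIPTION orders_sub
    CONNECTION 'host=publisher dbname=app user=repl password=secret'
    PUBLICATION orders_pub
    WITH (enabled = false);

-- Ownership changes while no worker is running, so no change record can be
-- applied with the previous owner's privileges before the change is seen.
ALTER SUBSCRIPTION orders_sub OWNER TO repl_owner;
ALTER SUBSCRIPTION orders_sub ENABLE;

-- Existing, running subscription: same recipe. DISABLE asks the apply
-- worker to stop; only then is the owner changed and the worker restarted.
ALTER SUBSCRIPTION orders_sub DISABLE;
ALTER SUBSCRIPTION orders_sub OWNER TO repl_owner2;
ALTER SUBSCRIPTION orders_sub ENABLE;

-- Check what the catalog now records as owner and enabled state.
SELECT subname, subenabled, pg_get_userbyid(subowner) AS owner
  FROM pg_subscription
 WHERE subname = 'orders_sub';
```

The catalog query only shows what pg_subscription says; whether a still-running worker has picked up the new owner is exactly the question the quoted documentation leaves open, which is why the script never changes the owner of an enabled subscription.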