> On March 20, 2019, at 21:46, Robert Haas <robertmh...@gmail.com> wrote:
>
> On Wed, Mar 20, 2019 at 5:39 AM Evgeniy Efimkin <efim...@yandex-team.ru>
> wrote:
>> Hi!
>>> Currently, a user with pg_subscription_users can create a subscription into any
>>> system table, can't they?
>>> We certainly need to change it to a more secure way.
>> No, you can't add system tables to a publication. In the new patch I add
>> privilege checks on the target table: a non-superuser can't create/refresh a
>> subscription if he doesn't have INSERT, UPDATE, DELETE and TRUNCATE privileges.
>
> ....
>
> I think we should view this permission as "you can create
> subscriptions, plain and simple".
That sounds good.
From my POV, the purpose of the patch is to allow users to transfer their
database via logical replication without superuser privileges (e.g. to the
managed cloud with vanilla postgres).
But the role effectively allows inserts to any table; this can be escalated to
superuser. What is the best way to deal with it?
Best regards, Andrey Borodin.