On Mon, Jun 7, 2021 at 2:38 PM Amit Kapila <amit.kapil...@gmail.com> wrote:
>
> On Thu, Jun 3, 2021 at 10:39 PM Tom Lane <t...@sss.pgh.pa.us> wrote:
> >
> > "Euler Taveira" <eu...@eulerto.com> writes:
> > > I was checking the GRANT on pg_subscription and noticed that the command
> > > is not
> > > correct. There is a comment that says "All columns of pg_subscription
> > > except
> > > subconninfo are readable". However, there are columns that aren't
> > > included: oid
> > > and subsynccommit. It seems an oversight in the commits 6f236e1eb8c and
> > > 887227a1cc8.
> >
> > Ugh.
> >
> > > There are monitoring tools and data collectors that aren't using a
> > > superuser to read catalog information (I usually recommend using
> > > pg_monitor).
> > > Hence, you cannot join pg_subscription with relations such as
> > > pg_subscription_rel or pg_stat_subscription because column oid has no
> > > column-level privilege. I'm attaching a patch to fix it (indeed, 2 patches
> > > because of additional columns for v14). We should add instructions in the
> > > minor
> > > version release notes too.
> >
> > I agree with fixing this in HEAD. But given that this has been wrong
> > since v10 with zero previous complaints, I doubt that it is worth the
> > complication of trying to do something about it in the back branches.
> > Maybe we could just adjust the docs there, instead.
> >
>
> This sounds reasonable to me. Euler, can you provide the doc updates
> for back-branches?
Attached patch has the documentation changes for the back-branches. As
there is no specific reason for this, I have just mentioned
"Additionally normal users can't access columns oid and
subsynccommit." The same patch applies till V10 branch.
Regards,
Vignesh
From 37f9fc48baa2c233d16ee8ac1e8547680cd05b04 Mon Sep 17 00:00:00 2001
From: vignesh <vignes...@gmail.com>
Date: Mon, 28 Jun 2021 10:06:58 +0530
Subject: [PATCH v1] Documentation for normal users not having permission for
columns oid and subsynccommit in pg_subscription catalog table.
Documentation for normal users not having permission for columns oid
and subsynccommit in pg_subscription catalog table.
---
doc/src/sgml/catalogs.sgml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 4dff3f60a2..f6b5c2e562 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -7457,7 +7457,9 @@ SCRAM-SHA-256$<replaceable><iteration count></replaceable>:<replaceable>&l
<para>
Access to the column <structfield>subconninfo</structfield> is revoked from
- normal users, because it could contain plain-text passwords.
+ normal users, because it could contain plain-text passwords. Additionally
+ normal users can't access columns <structfield>oid</structfield> and
+ <structfield>subsynccommit</structfield>.
</para>
<table>
--
2.25.1
