git.postgresql.org Git - users/rhaas/postgres.git/commit

author	Jeff Davis <jdavis@postgresql.org>
	Sat, 8 Jan 2022 01:38:20 +0000 (17:38 -0800)
committer	Jeff Davis <jdavis@postgresql.org>
	Sat, 8 Jan 2022 01:40:56 +0000 (17:40 -0800)
commit	a2ab9c06ea15fbcb2bfde570986a06b37f52bcca
tree	8fdee8c9df638b5e0c6850a16ffa2d5677866189	tree
parent	d0d62262d34154965511cfda6b98609d27752d5a	commit \| diff

Respect permissions within logical replication.

Prevent logical replication workers from performing insert, update,
delete, truncate, or copy commands on tables unless the subscription
owner has permission to do so.

Prevent subscription owners from circumventing row-level security by
forbidding replication into tables with row-level security policies
which the subscription owner is subject to, without regard to whether
the policy would ordinarily allow the INSERT, UPDATE, DELETE or
TRUNCATE which is being replicated. This seems sufficient for now, as
superusers, roles with bypassrls, and target table owners should still
be able to replicate despite RLS policies. We can revisit the
question of applying row-level security policies on a per-row basis if
this restriction proves too severe in practice.

Author: Mark Dilger
Reviewed-by: Jeff Davis, Andrew Dunstan, Ronan Dunklau
Discussion: https://postgr.es/m/9DFC88D3-1300-4DE8-ACBC-4CEF84399A53%40enterprisedb.com

doc/src/sgml/logical-replication.sgml		diff \| blob \| blame \| history
src/backend/commands/subscriptioncmds.c		diff \| blob \| blame \| history
src/backend/replication/logical/tablesync.c		diff \| blob \| blame \| history
src/backend/replication/logical/worker.c		diff \| blob \| blame \| history
src/test/perl/PostgreSQL/Test/Cluster.pm		diff \| blob \| blame \| history
src/test/subscription/t/027_nosuperuser.pl	[new file with mode: 0644]	blob