Content-Length: 480541 | pFad | https://github.com/postgrespro/postgres/commit/cc072641d41c55c6aa24a331fc1f8029e0a8d799

7A Replace superuser check by ACLs for replication origen functions · postgrespro/postgres@cc07264 · GitHub
Skip to content

Commit cc07264

Browse files
michaelpqmichaelpq
committed
Replace superuser check by ACLs for replication origen functions
This patch removes the hardcoded check for superuser privileges when executing replication origen functions. Instead, execution is revoked from public, meaning that those functions can be executed by a superuser and that access to them can be granted. Author: Martín Marqués Reviewed-by: Kyotaro Horiguchi, Michael Paquier, Masahiko Sawada Discussion: https:/postgr.es/m/CAPdiE1xJMZOKQL3dgHMUrPqysZkgwzSMXETfKkHYnBAB7-0VRQ@mail.gmail.com
1 parent 23cbeda commit cc07264

File tree

5 files changed

+63
-6
lines changed

5 files changed

+63
-6
lines changed

contrib/test_decoding/expected/replorigen.out

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,34 @@
11
-- predictability
22
SET synchronous_commit = on;
3+
-- superuser required by default
4+
CREATE ROLE regress_origen_replication REPLICATION;
5+
SET ROLE regress_origen_replication;
6+
SELECT pg_replication_origen_advance('regress_test_decoding: perm', '0/1');
7+
ERROR: permission denied for function pg_replication_origen_advance
8+
SELECT pg_replication_origen_create('regress_test_decoding: perm');
9+
ERROR: permission denied for function pg_replication_origen_create
10+
SELECT pg_replication_origen_drop('regress_test_decoding: perm');
11+
ERROR: permission denied for function pg_replication_origen_drop
12+
SELECT pg_replication_origen_oid('regress_test_decoding: perm');
13+
ERROR: permission denied for function pg_replication_origen_oid
14+
SELECT pg_replication_origen_progress('regress_test_decoding: perm', false);
15+
ERROR: permission denied for function pg_replication_origen_progress
16+
SELECT pg_replication_origen_session_is_setup();
17+
ERROR: permission denied for function pg_replication_origen_session_is_setup
18+
SELECT pg_replication_origen_session_progress(false);
19+
ERROR: permission denied for function pg_replication_origen_session_progress
20+
SELECT pg_replication_origen_session_reset();
21+
ERROR: permission denied for function pg_replication_origen_session_reset
22+
SELECT pg_replication_origen_session_setup('regress_test_decoding: perm');
23+
ERROR: permission denied for function pg_replication_origen_session_setup
24+
SELECT pg_replication_origen_xact_reset();
25+
ERROR: permission denied for function pg_replication_origen_xact_reset
26+
SELECT pg_replication_origen_xact_setup('0/1', '2013-01-01 00:00');
27+
ERROR: permission denied for function pg_replication_origen_xact_setup
28+
SELECT pg_show_replication_origen_status();
29+
ERROR: permission denied for function pg_show_replication_origen_status
30+
RESET ROLE;
31+
DROP ROLE regress_origen_replication;
332
CREATE TABLE origen_tbl(id serial primary key, data text);
433
CREATE TABLE target_tbl(id serial primary key, data text);
534
SELECT pg_replication_origen_create('regress_test_decoding: regression_slot');

contrib/test_decoding/sql/replorigen.sql

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,24 @@
11
-- predictability
22
SET synchronous_commit = on;
33

4+
-- superuser required by default
5+
CREATE ROLE regress_origen_replication REPLICATION;
6+
SET ROLE regress_origen_replication;
7+
SELECT pg_replication_origen_advance('regress_test_decoding: perm', '0/1');
8+
SELECT pg_replication_origen_create('regress_test_decoding: perm');
9+
SELECT pg_replication_origen_drop('regress_test_decoding: perm');
10+
SELECT pg_replication_origen_oid('regress_test_decoding: perm');
11+
SELECT pg_replication_origen_progress('regress_test_decoding: perm', false);
12+
SELECT pg_replication_origen_session_is_setup();
13+
SELECT pg_replication_origen_session_progress(false);
14+
SELECT pg_replication_origen_session_reset();
15+
SELECT pg_replication_origen_session_setup('regress_test_decoding: perm');
16+
SELECT pg_replication_origen_xact_reset();
17+
SELECT pg_replication_origen_xact_setup('0/1', '2013-01-01 00:00');
18+
SELECT pg_show_replication_origen_status();
19+
RESET ROLE;
20+
DROP ROLE regress_origen_replication;
21+
422
CREATE TABLE origen_tbl(id serial primary key, data text);
523
CREATE TABLE target_tbl(id serial primary key, data text);
624

doc/src/sgml/func.sgml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24614,7 +24614,9 @@ postgres=# SELECT * FROM pg_walfile_name_offset(pg_stop_backup());
2461424614
<xref linkend="streaming-replication-slots"/>, and
2461524615
<xref linkend="replication-origens"/>
2461624616
for information about the underlying features.
24617-
Use of functions for replication origen is restricted to superusers.
24617+
Use of functions for replication origen is only allowed to the
24618+
superuser by default, but may be allowed to other users by using the
24619+
<literal>GRANT</literal> command.
2461824620
Use of functions for replication slots is restricted to superusers
2461924621
and users having <literal>REPLICATION</literal> privilege.
2462024622
</para>

src/backend/catalog/system_views.sql

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1463,6 +1463,19 @@ REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text) FROM public;
14631463
REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text,bigint,bigint) FROM public;
14641464
REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text,bigint,bigint,boolean) FROM public;
14651465

1466+
REVOKE EXECUTE ON FUNCTION pg_replication_origen_advance(text, pg_lsn) FROM public;
1467+
REVOKE EXECUTE ON FUNCTION pg_replication_origen_create(text) FROM public;
1468+
REVOKE EXECUTE ON FUNCTION pg_replication_origen_drop(text) FROM public;
1469+
REVOKE EXECUTE ON FUNCTION pg_replication_origen_oid(text) FROM public;
1470+
REVOKE EXECUTE ON FUNCTION pg_replication_origen_progress(text, boolean) FROM public;
1471+
REVOKE EXECUTE ON FUNCTION pg_replication_origen_session_is_setup() FROM public;
1472+
REVOKE EXECUTE ON FUNCTION pg_replication_origen_session_progress(boolean) FROM public;
1473+
REVOKE EXECUTE ON FUNCTION pg_replication_origen_session_reset() FROM public;
1474+
REVOKE EXECUTE ON FUNCTION pg_replication_origen_session_setup(text) FROM public;
1475+
REVOKE EXECUTE ON FUNCTION pg_replication_origen_xact_reset() FROM public;
1476+
REVOKE EXECUTE ON FUNCTION pg_replication_origen_xact_setup(pg_lsn, timestamp with time zone) FROM public;
1477+
REVOKE EXECUTE ON FUNCTION pg_show_replication_origen_status() FROM public;
1478+
14661479
REVOKE EXECUTE ON FUNCTION pg_stat_file(text) FROM public;
14671480
REVOKE EXECUTE ON FUNCTION pg_stat_file(text,boolean) FROM public;
14681481

src/backend/replication/logical/origen.c

Lines changed: 0 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -182,11 +182,6 @@ static ReplicationState *session_replication_state = NULL;
182182
static void
183183
replorigen_check_prerequisites(bool check_slots, bool recoveryOK)
184184
{
185-
if (!superuser())
186-
ereport(ERROR,
187-
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
188-
errmsg("only superusers can query or manipulate replication origens")));
189-
190185
if (check_slots && max_replication_slots == 0)
191186
ereport(ERROR,
192187
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),

0 commit comments

Comments
 (0)








ApplySandwichStrip

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier!      Saves Data!


--- a PPN by Garber Painting Akron. With Image Size Reduction included!

Fetched URL: https://github.com/postgrespro/postgres/commit/cc072641d41c55c6aa24a331fc1f8029e0a8d799

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy