Re: First draft of the PG 15 release notes

On Tue, May 10, 2022 at 03:12:18PM -0700, Mark Dilger wrote:
> 
> 
> > On May 10, 2022, at 8:44 AM, Bruce Momjian <bruce@momjian.us> wrote:
> > 
> > I have completed the first draft of the PG 15 release notes and you can
> > see the results here
> 
> 
> Thanks, Bruce!  This release note:
> 
>     • Prevent logical replication into tables where the subscription owner is subject to the table's row-level
securitypolicies (Mark Dilger)
 
> 
> ... should mention, independent of any RLS considerations, subscriptions are now applied under the privilege of the
subscriptionowner.  I don't think we can fit it in the release note, but the basic idea is that:
 
> 
>     CREATE SUBSCRIPTION ... CONNECTION '...' PUBLICATION ... WITH (enabled = false);
>     ALTER SUBSCRIPTION ... OWNER TO nonsuperuser_whoever;
>     ALTER SUBSCRIPTION ... ENABLE;
> 
> can be used to replicate a subscription without sync or apply workers operating as superuser.  That's the main
advantage. Previously, subscriptions always ran with superuser privilege, which creates security concerns if the
publisheris malicious (or foolish).  Avoiding any unintentional bypassing of RLS was just a necessary detail to close
thesecurity loophole, not the main point of the security enhancement.
 

Oh, interesting.  New text:

    <!--
    Author: Jeff Davis <jdavis@postgresql.org>
    2022-01-07 [a2ab9c06e] Respect permissions within logical replication.
    -->
    
    <listitem>
    <para>
    Allow logical replication to run as the owner of the publication (Mark Dilger)
    </para>
    
    <para>
    Because row-level security policies are not checked, only
    superusers, roles with bypassrls, and table owners can replicate
    into tables with row-level security policies.
    </para>
    </listitem>

How is this?

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Indecision is a decision.  Inaction is an action.  Mark Batterson