Add new predefined role pg_create_subscription.

This role can be granted to non-superusers to allow them to issue CREATE SUBSCRIPTION. The non-superuser must additionally have CREATE permissions on the database in which the subscription is to be created. Most forms of ALTER SUBSCRIPTION, including ALTER SUBSCRIPTION .. SKIP, now require only that the role performing the operation own the subscription, or inherit the privileges of the owner. However, to use ALTER SUBSCRIPTION ... RENAME or ALTER SUBSCRIPTION ... OWNER TO, you also need CREATE permission on the database. This is similar to what we do for schemas. To change the owner of a schema, you must also have permission to SET ROLE to the new owner, similar to what we do for other object types. Non-superusers are required to specify a password for authentication and the remote side must use the password, similar to what is required for postgres_fdw and dblink. A superuser who wants a non-superuser to own a subscription that does not rely on password authentication may set the new password_required=false property on that subscription. A non-superuser may not set password_required=false and may not modify a subscription that already has password_required=false. This new password_required subscription property works much like the eponymous postgres_fdw property. In both cases, the actual semantics are that a password is not required if either (1) the property is set to false or (2) the relevant user is the superuser. Patch by me, reviewed by Andres Freund, Jeff Davis, Mark Dilger, and Stephen Frost (but some of those people did not fully endorse all of the decisions that the patch makes). Discussion: http://postgr.es/m/CA+TgmoaDH=0Xj7OBiQnsHTKcF2c4L+=gzPBUKSJLh8zed2_+Dg@mail.gmail.com
2025-07-27 12:41:57 +03:00 · 2023-03-30 11:37:19 -04:00
parent b0e9e4d76c
commit c3afe8cf5a
21 changed files with 384 additions and 60 deletions
--- a/doc/src/sgml/ref/alter_subscription.sgml
+++ b/doc/src/sgml/ref/alter_subscription.sgml
@ -46,10 +46,11 @@ ALTER SUBSCRIPTION <replaceable class="parameter">name</replaceable> RENAME TO <

  <para>
   You must own the subscription to use <command>ALTER SUBSCRIPTION</command>.
-   To alter the owner, you must be able to <literal>SET ROLE</literal> to the
-   new owning role.  The new owner has to be a superuser.
-   (Currently, all subscription owners must be superusers, so the owner checks
-   will be bypassed in practice.  But this might change in the future.)
+   To rename a subscription or alter the owner, you must have
+   <literal>CREATE</literal> permission on the database. In addition,
+   to alter the owner, you must be able to <literal>SET ROLE</literal> to the
+   new owning role. If the subscription has
+   <literal>password_required=false</literal>, only superusers can modify it.
  </para>

  <para>
@ -223,7 +224,9 @@ ALTER SUBSCRIPTION <replaceable class="parameter">name</replaceable> RENAME TO <
      <link linkend="sql-createsubscription-with-binary"><literal>binary</literal></link>,
      <link linkend="sql-createsubscription-with-streaming"><literal>streaming</literal></link>,
      <link linkend="sql-createsubscription-with-disable-on-error"><literal>disable_on_error</literal></link>,
-      and <link linkend="sql-createsubscription-with-origin"><literal>origin</literal></link>.
+      <link linkend="sql-createsubscription-with-password-required"><literal>password_required</literal></link>, and
+      <link linkend="sql-createsubscription-with-origin"><literal>origin</literal></link>.
+      Only a superuser can set <literal>password_required = false</literal>.
     </para>
    </listitem>
   </varlistentry>
@ -244,8 +247,7 @@ ALTER SUBSCRIPTION <replaceable class="parameter">name</replaceable> RENAME TO <
      finishes a transaction, the LSN (stored in
      <structname>pg_subscription</structname>.<structfield>subskiplsn</structfield>)
      is cleared.  See <xref linkend="logical-replication-conflicts"/> for
-      the details of logical replication conflicts.  Using this command requires
-      superuser privilege.
+      the details of logical replication conflicts.
     </para>

     <para>
--- a/doc/src/sgml/ref/create_subscription.sgml
+++ b/doc/src/sgml/ref/create_subscription.sgml
@ -33,7 +33,8 @@ CREATE SUBSCRIPTION <replaceable class="parameter">subscription_name</replaceabl

  <para>
   <command>CREATE SUBSCRIPTION</command> adds a new logical-replication
-   subscription.  The subscription name must be distinct from the name of
+   subscription.  The user that creates a subscription becomes the owner
+   of the subscription. The subscription name must be distinct from the name of
   any existing subscription in the current database.
  </para>

@ -49,6 +50,12 @@ CREATE SUBSCRIPTION <replaceable class="parameter">subscription_name</replaceabl
   unless the subscription is initially disabled.
  </para>

+  <para>
+   To be able to create a subscription, you must have the privileges of the
+   the <literal>pg_create_subscription</literal> role, as well as
+   <literal>CREATE</literal> privileges on the current database.
+  </para>
+
  <para>
   Additional information about subscriptions and logical replication as a
   whole is available at <xref linkend="logical-replication-subscription"/> and
@ -365,6 +372,19 @@ CREATE SUBSCRIPTION <replaceable class="parameter">subscription_name</replaceabl
         </para>
        </listitem>
       </varlistentry>
+
+       <varlistentry>
+        <term><literal>password_required</literal> (<type>string</type>)</term>
+        <listitem>
+         <para>
+          Specifies whether connections to the publisher made as a result
+          of this subscription must use password authentication. This setting
+          is ignored when the subscription is owned by a superuser.
+          The default is <literal>true</literal>. Only superusers can set
+          this value to <literal>false</literal>.
+         </para>
+        </listitem>
+       </varlistentry>
      </variablelist></para>

    </listitem>
--- a/doc/src/sgml/ref/drop_subscription.sgml
+++ b/doc/src/sgml/ref/drop_subscription.sgml
@ -34,7 +34,7 @@ DROP SUBSCRIPTION [ IF EXISTS ] <replaceable class="parameter">name</replaceable
  </para>

  <para>
-   A subscription can only be dropped by a superuser.
+   To execute this command the user must be the owner of the subscription.
  </para>

  <para>
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@ -699,6 +699,12 @@ DROP ROLE doomed_role;
       <entry>Allow use of connection slots reserved via
       <xref linkend="guc-reserved-connections"/>.</entry>
      </row>
+      <row>
+       <entry>pg_create_subscription</entry>
+       <entry>Allow users with <literal>CREATE</literal> permission on the
+       database to issue
+       <link linkend="sql-createsubscription"><command>CREATE SUBSCRIPTION</command></link>.</entry>
+      </row>
     </tbody>
    </tgroup>
   </table>