Execute event trigger under superuser #110
Comments
|
|
|
I don't think that would work.. we need to skip user-defined event triggers for superusers and reserved_roles. Returning |
|
Yeah let's go with your approach 👍 I'd even go further and enforce event triggers to have the same owner as the event trigger function. We'd also need to enforce it on |
|
Ok cool. Since we have a blocker for that solution as mentioned above, how about if we just release without solving this issue for now? I think event triggers should still be useful in the current form. |
That might be problematic? Some of our internal event triggers would get skipped (pg_graphql, pg_net, pg_cron). Actually I just realized the skipping event trigger execution on Let's test this on a custom AMI first - we may be able to use an alternate mechanism for these internal event triggers (e.g. using extensions' after-create script) |
No, those should work fine. Right now the superuser event triggers execute normal for regular users. They're only skipped for superusers (which customers never use).
If we do want to solve this issue now, wouldn't it be better to fix supabase/postgres#1437 instead? It seems like a serious issue that needs to be resolved anyway.
Could you elaborate on this? It looked OK to me to skip event triggers on CREATE EXTENSION, this from the perspective of pg_graphql and postgREST evtrigs which reload their schema cache and don't need to look at extension objects. |
Skipping pg_graphql event trigger would be a problem because that's where we replace the placeholder function and perform grants. Same with pg_net and pg_cron. |
Closes supabase#110. superuser evtrigs now work as usual with the exception of `CREATE EXTENSION`. Which will now fire superuser evtrigs, but not regular user evtrigs. This is because how `CREATE EXTENSION` works under supautils (switchs to superuser before executing CREATE EXTENSION).
|
Implemented the above on #115 as agreed but without:
While it does make sense, I'm not sure if it's really needed. |
Closes supabase#110. superuser evtrigs now work as usual with the exception of `CREATE EXTENSION`. Which will now fire superuser evtrigs, but not regular user evtrigs. This is because how `CREATE EXTENSION` works under supautils (switchs to superuser before executing CREATE EXTENSION).
Problem
When
supautilsis enabled for superusers, this will cause them to skip event triggers. This is to prevent privilege escalation due to user defined event triggers (#98), which is desirable.However this will also happen for superuser owned event triggers. So if we're logged in as superuser, and we create an event trigger it won't fire. Which is surprising behavior.
Solution
We already differentiate between user-owned event triggers and superuser-owned event triggers. An solution would be:
Implementation
Due to PostgreSQL C API limitations, it's not possible to know inside the
fmgr_hookwhich event trigger fired the function. So we cannot get the "owner" of the event trigger by intercepting the function execution.However, we can enforce that:
This would be enough to implement the above solution in the
fmgr_hook.Blocker
While the above should work, the Supabase plataform currently has a bug which would be incompatible with the above design , see
grant_pg_cron_accesson supabase/postgres#1437 (essentially a superuser event trigger is executing a user function). Once that is fixed, this can be implemented safely.Workaround
A workaround is to not enable
supautilson superusers. Although in most casessupautilswill be applied cluster-wide.@soedirgo Any thoughts?
The text was updated successfully, but these errors were encountered: