search

pgadmin-org / pgadmin4

pgAdmin is the most popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world.
https://www.pgadmin.org
Other
2.49k stars 650 forks source link

pldebugger- superuser restriction for breakpoint (RM #5549) #3593

Open dpage opened 4 years ago

dpage commented 4 years ago

Issue migrated from Redmine: https://redmine.postgresql.org/issues/5549 Originally created by Mohini Ogale at 2020-05-22 02:39:13 UTC.

Hi All,

This is a feature requet regarding allowing non-superuser to set global breakpoints.

Recently, I test the pldebugger extension (PolarDB),and find a problem on set global breakpoint. When I use pgadmin to set a global breakpoint on procdure, there is no click to set it, like this.

I find the problem is current user is not a superuser, the pgadmin code is (web/pgadmin/tools/debugger/init.py):

and the "is_superuser" is judged from (web/pgadmin/utils/driver/psycopg2/connection.py)

so for non-superuser,it can not set global breakpoint. But I want to know why non-superuser can not set global breakpoint. I read the code of pldebugger, global breakpoint will insert a record in the breakpoint hash table, it may not have some safety problems. Also, I compared with AWS aurora-postgresql and rds-pg. In AWS, it has not support the pldebugger, but it have the same problem.

Aurora postgresql

Aws rds-pg

AWS dosen't support superuser to login, it use "rds_superuser" instead of superuser. The usage is the same as PolarDB Postgresql.

So, in pgadmin, if it can remove the "is_superuser" restrictions, because the limits can be set in pldebugger function pldbg_set_global_breakpoint with superuser() postgresql kernel function. The authority can be set in database kernel.

Non-superusers cannot set global breakpoints because:

a) It'll pause an in-progress transaction on what may be a production system. b) It would allow the user to modify data of another user, by injecting values into the other users procedures. c) It may allow data to be leaked that the debugging user wouldn't otherwise have access to.

The internal query for the user "polar_superuser" returns non-superuser. Hence, equesting for a "set global breakpoint" click in pgadmin. I think change the pgadmin option "set breakpoint" will not allow the non-superuser to use the function. There is no risks as you mentioned for all superusers and non-superusers. Because all the permissions can be limited in pldebugger, not in pgadmin.

This is the code "set breakpoint" function in pldebugger, not in pgadmin. The permissions have been limited by "superuser()", so for non-superuser, they can not use this function.

If I changed the code like this, for superuser, they can not user "set breakpoint", too.

For users who use the pldebugger, they can change the function "pldbg_set_global_breakpoint" in pldebugger to support their superuser or non-superuser to use "set breakpoint". But the pgadmin doesn't not support the non-superuser to use "set breakpoint", it is not necessary, because the non-superuser permissions can be limited in pldebugger code.

dpage commented 4 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/5549#note-1 Originally created by Akshay Joshi at 2020-05-22 10:23:03 UTC.

Redmine ticket header update:

Name Old Value New Value
Sprint changed Ready