AWS AmazonRDS documentation change
Summary
Reorganized documentation structure by moving configuration details and 'Turning off support' sections lower in the document. Modified SQL examples to explicitly use pg_catalog schema in function calls. Removed redundant section references.
Security assessment
The changes primarily involve documentation restructuring and adding explicit schema qualifications (pg_catalog) to SQL functions. While explicit schema usage can help prevent function hijacking attacks, there is no explicit mention of a security vulnerability being addressed. The modifications appear to be general documentation improvements rather than direct responses to security issues.
Diff
diff --git a/AmazonRDS/latest/AuroraUserGuide/Aurora_delegated_ext.md b/AmazonRDS/latest/AuroraUserGuide/Aurora_delegated_ext.md index d05d6b41f..a5374be74 100644 --- a//AmazonRDS/latest/AuroraUserGuide/Aurora_delegated_ext.md +++ b//AmazonRDS/latest/AuroraUserGuide/Aurora_delegated_ext.md @@ -79 +79 @@ You need not restart the database after changing the `rds.allowed_delegated_exte - 3. Allow access to the delegated user to objects created during the extension creation process – Certain extensions create objects that require additional permissions to be granted before the user with `rds_extension` role can access them. The `rds_superuser` must grant the delegated user access to those objects. One of the options is to use an event trigger to automatically grant permission to the delegated user. For more information, refer to the event trigger example in Turning off the support for the delegated extension. + 3. Allow access to the delegated user to objects created during the extension creation process – Certain extensions create objects that require additional permissions to be granted before the user with `rds_extension` role can access them. The `rds_superuser` must grant the delegated user access to those objects. One of the options is to use an event trigger to automatically grant permission to the delegated user. @@ -81,44 +81 @@ You need not restart the database after changing the `rds.allowed_delegated_exte - - - -## Configuration used in Aurora delegated extension support for PostgreSQL - -Configuration Name | Description | Default Value | Notes | Who can modify or grant permission ----|---|---|---|--- -`rds.allowed_delegated_extensions` | This parameter limits the extensions a rds_extension role can manage in a database. It must be a subset of rds.allowed_extensions. | empty string | - - * By default, this parameter is empty string, which means that no extensions have been delegated to users with `rds_extension`. - * Any supported extension can be added if the user has permission to do so. To do this, set the `rds.allowed_delegated_extensions` parameter to a string of comma-separated extension names. By adding a list of extensions to this parameter, you explicitly identify the extensions that the user with the `rds_extension` role can install. - * When set to `*`, it means that all extensions listed in `rds_allowed_extensions` are delegated to users with `rds_extension` role. - -To learn more about setting up this parameter, see Turning on delegate extension support to a user.| rds_superuser -`rds.allowed_extensions`| This parameter lets the customer limit the extensions that can be installed in the Aurora PostgreSQL DB instance. For more information, see [Restricting installation of PostgreSQL extensions ](https://docs.aws.amazon.com//AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.FeatureSupport.Extensions.Restriction)| "*"| By default, this parameter is set to "*", which means that all extensions supported on RDS for PostgreSQL and Aurora PostgreSQL are allowed to be created by users with necessary privileges. Empty means no extensions can be installed in the Aurora PostgreSQL DB instance.| administrator -`rds-delegated_extension_allow_drop_cascade`| This parameter controls the ability for user with `rds_extension` to drop the extension using a cascade option.| off | By default, `rds-delegated_extension_allow_drop_cascade` is set to `off`. This means that users with `rds_extension` are not allowed to drop an extension using the cascade option. To grant that ability, the `rds.delegated_extension_allow_drop_cascade` parameter should be set to `on`.| rds_superuser - -## Turning off the support for the delegated extension - -###### Turning off partially - -The delegated users can’t create new extensions but can still update existing extensions. - - * Reset `rds.allowed_delegated_extensions` to the default value in the DB cluster parameter group. - - * Use the following command at the database level: - - alter database database_name reset rds.allowed_delegated_extensions; - - * Use the following command at the user level: - - alter user user_name reset rds.allowed_delegated_extensions; - - - - -###### Turning off fully - -Revoking `rds_extension` role from a user will revert the user to standard permissions. The user can no longer create, update, or drop extensions. - - - postgres => revoke rds_extension from user_name; - -###### Example of event trigger +Example of event trigger @@ -145 +101 @@ If you want to allow a delegated user with `rds_extension` to use extensions tha - FOR r IN SELECT * FROM pg_event_trigger_ddl_commands() + FOR r IN SELECT * FROM pg_catalog.pg_event_trigger_ddl_commands() @@ -164,3 +120,3 @@ If you want to allow a delegated user with `rds_extension` to use extensions tha - EXECUTE format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.us_gaz TO %I WITH GRANT OPTION;', schemaname, databaseowner); - EXECUTE format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.us_lex TO %I WITH GRANT OPTION;', schemaname, databaseowner); - EXECUTE format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.us_rules TO %I WITH GRANT OPTION;', schemaname, databaseowner); + EXECUTE pg_catalog.format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.us_gaz TO %I WITH GRANT OPTION;', schemaname, databaseowner); + EXECUTE pg_catalog.format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.us_lex TO %I WITH GRANT OPTION;', schemaname, databaseowner); + EXECUTE pg_catalog.format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.us_rules TO %I WITH GRANT OPTION;', schemaname, databaseowner); @@ -168 +124 @@ If you want to allow a delegated user with `rds_extension` to use extensions tha - EXECUTE format('ALTER TEXT SEARCH DICTIONARY %I.intdict OWNER TO %I;', schemaname, databaseowner); + EXECUTE pg_catalog.format('ALTER TEXT SEARCH DICTIONARY %I.intdict OWNER TO %I;', schemaname, databaseowner); @@ -170,3 +126,3 @@ If you want to allow a delegated user with `rds_extension` to use extensions tha - EXECUTE format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.part_config TO %I WITH GRANT OPTION;', schemaname, databaseowner); - EXECUTE format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.part_config_sub TO %I WITH GRANT OPTION;', schemaname, databaseowner); - EXECUTE format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.custom_time_partitions TO %I WITH GRANT OPTION;', schemaname, databaseowner); + EXECUTE pg_catalog.format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.part_config TO %I WITH GRANT OPTION;', schemaname, databaseowner); + EXECUTE pg_catalog.format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.part_config_sub TO %I WITH GRANT OPTION;', schemaname, databaseowner); + EXECUTE pg_catalog.format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.custom_time_partitions TO %I WITH GRANT OPTION;', schemaname, databaseowner); @@ -174,4 +130,4 @@ If you want to allow a delegated user with `rds_extension` to use extensions tha - EXECUTE format('GRANT SELECT, UPDATE, INSERT, DELETE ON ALL TABLES IN SCHEMA topology TO %I WITH GRANT OPTION;', databaseowner); - EXECUTE format('GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA topology TO %I WITH GRANT OPTION;', databaseowner); - EXECUTE format('GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA topology TO %I WITH GRANT OPTION;', databaseowner); - EXECUTE format('GRANT USAGE ON SCHEMA topology TO %I WITH GRANT OPTION;', databaseowner); + EXECUTE pg_catalog.format('GRANT SELECT, UPDATE, INSERT, DELETE ON ALL TABLES IN SCHEMA topology TO %I WITH GRANT OPTION;', databaseowner); + EXECUTE pg_catalog.format('GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA topology TO %I WITH GRANT OPTION;', databaseowner); + EXECUTE pg_catalog.format('GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA topology TO %I WITH GRANT OPTION;', databaseowner); + EXECUTE pg_catalog.format('GRANT USAGE ON SCHEMA topology TO %I WITH GRANT OPTION;', databaseowner); @@ -187,0 +144,42 @@ If you want to allow a delegated user with `rds_extension` to use extensions tha + + +## Configuration used in Aurora delegated extension support for PostgreSQL + +Configuration Name | Description | Default Value | Notes | Who can modify or grant permission +---|---|---|---|--- +`rds.allowed_delegated_extensions` | This parameter limits the extensions a rds_extension role can manage in a database. It must be a subset of rds.allowed_extensions. | empty string | + + * By default, this parameter is empty string, which means that no extensions have been delegated to users with `rds_extension`. + * Any supported extension can be added if the user has permission to do so. To do this, set the `rds.allowed_delegated_extensions` parameter to a string of comma-separated extension names. By adding a list of extensions to this parameter, you explicitly identify the extensions that the user with the `rds_extension` role can install. + * When set to `*`, it means that all extensions listed in `rds_allowed_extensions` are delegated to users with `rds_extension` role. + +To learn more about setting up this parameter, see Turning on delegate extension support to a user.| rds_superuser +`rds.allowed_extensions`| This parameter lets the customer limit the extensions that can be installed in the Aurora PostgreSQL DB instance. For more information, see [Restricting installation of PostgreSQL extensions ](https://docs.aws.amazon.com//AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.FeatureSupport.Extensions.Restriction)| "*"| By default, this parameter is set to "*", which means that all extensions supported on RDS for PostgreSQL and Aurora PostgreSQL are allowed to be created by users with necessary privileges. Empty means no extensions can be installed in the Aurora PostgreSQL DB instance.| administrator +`rds-delegated_extension_allow_drop_cascade`| This parameter controls the ability for user with `rds_extension` to drop the extension using a cascade option.| off | By default, `rds-delegated_extension_allow_drop_cascade` is set to `off`. This means that users with `rds_extension` are not allowed to drop an extension using the cascade option. To grant that ability, the `rds.delegated_extension_allow_drop_cascade` parameter should be set to `on`.| rds_superuser + +## Turning off the support for the delegated extension + +###### Turning off partially + +The delegated users can’t create new extensions but can still update existing extensions. + + * Reset `rds.allowed_delegated_extensions` to the default value in the DB cluster parameter group. + + * Use the following command at the database level: + + alter database database_name reset rds.allowed_delegated_extensions; + + * Use the following command at the user level: + + alter user user_name reset rds.allowed_delegated_extensions; + + + + +###### Turning off fully + +Revoking `rds_extension` role from a user will revert the user to standard permissions. The user can no longer create, update, or drop extensions. + + + postgres => revoke rds_extension from user_name; +