Home > mailing lists

Re: Streaming replication as a separate permissions - Mailing list pgsql-hackers

From	Tom Lane
Subject	Re: Streaming replication as a separate permissions
Date	December 27, 2010 14:34:11
Msg-id	14807.1293464033@sss.pgh.pa.us Whole thread Raw
In response to	Re: Streaming replication as a separate permissions (Magnus Hagander <magnus@hagander.net>)
Responses	Re: Streaming replication as a separate permissions (Magnus Hagander <magnus@hagander.net>)
List	pgsql-hackers

Tree view

Magnus Hagander <magnus@hagander.net> writes:
> On Mon, Dec 27, 2010 at 10:53, Magnus Hagander <magnus@hagander.net> wrote:
>> We could quite easily make a replication role *never* be able to
>> connect to a non-walsender backend. That would mean that if you set
>> your role to WITH REPLICATION, it can *only* be used for replication
>> and nothing else (well, you could still SET ROLE to it, but given that
>> it's not a superuser (anymore), that doesn't have any security
>> implications.

> Actually, having implemented that and tested it, I realize that's a
> pretty bad idea.

OK, so if we're not going to recommend that REPLICATION roles be
NOLOGIN, we're back to the original question: should the REPLICATION
bit give any other special privileges?  I can see the point of allowing
such a user to issue pg_start_backup and pg_stop_backup.
        regards, tom lane

pgsql-hackers by date:

From: Robert Haas
Date: 27 December 2010, 14:24:32
Subject: Re: Reduce lock levels for ADD and DROP COLUMN

From: Magnus Hagander
Date: 27 December 2010, 14:40:19
Subject: Re: Streaming replication as a separate permissions

Re: Streaming replication as a separate permissions - Mailing list pgsql-hackers

Previous

Next