On 2015-09-02 19:48:15 -0400, Tom Lane wrote:
> Just on general principles, this seems like a pretty horrid idea.
> To me replication privilege means the ability to transfer data out of
> the master, not to cause arbitrary state changes on the master.
It's not about the permission to trigger pg_rewind on the master - it's
about being able to run pg_rewind (as the necessary OS user) on the
*standby* when the connection to the primary has only replication rather
than superuser privs.
> Another problem with it is that access to the filesystem is about halfway
> to being superuser anyway, even if it's only read-only access. It would
> certainly let you read things that one would not expect a replication
> user to be able to read (like files unrelated to Postgres).
Doesn't pg_read_file et al insist that the path is below the data
directorY?
> I don't entirely understand why pg_rewind should be invoking any of these
> functions to begin with. Isn't it working directly with the disk data,
> with both postmasters shut down?
There's two modes: If both data directories are on the same server both
need to be shut down. If, as it's pretty commonly the case, the "source"
db is on another system the source system must be started (as a
primary). In the second mode all the files that have changed are copied
over a libpq connection.
Andres
