On 2020-Apr-22, Stephen Frost wrote:
> * Alvaro Herrera (alvherre@2ndquadrant.com) wrote:
> > I wonder if a better answer is to allow the connection when the
> > REPLICATION priv is granted, ignoring the LOGIN prov.
>
> Erm, no, I wouldn't have thought that'd make sense- maybe someone
> specifically wants to stop allowing that role to login and they remove
> LOGIN? That REPLICATION would override that would surely be surprising
> and counter-intuitive..
Well, I guess if somebody wants to stop replication, they can remove
the REPLICATION priv.
I had it in my mind that LOGIN was for regular (SQL-based) login, and
REPLICATION was for replication login, and that they were orthogonal.
You're saying that there's no way a role can have REPLICATION privs but
no LOGIN. Is that sensible?
--
Álvaro Herrera https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services