security on user for replication

Started by Marcos Pegoraroover 6 years ago3 messagesgeneral

marcos@f10.com.br

over 6 years ago

We use replication with publication/subsctription. It´s ok, works fine.
But if I go to my replica server and do select * from pg_subscription
on field subconninfo I have all properties to connect. host, port, user,
password and dbname, all these info are available.
Documentation says user for replication is equivalent to a superuser and
must have the login attribute. If this user has all this power and using
that select on replica all that info is available ...
How can I hide that info from users which are connected to my replica server
or
If it´s possible to have a replication user with not superuser rights or
with NoLogin

--
Sent from: https://www.postgresql-archive.org/PostgreSQL-general-f1843780.html

Andreas Kretschmer

andreas@a-kretschmer.de

over 6 years ago

In reply to: Marcos Pegoraro (#1)

Re: security on user for replication

Am 11.11.19 um 14:26 schrieb PegoraroF10:

How can I hide that info from users which are connected to my replica
server

you can use a .pgpass - file, see the documentation.

Regards, Andreas

--
2ndQuadrant - The PostgreSQL Support Company.
www.2ndQuadrant.com

Christoph Moench-Tegeder

cmt@burggraben.net

over 6 years ago

In reply to: Marcos Pegoraro (#1)

Re: security on user for replication

## PegoraroF10 (marcos@f10.com.br):

How can I hide that info from users which are connected to my replica server

https://www.postgresql.org/docs/current/catalog-pg-subscription.html
Access to the column subconninfo is revoked from normal users, because
it could contain plain-text passwords.

Else: SSL certificates, pgpass file, or rig up some kerberos (that's
not that elegant in this case).

Regards,
Christoph

--
Spare Space.