[WIP] Document update for Logical Replication security

Started by Shinoda, Noriyoshi almost 8 years ago, 2 messages
#1 Shinoda, Noriyoshi
noriyoshi.shinoda@hpe.com
1 attachment(s)

Hi, Hackers,

The attached patch adds the following information to the document on Logical Replication.
The requirement for the connection role of Logical Replication, as written in 31.7 of the manual, is as follows.
--
The role used for the replication connection must have the REPLICATION attribute.
--
However, the Logical Replication connection role also requires the LOGIN attribute.
And, for initial snapshots of Logical Replication, the connection role requires SELECT privilege on the replication target table, but it is not described in the manual.

Regards,

Noriyoshi Shinoda

Attachments:

logical_replication_doc.patch (application/octet-stream)
diff --git a/doc/src/sgml/logical-replication.sgml b/doc/src/sgml/logical-replication.sgml
index 75551d8..7c1ee7c 100644
--- a/doc/src/sgml/logical-replication.sgml
+++ b/doc/src/sgml/logical-replication.sgml
@@ -485,8 +485,9 @@
 
   <para>
    The role used for the replication connection must have
-   the <literal>REPLICATION</literal> attribute (or be a superuser).  Access for the role must be
+   the <literal>REPLICATION</literal> attribute and the <literal>LOGIN</literal> attribute (or be a superuser).  Access for the role must be
    configured in <filename>pg_hba.conf</filename>.
+In order to copy the initial snapshot, the role must be granted <literal>SELECT</literal> privilege on the replication target table.
   </para>
 
   <para>
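Review bot: In the changed sentence the parenthetical "(or be a superuser)" now follows both attributes, so it reads as if superuser status also substitutes for LOGIN; a superuser role created with NOLOGIN still cannot open a connection. Suggest keeping the parenthetical attached to REPLICATION only and stating the LOGIN requirement separately, for example next to the pg_hba.conf sentence. In the added SELECT sentence, "the replication target table" does not say which side is meant; since the initial copy reads from the publisher, wording such as "the published table" would be clearer. That added line also starts at column 0 while the rest of the paragraph is indented, and the changed line above it has grown well past the width of its neighbours, so both should be re-wrapped to match the surrounding SGML.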
#2 Peter Eisentraut
peter.eisentraut@2ndquadrant.com
In reply to: Shinoda, Noriyoshi (#1)
Re: [WIP] Document update for Logical Replication security

On 3/3/18 07:35, Shinoda, Noriyoshi wrote:

Hi, Hackers,

The attached patch adds the following information to the document on Logical Replication.
The requirement for the connection role of Logical Replication, as written in 31.7 of the manual, is as follows.
--
The role used for the replication connection must have the REPLICATION attribute.
--
However, the Logical Replication connection role also requires the LOGIN attribute.
And, for initial snapshots of Logical Replication, the connection role requires SELECT privilege on the replication target table, but it is not described in the manual.

Committed, thanks.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
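
The role requirements discussed in this thread (REPLICATION, LOGIN, and SELECT on the tables being copied) can be set up and audited on the publisher as follows. This is an added example, not part of the original messages or the patch; the role name `repuser`, publication name `mypub`, table `public.orders` and the password are constructed placeholders.

```sql
-- Run on the publisher. All object names below are placeholders.

-- Dedicated connection role: no superuser, only what replication needs.
CREATE ROLE repuser WITH LOGIN REPLICATION PASSWORD 'placeholder-change-me';

-- The initial table copy reads the published table over this connection,
-- so the role needs SELECT on it (and nothing more).
GRANT SELECT ON TABLE public.orders TO repuser;

-- Access for the role must additionally be configured in pg_hba.conf.

-- Audit 1: attributes required to open the replication connection.
-- has_login must be true even for a superuser role.
SELECT rolname,
       rolcanlogin                AS has_login,
       rolreplication OR rolsuper AS may_replicate
FROM   pg_roles
WHERE  rolname = 'repuser';

-- Audit 2: published tables the role cannot read.
-- Each row returned is a table whose initial snapshot copy would fail.
SELECT pt.pubname,
       pt.schemaname,
       pt.tablename
FROM   pg_publication_tables AS pt
WHERE  pt.pubname = 'mypub'
AND    NOT has_table_privilege(
           'repuser',
           format('%I.%I', pt.schemaname, pt.tablename),
           'SELECT');
```

An empty result from the second audit query, together with `has_login` and `may_replicate` both true in the first, means the role meets the requirements stated in the thread.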