Additional info for CREATE ROLE with REPLICATION
When a logical replication is created and a ROLE with REPLICATION clause is
used for that, there is no info on [0] that that role needs to have read
permission on those tables. CREATE PUBLICATION and CREATE SUBSCRIPTION
commands work as expected but replication doesn't work; only an "access
denied" is added to the logs.
So it would be good to explain that a GRANT is needed.
[0]: https://www.postgresql.org/docs/current/sql-createrole.html
regards
Marcos
Attachments:
0001-Master - Additional info for create role with REPLICATION.diff
diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml
index cee23b1ea6b..6f453ea4e32 100644
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@@ -197,7 +197,8 @@ in sync when changing the above synopsis!
used for replication. If not specified,
<literal>NOREPLICATION</literal> is the default.
Only superuser roles or roles with <literal>REPLICATION</literal>
- can specify <literal>REPLICATION</literal>.
+ can specify <literal>REPLICATION</literal>. Additionally, this role
+ needs to have read permissions on the objects belonging to the replication.
</para>
</listitem>
</varlistentry>
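Review bot: In the added sentence, "this role" directly follows a sentence about which roles may specify REPLICATION, so it can be read as the role running CREATE ROLE rather than the role being created with the attribute; name the subject explicitly, for example "A role used for a replication connection ...". "read permissions" would be more precise as the <literal>SELECT</literal> privilege, matching the <literal> markup already used for REPLICATION in this paragraph, and "the objects belonging to the replication" is vague: say which objects are meant (the published tables) and that the requirement concerns logical replication, since the paragraph as written covers the REPLICATION attribute in general. A cross-reference to the logical replication chapter would let the detail live there instead of in this entry.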
On Nov 26, 2025, at 05:45, Marcos Pegoraro <marcos@f10.com.br> wrote:
When a logical replication is created and a ROLE with REPLICATION clause is used for that, there is no info on [0] that that role needs to have read permission on those tables. CREATE PUBLICATION and CREATE SUBSCRIPTION commands work as expected but replication doesn't work; only an "access denied" is added to the logs.
So it would be good to explain that a GRANT is needed.
[0] - https://www.postgresql.org/docs/current/sql-createrole.html
regards
Marcos
Hi Marcos,
The statement you added is correct; however, I don’t think it is the right place to add the statement. “create role” just describes how to assign the replication attribute.
I found that in logical-replication.html, there is an explanation already:
```
<para>
In order to be able to copy the initial table or sequence data, the role
used for the replication connection must have the <literal>SELECT</literal>
privilege on a published table or sequence (or be a superuser).
</para>
```
Best regards,
--
Chao Li (Evan)
HighGo Software Co., Ltd.
https://www.highgo.com/
On Tue, Nov 25, 2025 at 23:22, Chao Li <li.evan.chao@gmail.com>
wrote:
ok, I understand that, but the REPLICATION paragraph says "A role having
the REPLICATION attribute is a very highly privileged role". So the user
thinks, well, if this role is a highly privileged role, he should have
SELECT permission automatically, right? And it does not, so a warning like
this would be fine, I think.
regards
Marcos
On Wednesday, November 26, 2025, Marcos Pegoraro <marcos@f10.com.br> wrote:
On Tue, Nov 25, 2025 at 23:22, Chao Li <li.evan.chao@gmail.com>
wrote:
ok, I understand that, but the REPLICATION paragraph says "A role having
the REPLICATION attribute is a very highly privileged role". So the user
thinks, well, if this role is a highly privileged role, he should have
SELECT permission automatically, right? And it does not, so a warning like
this would be fine, I think.
Maybe the wording “highly privileged” should be reconsidered then to not
imply never needing to apply grants.
It also occurs to me, that section probably would be better off with some
cross-references to the sections that talk about replication in detail
instead of putting the detail here.
So, maybe replace “highly privileged” with “additional grants might be
necessary depending on whether you are doing (link) physical or (link)
logical replication”.
David J.
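The behaviour discussed in this thread, as an added example that is not part of any message or of the PostgreSQL documentation: the REPLICATION attribute alone does not give a role SELECT on published tables, so the publisher needs an explicit, narrowly scoped grant. The names `repl_user`, `app_pub`, `app_sub`, `public.orders` and the connection string are hypothetical.

```sql
-- Publisher side. All object names below are hypothetical examples.

-- A dedicated, non-superuser role for the replication connection.
CREATE ROLE repl_user WITH LOGIN REPLICATION PASSWORD 'change-me';

CREATE TABLE public.orders (id bigint PRIMARY KEY, total numeric);
CREATE PUBLICATION app_pub FOR TABLE public.orders;

-- Audit: published tables the replication role cannot read yet.
-- Any row returned here is a table whose initial copy would be refused.
SELECT pt.pubname, pt.schemaname, pt.tablename
FROM pg_publication_tables AS pt
WHERE NOT has_table_privilege(
          'repl_user',
          format('%I.%I', pt.schemaname, pt.tablename),
          'SELECT');

-- Least-privilege fix: grant SELECT only on what is published,
-- rather than making the replication role a superuser.
GRANT SELECT ON TABLE public.orders TO repl_user;
-- A table in a schema other than public would also need:
--   GRANT USAGE ON SCHEMA <schema> TO repl_user;

-- Re-run the audit; it should now return zero rows for app_pub.
SELECT count(*) AS unreadable_published_tables
FROM pg_publication_tables AS pt
WHERE pt.pubname = 'app_pub'
  AND NOT has_table_privilege(
          'repl_user',
          format('%I.%I', pt.schemaname, pt.tablename),
          'SELECT');

-- Subscriber side (run on the other server, shown as a comment so this
-- script stays runnable on the publisher alone):
--   CREATE SUBSCRIPTION app_sub
--     CONNECTION 'host=publisher.example dbname=app user=repl_user password=change-me'
--     PUBLICATION app_pub;
```

Running the audit query before CREATE SUBSCRIPTION surfaces the missing grant up front instead of leaving it to be found in the server log afterwards.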