Re: Logical replication subscription owner

From: Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com>
To: alvherre(at)2ndquadrant(dot)com
Cc: tgl(at)sss(dot)pgh(dot)pa(dot)us, sfrost(at)snowman(dot)net, chris+postgresql(at)qwirx(dot)com, pgsql-docs(at)lists(dot)postgresql(dot)org, pgsql-hackers(at)lists(dot)postgresql(dot)org, peter(dot)eisentraut(at)2ndquadrant(dot)com
Subject: Re: Logical replication subscription owner
Date: 2020-05-08 06:03:26
Message-ID: 20200508.150326.909507514141434296.horikyota.ntt@gmail.com
Lists: pgsql-docs pgsql-hackers

At Fri, 8 May 2020 01:02:11 -0400, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> wrote in
> On 2020-May-07, Tom Lane wrote:
>
> > FWIW, I would argue that LOGIN permits logging in on a regular SQL
> > connection, while REPLICATION should permit logging in on a
> > replication connection, and there's no reason for either to depend on
> > or require the other.
>
> I agree with this.

I agree, too. Anyway, it is unreasonable that a user is banned for
the lack of the replication attribute after a successful *replication*
login.

LOG: replication connection authorized: user=user1 application_name=psql
FATAL: must be superuser or replication role to start walsender

> > >> Also- what about per-database connections? Does having REPLICATION mean
> > >> you get to override the CONNECT privileges on a database, if you're
> > >> connecting for the purposes of doing logical replication?
> >
> > No, why would it? Should LOGIN privilege mean you can override
> > CONNECT? That's nonsense. You need the respective privilege
> > to connect with the protocol you want to connect with, and you
> > also need CONNECT on the DB you want to connect to.
>
> And this.

A user can start physical replication without needing CONNECT on any
database if it has the REPLICATION attribute. That means any user that
is allowed logical replication on a specific database (or even no
databases) can replicate the whole cluster using physical replication.
I don't think that is proper behavior from a security perspective.

It seems to me that we need to restrict physical replication to
require CONNECT privilege on all databases, or separate physical
replication privilege from logical replication privilege.

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center
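As an added example (not part of this e-mail or of PostgreSQL itself), a small audit of the pg_hba.conf records that decide who may open a physical replication connection: in pg_hba.conf only the "replication" keyword in the database column matches physical replication walsender connections, while logical replication connections match the real database name, so the two can be admitted separately at the HBA level. The sample pg_hba.conf content and role names are constructed.

```python
import shlex

# Constructed sample pg_hba.conf content (not taken from any real server).
SAMPLE_HBA = """
# TYPE  DATABASE     USER          ADDRESS          METHOD
local   all          all                            peer
host    all          all           127.0.0.1/32     scram-sha-256
host    replication  all           0.0.0.0/0        md5
host    replication  standby_repl  10.0.0.0/24      scram-sha-256
hostssl appdb        logical_sub   10.0.1.0/24      scram-sha-256
"""

NETMASK_CHARS = set("0123456789.")


def parse_hba(text):
    """Parse pg_hba.conf records into dicts, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)  # honours "#" and quoting
        if not fields:
            continue
        if fields[0] == "local":
            if len(fields) < 4:
                continue
            address, rest = None, fields[3:]
        else:
            if len(fields) < 5:
                continue
            address, rest = fields[3], fields[4:]
            # "address netmask" form: keep the separate netmask with the address
            if len(rest) > 1 and set(rest[0]) <= NETMASK_CHARS:
                address, rest = address + " " + rest[0], rest[1:]
        entries.append({"type": fields[0], "database": fields[1],
                        "user": fields[2], "address": address, "method": rest[0]})
    return entries


def physical_replication_entries(entries):
    """Records matching physical replication connections: only the
    "replication" keyword does; "all" and real database names do not."""
    return [e for e in entries
            if "replication" in [t.strip() for t in e["database"].split(",")]]


def audit(text):
    """Warnings for physical replication records that are broader than one named standby role/network."""
    warnings = []
    for e in physical_replication_entries(parse_hba(text)):
        if e["user"] == "all":
            warnings.append(f"{e['type']} replication from {e['address']}: user 'all' lets any "
                            "role with the REPLICATION attribute stream the whole cluster")
        if e["address"] in ("0.0.0.0/0", "::/0", "all"):
            warnings.append(f"{e['type']} replication from {e['address']}: unrestricted source address")
        if e["method"] == "trust":
            warnings.append(f"{e['type']} replication from {e['address']}: method 'trust' needs no credential")
    return warnings
```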
