From: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, chris+postgresql(at)qwirx(dot)com, pgsql-docs(at)lists(dot)postgresql(dot)org, pgsql-hackers(at)lists(dot)postgresql(dot)org, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
Subject: | Re: Logical replication subscription owner |
Date: | 2020-05-08 01:47:34 |
Message-ID: | 20200508014734.GA3552@alvherre.pgsql |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-docs pgsql-hackers |
I'd welcome input from other people on this issue; only now I noticed
that it's buried in pgsql-docs, so CCing pgsql-hackers now.
On 2020-Apr-23, Stephen Frost wrote:
> Greetings,
>
> * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> > Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> writes:
> > > I had it in my mind that LOGIN was for regular (SQL-based) login, and
> > > REPLICATION was for replication login, and that they were orthogonal.
> >
> > Yeah, that's what I would've expected. Otherwise, is REPLICATION
> > without LOGIN useful at all?
>
> No, but it's less surprising, at least to me, for all roles that login
> to require having the LOGIN right. Having REPLICATION ignore that would
> be surprising (and a change from today). Maybe if we called it
> REPLICATIONLOGIN or something along those lines it would be less
> surprising, but it still seems pretty awkward.
>
> I view REPLICATION as allowing a specific kind of connection, but you
> first need to be able to login.
>
> Also- what about per-database connections? Does having REPLICATION mean
> you get to override the CONNECT privileges on a database, if you're
> connecting for the purposes of doing logical replication?
>
> I agree we could do better in these areas, but I'd argue that's mostly
> around improving the documentation rather than baking in implications
> that one privilege implies another. We certainly get people who
> complain about getting a permission denied error when they have UPDATE
> rights on a table (but not SELECT) and they include a WHERE clause in
> their update statement, but that doesn't mean we should assume that
> having UPDATE rights means you also get SELECT rights, just because
> UPDATE is next to useless without SELECT.
>
> Thanks,
>
> Stephen
--
Álvaro Herrera https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2020-05-08 03:30:23 | Re: Logical replication subscription owner |
Previous Message | Tom Lane | 2020-05-06 22:56:40 | Re: Another modest proposal for docs formatting: catalog descriptions |
From | Date | Subject | |
---|---|---|---|
Next Message | Andy Fan | 2020-05-08 01:57:24 | Re: [PATCH] Keeps tracking the uniqueness with UniqueKey |
Previous Message | Fujii Masao | 2020-05-08 01:42:18 | Re: Why are wait events not reported even though it reads/writes a timeline history file? |