non-superusers are allowed to drop the replication user, but are not allowed to alter or even create them, is that ok?

From: Ashutosh Sharma <ashu(dot)coek88(at)gmail(dot)com>
To: PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: non-superusers are allowed to drop the replication user, but are not allowed to alter or even create them, is that ok?
Date: 2021-09-30 10:07:02
Message-ID: CAE9k0PmWZQTPMUxF3-mPcPjKaU+QZ-ydTZ+PRhdbaB2gNjJPhQ@mail.gmail.com
Lists: pgsql-hackers

Hi All,

While working on one of the internal projects I noticed that currently in
Postgres, we do not allow normal users to alter attributes of the
replication user. However we do allow normal users to drop replication
users or to even rename it using the alter command. Is that behaviour ok?
If yes, can someone please help me understand how and why this is okay.

Here is an example illustrating this behaviour:

supusr@postgres=# create user repusr with password 'repusr' replication;
CREATE ROLE

supusr@postgres=# create user nonsu with password 'nonsu' createrole createdb;
CREATE ROLE

supusr@postgres=# \c postgres nonsu;
You are now connected to database "postgres" as user "nonsu".

nonsu@postgres=> alter user repusr nocreatedb;
ERROR: 42501: must be superuser to alter replication roles or change replication attribute

nonsu@postgres=> alter user repusr rename to refusr;
ALTER ROLE

nonsu@postgres=> drop user refusr;
DROP ROLE

nonsu@postgres=> create user repusr2 with password 'repusr2' replication;
ERROR: 42501: must be superuser to create replication users

--
With Regards,
Ashutosh Sharma.
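
Added example, not part of the original message and not PostgreSQL project code: an audit query for a server that behaves as shown in the session above, listing which non-superuser roles can reach CREATEROLE and which replication roles they could therefore rename or drop. It assumes that replication roles which are also superusers are out of reach of non-superusers, and that a member of a CREATEROLE role can use that attribute after SET ROLE.

```sql
-- Added example: exposure of REPLICATION roles to CREATEROLE holders.
-- Uses only the standard catalogs pg_roles and pg_auth_members.
WITH RECURSIVE reach(member, via) AS (
    -- Non-superuser roles that hold CREATEROLE themselves.
    SELECT r.oid, r.oid
    FROM pg_roles r
    WHERE r.rolcreaterole
      AND NOT r.rolsuper
  UNION
    -- Roles that are members, directly or transitively, of such a role.
    -- CREATEROLE is not inherited, but a member can SET ROLE to the
    -- parent role and act with its attributes (assumption stated above).
    SELECT m.member, reach.via
    FROM pg_auth_members m
    JOIN reach ON m.roleid = reach.member
)
SELECT holder.rolname AS can_act_as,        -- login or group role to review
       cr.rolname     AS createrole_role,   -- role carrying CREATEROLE
       target.rolname AS replication_role   -- role that could be renamed/dropped
FROM reach
JOIN pg_roles holder ON holder.oid = reach.member
JOIN pg_roles cr     ON cr.oid = reach.via
CROSS JOIN pg_roles target
WHERE target.rolreplication
  AND NOT target.rolsuper          -- superuser roles excluded (assumption)
  AND NOT holder.rolsuper          -- superusers can do this anyway
  AND target.oid <> holder.oid     -- a role does not count as exposed to itself
ORDER BY can_act_as, createrole_role, replication_role;
```

With the roles from the session above in place (before the rename), the result would contain a row pairing nonsu with repusr.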
