From 9910860770045cf8ee365cfeaaa90561f5b1e43f Mon Sep 17 00:00:00 2001
From: Fujii Masao <fujii@postgresql.org>
Date: Wed, 24 Jun 2026 08:14:36 +0900
Subject: [PATCH v1] Add hints for sequence sync permission warnings

---
 doc/src/sgml/logical-replication.sgml          | 12 ++++++++----
 src/backend/replication/logical/sequencesync.c |  7 +++++--
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/doc/src/sgml/logical-replication.sgml b/doc/src/sgml/logical-replication.sgml
index 9e7868487de..f0c25a75460 100644
--- a/doc/src/sgml/logical-replication.sgml
+++ b/doc/src/sgml/logical-replication.sgml
@@ -2542,9 +2542,10 @@ CONTEXT:  processing remote data for replication origin "pg_16395" during "INSER
   </para>
 
   <para>
-   In order to be able to copy the initial table or sequence data, the role
-   used for the replication connection must have the <literal>SELECT</literal>
-   privilege on a published table or sequence (or be a superuser).
+   In order to be able to copy the initial table data or synchronize
+   sequences, the role used for the replication connection must have the
+   <literal>SELECT</literal> privilege on a published table or sequence (or be
+   a superuser).
   </para>
 
   <para>
@@ -2602,7 +2603,10 @@ CONTEXT:  processing remote data for replication origin "pg_16395" during "INSER
    needs privileges to <literal>SELECT</literal>, <literal>INSERT</literal>,
    <literal>UPDATE</literal>, and <literal>DELETE</literal> from the
    target table, and does not need privileges to <literal>SET ROLE</literal>
-   to the table owner. However, this also means that any user who owns
+   to the table owner. When synchronizing sequences, the subscription owner
+   similarly needs <literal>UPDATE</literal> privilege on the target sequence
+   and does not need privileges to <literal>SET ROLE</literal> to the sequence
+   owner. However, this also means that any user who owns
    a table into which replication is happening can execute arbitrary code with
    the privileges of the subscription owner. For example, they could do this
    by simply attaching a trigger to one of the tables which they own.
diff --git a/src/backend/replication/logical/sequencesync.c b/src/backend/replication/logical/sequencesync.c
index f47f962c7db..7910d610c60 100644
--- a/src/backend/replication/logical/sequencesync.c
+++ b/src/backend/replication/logical/sequencesync.c
@@ -206,7 +206,9 @@ report_sequence_errors(List *mismatched_seqs_idx,
 				errmsg_plural("insufficient privileges on subscriber sequence (%s)",
 							  "insufficient privileges on subscriber sequences (%s)",
 							  list_length(sub_insuffperm_seqs_idx),
-							  seqstr.data));
+							  seqstr.data),
+				MySubscription->runasowner ?
+				errhint("Grant UPDATE on the sequence to the subscription owner on the subscriber.") : 0);
 	}
 
 	if (pub_insuffperm_seqs_idx)
@@ -217,7 +219,8 @@ report_sequence_errors(List *mismatched_seqs_idx,
 				errmsg_plural("insufficient privileges on publisher sequence (%s)",
 							  "insufficient privileges on publisher sequences (%s)",
 							  list_length(pub_insuffperm_seqs_idx),
-							  seqstr.data));
+							  seqstr.data),
+				errhint("Grant SELECT on the sequence to the role used for the replication connection on the publisher."));
 	}
 
 	if (missing_seqs_idx)
-- 
2.53.0