open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Make superuser imply replication privilege. The idea of a privilege that

Browse Source 
superuser doesn't have doesn't make much sense, as a superuser can do
whatever he wants through other means, anyway. So instead of granting
replication privilege to superusers in CREATE USER time by default, allow
replication connection from superusers whether or not they have the
replication privilege.

Patch by Noah Misch, per discussion on bug report #6264
pull/1/head
Heikki Linnakangas 14 years ago
parent ea038d65c2
commit 00c5f55061
8 changed files with 32 additions and 56 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 21
      doc/src/sgml/high-availability.sgml
  2. 5
      doc/src/sgml/recovery-config.sgml
  3. 3
      doc/src/sgml/ref/create_role.sgml
  4. 13
      doc/src/sgml/ref/pg_basebackup.sgml
  5. 14
      doc/src/sgml/ref/pg_receivexlog.sgml
  6. 18
      doc/src/sgml/user-manag.sgml
  7. 9
      src/backend/commands/user.c
  8. 5
      src/backend/utils/init/postinit.c

21
doc/src/sgml/high-availability.sgml
Unescape View File

@ -797,23 +797,14 @@ archive_cleanup_command = 'pg_archivecleanup /path/to/archive %r'
It is very important that the access privileges for replication be set up It is very important that the access privileges for replication be set up
so that only trusted users can read the WAL stream, because it is so that only trusted users can read the WAL stream, because it is
easy to extract privileged information from it. Standby servers must easy to extract privileged information from it. Standby servers must
authenticate to the primary as an account that has the authenticate to the primary as a superuser or an account that has the
<literal>REPLICATION</> privilege. So a role with the <literal>REPLICATION</> privilege. It is recommended to create a
<literal>REPLICATION</> and <literal>LOGIN</> privileges needs to be dedicated user account with <literal>REPLICATION</> and <literal>LOGIN</>
created on the primary. privileges for replication. While <literal>REPLICATION</> privilege gives
very high permissions, it does not allow the user to modify any data on
the primary system, which the <literal>SUPERUSER</> privilege does.
</para> </para>
<note>
<para>
It is recommended that a dedicated user account is used for replication.
While the <literal>REPLICATION</> privilege is granted to superuser
accounts by default, it is not recommended to use superuser accounts
for replication. While <literal>REPLICATION</> privilege gives very high
permissions, it does not allow the user to modify any data on the
primary system, which the <literal>SUPERUSER</> privilege does.
</para>
</note>
<para> <para>
Client authentication for replication is controlled by a Client authentication for replication is controlled by a
<filename>pg_hba.conf</> record specifying <literal>replication</> in the <filename>pg_hba.conf</> record specifying <literal>replication</> in the

5
doc/src/sgml/recovery-config.sgml
Unescape View File

@ -325,9 +325,8 @@ restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"' # Windows
The connection string should specify the host name (or address) The connection string should specify the host name (or address)
of the primary server, as well as the port number if it is not of the primary server, as well as the port number if it is not
the same as the standby server's default. the same as the standby server's default.
Also specify a user name corresponding to a role that has the Also specify a user name corresponding to a suitably-privileged role
<literal>REPLICATION</> and <literal>LOGIN</> privileges on the on the primary (see
primary (see
<xref linkend="streaming-replication-authentication">). <xref linkend="streaming-replication-authentication">).
A password needs to be provided too, if the primary demands password A password needs to be provided too, if the primary demands password
authentication. It can be provided in the authentication. It can be provided in the

3
doc/src/sgml/ref/create_role.sgml
Unescape View File

@ -185,8 +185,7 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
A role having the <literal>REPLICATION</> attribute is a very A role having the <literal>REPLICATION</> attribute is a very
highly privileged role, and should only be used on roles actually highly privileged role, and should only be used on roles actually
used for replication. If not specified, used for replication. If not specified,
<literal>NOREPLICATION</literal> is the default for all roles except <literal>NOREPLICATION</literal> is the default.
superusers.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>

13
doc/src/sgml/ref/pg_basebackup.sgml
Unescape View File

@ -50,12 +50,13 @@ PostgreSQL documentation
<para> <para>
The backup is made over a regular <productname>PostgreSQL</productname> The backup is made over a regular <productname>PostgreSQL</productname>
connection, and uses the replication protocol. The connection must be connection, and uses the replication protocol. The connection must be made
made with a user having <literal>REPLICATION</literal> permissions (see with a superuser or a user having <literal>REPLICATION</literal>
<xref linkend="role-attributes">), and the user must be granted explicit permissions (see <xref linkend="role-attributes">),
permissions in <filename>pg_hba.conf</filename>. The server must also and <filename>pg_hba.conf</filename> must explicitly permit the replication
be configured with <xref linkend="guc-max-wal-senders"> set high enough connection. The server must also be configured
to leave at least one session available for the backup. with <xref linkend="guc-max-wal-senders"> set high enough to leave at least
one session available for the backup.
</para> </para>
<para> <para>

14
doc/src/sgml/ref/pg_receivexlog.sgml
Unescape View File

@ -50,13 +50,13 @@ PostgreSQL documentation
<para> <para>
The transaction log is streamed over a regular The transaction log is streamed over a regular
<productname>PostgreSQL</productname> connection, and uses the <productname>PostgreSQL</productname> connection, and uses the replication
replication protocol. The connection must be protocol. The connection must be made with a superuser or a user
made with a user having <literal>REPLICATION</literal> permissions (see having <literal>REPLICATION</literal> permissions (see
<xref linkend="role-attributes">), and the user must be granted explicit <xref linkend="role-attributes">), and <filename>pg_hba.conf</filename>
permissions in <filename>pg_hba.conf</filename>. The server must also must explicitly permit the replication connection. The server must also be
be configured with <xref linkend="guc-max-wal-senders"> set high enough configured with <xref linkend="guc-max-wal-senders"> set high enough to
to leave at least one session available for the stream. leave at least one session available for the stream.
</para> </para>
</refsect1> </refsect1>

18
doc/src/sgml/user-manag.sgml
Unescape View File

@ -169,16 +169,11 @@ CREATE USER <replaceable>name</replaceable>;
<listitem> <listitem>
<para> <para>
A database superuser bypasses all permission checks, except the right A database superuser bypasses all permission checks, except the right
to log in or the right to initiate replication. This is a to log in. This is a dangerous privilege and should not be used
dangerous privilege and should not be used carelessly; it is best carelessly; it is best to do most of your work as a role that is not a
to do most of your work as a role that is not a superuser. superuser. To create a new database superuser, use <literal>CREATE
To create a new database superuser, use <literal>CREATE ROLE ROLE <replaceable>name</replaceable> SUPERUSER</literal>. You must do
<replaceable>name</replaceable> SUPERUSER</literal>. You must do this as a role that is already a superuser.
this as a role that is already a superuser. Creating a superuser
will by default also grant permissions to initiate streaming
replication. For increased security this can be disallowed using
<literal>CREATE ROLE <replaceable>name</replaceable> SUPERUSER
NOREPLICATION</literal>.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -217,7 +212,8 @@ CREATE USER <replaceable>name</replaceable>;
<listitem> <listitem>
<para> <para>
A role must explicitly be given permission to initiate streaming A role must explicitly be given permission to initiate streaming
replication. A role used for streaming replication must always replication (except for superusers, since those bypass all permission
checks). A role used for streaming replication must always
have <literal>LOGIN</> permission as well. To create such a role, use have <literal>LOGIN</> permission as well. To create such a role, use
<literal>CREATE ROLE <replaceable>name</replaceable> REPLICATION <literal>CREATE ROLE <replaceable>name</replaceable> REPLICATION
LOGIN</literal>. LOGIN</literal>.

9
src/backend/commands/user.c
Unescape View File

@ -239,16 +239,7 @@ CreateRole(CreateRoleStmt *stmt)
if (dpassword && dpassword->arg) if (dpassword && dpassword->arg)
password = strVal(dpassword->arg); password = strVal(dpassword->arg);
if (dissuper) if (dissuper)
{
issuper = intVal(dissuper->arg) != 0; issuper = intVal(dissuper->arg) != 0;
/*
* Superusers get replication by default, but only if NOREPLICATION
* wasn't explicitly mentioned
*/
if (issuper && !(disreplication && intVal(disreplication->arg) == 0))
isreplication = 1;
}
if (dinherit) if (dinherit)
inherit = intVal(dinherit->arg) != 0; inherit = intVal(dinherit->arg) != 0;
if (dcreaterole) if (dcreaterole)

5
src/backend/utils/init/postinit.c
Unescape View File

@ -659,11 +659,10 @@ InitPostgres(const char *in_dbname, Oid dboid, const char *username,
{ {
Assert(!bootstrap); Assert(!bootstrap);
/* must have authenticated as a replication role */ if (!superuser() && !is_authenticated_user_replication_role())
if (!is_authenticated_user_replication_role())
ereport(FATAL, ereport(FATAL,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("must be replication role to start walsender"))); errmsg("must be superuser or replication role to start walsender")));
/* process any options passed in the startup packet */ /* process any options passed in the startup packet */
if (MyProcPort != NULL) if (MyProcPort != NULL)

Write Preview
Loading…
Cancel
Save