|
502 | 502 | <sect1 id="logical-replication-security">
|
503 | 503 | <title>Security</title>
|
504 | 504 |
|
| 505 | + <para> |
| 506 | + A user able to modify the schema of subscriber-side tables can execute |
| 507 | + arbitrary code as a superuser. Limit ownership |
| 508 | + and <literal>TRIGGER</literal> privilege on such tables to roles that |
| 509 | + superusers trust. Moreover, if untrusted users can create tables, use only |
| 510 | + publications that list tables explicitly. That is to say, create a |
| 511 | + subscription <literal>FOR ALL TABLES</literal> only when superusers trust |
| 512 | + every user permitted to create a non-temp table on the publisher or the |
| 513 | + subscriber. |
| 514 | + </para> |
| 515 | + |
505 | 516 | <para>
|
506 | 517 | The role used for the replication connection must have
|
507 |
| - the <literal>REPLICATION</literal> attribute (or be a superuser). Access for the role must be |
508 |
| - configured in <filename>pg_hba.conf</filename> and it must have the |
509 |
| - <literal>LOGIN</literal> attribute. |
| 518 | + the <literal>REPLICATION</literal> attribute (or be a superuser). If the |
| 519 | + role lacks <literal>SUPERUSER</literal> and <literal>BYPASSRLS</literal>, |
| 520 | + publisher row security policies can execute. If the role does not trust |
| 521 | + all table owners, include <literal>options=-crow_security=off</literal> in |
| 522 | + the connection string; if a table owner then adds a row security policy, |
| 523 | + that setting will cause replication to halt rather than execute the policy. |
| 524 | + Access for the role must be configured in <filename>pg_hba.conf</filename> |
| 525 | + and it must have the <literal>LOGIN</literal> attribute. |
510 | 526 | </para>
|
511 | 527 |
|
512 | 528 | <para>
|
|