|
495 | 495 | <sect1 id="logical-replication-security"> |
496 | 496 | <title>Security</title> |
497 | 497 |
|
| 498 | + <para> |
| 499 | + A user able to modify the schema of subscriber-side tables can execute |
| 500 | + arbitrary code as a superuser. Limit ownership |
| 501 | + and <literal>TRIGGER</literal> privilege on such tables to roles that |
| 502 | + superusers trust. Moreover, if untrusted users can create tables, use only |
| 503 | + publications that list tables explicitly. That is to say, create a |
| 504 | + subscription <literal>FOR ALL TABLES</literal> only when superusers trust |
| 505 | + every user permitted to create a non-temp table on the publisher or the |
| 506 | + subscriber. |
| 507 | + </para> |
| 508 | + |
498 | 509 | <para> |
499 | 510 | The role used for the replication connection must have |
500 | | - the <literal>REPLICATION</literal> attribute (or be a superuser). Access for the role must be |
501 | | - configured in <filename>pg_hba.conf</filename> and it must have the |
502 | | - <literal>LOGIN</literal> attribute. |
| 511 | + the <literal>REPLICATION</literal> attribute (or be a superuser). If the |
| 512 | + role lacks <literal>SUPERUSER</literal> and <literal>BYPASSRLS</literal>, |
| 513 | + publisher row security policies can execute. If the role does not trust |
| 514 | + all table owners, include <literal>options=-crow_security=off</literal> in |
| 515 | + the connection string; if a table owner then adds a row security policy, |
| 516 | + that setting will cause replication to halt rather than execute the policy. |
| 517 | + Access for the role must be configured in <filename>pg_hba.conf</filename> |
| 518 | + and it must have the <literal>LOGIN</literal> attribute. |
503 | 519 | </para> |
504 | 520 |
|
505 | 521 | <para> |
|