|
513 | 513 | <sect1 id="logical-replication-security"> |
514 | 514 | <title>Security</title> |
515 | 515 |
|
| 516 | + <para> |
| 517 | + A user able to modify the schema of subscriber-side tables can execute |
| 518 | + arbitrary code as a superuser. Limit ownership |
| 519 | + and <literal>TRIGGER</literal> privilege on such tables to roles that |
| 520 | + superusers trust. Moreover, if untrusted users can create tables, use only |
| 521 | + publications that list tables explicitly. That is to say, create a |
| 522 | + subscription <literal>FOR ALL TABLES</literal> only when superusers trust |
| 523 | + every user permitted to create a non-temp table on the publisher or the |
| 524 | + subscriber. |
| 525 | + </para> |
| 526 | + |
516 | 527 | <para> |
517 | 528 | The role used for the replication connection must have |
518 | | - the <literal>REPLICATION</literal> attribute (or be a superuser). Access for the role must be |
519 | | - configured in <filename>pg_hba.conf</filename> and it must have the |
520 | | - <literal>LOGIN</literal> attribute. |
| 529 | + the <literal>REPLICATION</literal> attribute (or be a superuser). If the |
| 530 | + role lacks <literal>SUPERUSER</literal> and <literal>BYPASSRLS</literal>, |
| 531 | + publisher row security policies can execute. If the role does not trust |
| 532 | + all table owners, include <literal>options=-crow_security=off</literal> in |
| 533 | + the connection string; if a table owner then adds a row security policy, |
| 534 | + that setting will cause replication to halt rather than execute the policy. |
| 535 | + Access for the role must be configured in <filename>pg_hba.conf</filename> |
| 536 | + and it must have the <literal>LOGIN</literal> attribute. |
521 | 537 | </para> |
522 | 538 |
|
523 | 539 | <para> |
|