NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commit66a8a04

committed

Give superusers REPLIACTION permission by default

This can be overriden by using NOREPLICATION on the CREATE ROLEstatement, but by default they will have it, making it backwardscompatible and "less surprising" (given that superusers normallyoverride all checks).

1 parent3302334 commit66a8a04Copy full SHA for 66a8a04

File tree

6 files changed

+22

-10

lines changed

doc/src/sgml
src
- backend/commands
  - user.c
- include/catalog
  - catversion.h
  - pg_authid.h

6 files changed

+22

-10

lines changed

`‎doc/src/sgml/high-availability.sgml`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -805,9 +805,9 @@ archive_cleanup_command = 'pg_archivecleanup /path/to/archive %r'`
`805`	`805`	`<note>`
`806`	`806`	`<para>`
`807`	`807`	`It is recommended that a dedicated user account is used for replication.`
`808`		`- Whileit is possible to addthe <literal>REPLICATION</> privilegeto`
`809`		`-a superuser account for the purporses of replication, this is not`
`810`		`-recommended. While <literal>REPLICATION</> privilege gives very high`
	`808`	`+ While the <literal>REPLICATION</> privilegeis granted to superuser`
	`809`	`+accounts by default, it is not recommended to use superuser accounts`
	`810`	`+for replication. While <literal>REPLICATION</> privilege gives very high`
`811`	`811`	`permissions, it does not allow the user to modify any data on the`
`812`	`812`	`primary system, which the <literal>SUPERUSER</> privilege does.`
`813`	`813`	`</para>`

`‎doc/src/sgml/ref/create_role.sgml`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -185,7 +185,8 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac`
`185`	`185`	`A role having the <literal>REPLICATION</> attribute is a very`
`186`	`186`	`highly privileged role, and should only be used on roles actually`
`187`	`187`	`used for replication. If not specified,`
`188`		`- <literal>NOREPLICATION</literal> is the default.`
	`188`	`+ <literal>NOREPLICATION</literal> is the default for all roles except`
	`189`	`+ superusers.`
`189`	`190`	`</para>`
`190`	`191`	`</listitem>`
`191`	`192`	`</varlistentry>`

`‎doc/src/sgml/user-manag.sgml`

Lines changed: 7 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -175,7 +175,11 @@ CREATE USER <replaceable>name</replaceable>;`
`175`	`175`	`to do most of your work as a role that is not a superuser.`
`176`	`176`	`To create a new database superuser, use <literal>CREATE ROLE`
`177`	`177`	`<replaceable>name</replaceable> SUPERUSER</literal>. You must do`
`178`		`- this as a role that is already a superuser.`
	`178`	`+ this as a role that is already a superuser. Creating a superuser`
	`179`	`+ will by default also grant permissions to initiate streaming`
	`180`	`+ replication. For increased security this can be disallowed using`
	`181`	`+ <literal>CREATE ROLE <replaceable>name</replaceable> SUPERUSER`
	`182`	`+ NOREPLICATION</literal>.`
`179`	`183`	`</para>`
`180`	`184`	`</listitem>`
`181`	`185`	`</varlistentry>`
`@@ -214,9 +218,8 @@ CREATE USER <replaceable>name</replaceable>;`
`214`	`218`	`<listitem>`
`215`	`219`	`<para>`
`216`	`220`	`A role must explicitly be given permission to initiate streaming`
`217`		`- replication (superusers do not bypass this check). A role used`
`218`		`- for streaming replication must always have <literal>LOGIN</>`
`219`		`- permission as well. To create such a role, use`
	`221`	`+ replication. A role used for streaming replication must always`
	`222`	`+ have <literal>LOGIN</> permission as well. To create such a role, use`
`220`	`223`	`<literal>CREATE ROLE <replaceable>name</replaceable> REPLICATION`
`221`	`224`	`LOGIN</literal>.`
`222`	`225`	`</para>`

`‎src/backend/commands/user.c`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -248,7 +248,15 @@ CreateRole(CreateRoleStmt *stmt)`
`248`	`248`	`if (dpassword&&dpassword->arg)`
`249`	`249`	`password=strVal(dpassword->arg);`
`250`	`250`	`if (dissuper)`
	`251`	`+{`
`251`	`252`	`issuper=intVal(dissuper->arg)!=0;`
	`253`	`+/*`
	`254`	`+ * Superusers get replication by default, but only if`
	`255`	`+ * NOREPLICATION wasn't explicitly mentioned`
	`256`	`+ */`
	`257`	`+if (!(disreplication&&intVal(disreplication->arg)==0))`
	`258`	`+isreplication=1;`
	`259`	`+}`
`252`	`260`	`if (dinherit)`
`253`	`261`	`inherit=intVal(dinherit->arg)!=0;`
`254`	`262`	`if (dcreaterole)`

`‎src/include/catalog/catversion.h`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,6 @@`
`53`	`53`	`*/`
`54`	`54`
`55`	`55`	`/yyyymmddN /`
`56`		`-#defineCATALOG_VERSION_NO201101031`
	`56`	`+#defineCATALOG_VERSION_NO201101051`
`57`	`57`
`58`	`58`	`#endif`

`‎src/include/catalog/pg_authid.h`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ typedef FormData_pg_authid *Form_pg_authid;`
`93`	`93`	`* user choices.`
`94`	`94`	`* ----------------`
`95`	`95`	`*/`
`96`		`-DATA(insertOID=10 ("POSTGRES"ttttttf-1_null__null_ ));`
	`96`	`+DATA(insertOID=10 ("POSTGRES"ttttttt-1_null__null_ ));`
`97`	`97`
`98`	`98`	`#defineBOOTSTRAP_SUPERUSERID 10`
`99`	`99`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit66a8a04

File tree

6 files changed

6 files changed

`‎doc/src/sgml/high-availability.sgml`

`‎doc/src/sgml/ref/create_role.sgml`

`‎doc/src/sgml/user-manag.sgml`

`‎src/backend/commands/user.c`

`‎src/include/catalog/catversion.h`

`‎src/include/catalog/pg_authid.h`

0 commit comments