mirror of https://github.com/postgres/postgres.git synced 2025-12-21 05:21:08 +03:00

Give superusers REPLICATION permission by default

This can be overridden by using NOREPLICATION on the CREATE ROLE
statement, but by default they will have it, making it backwards
compatible and "less surprising" (given that superusers normally
override all checks).
Magnus Hagander
2011-01-05 14:24:17 +01:00
parent 3302334b48
commit 66a8a0428d
6 changed files with 22 additions and 10 deletions

@@ -175,7 +175,11 @@ CREATE USER <replaceable>name</replaceable>;
to do most of your work as a role that is not a superuser.
To create a new database superuser, use <literal>CREATE ROLE
<replaceable>name</replaceable> SUPERUSER</literal>. You must do
this as a role that is already a superuser.
this as a role that is already a superuser. Creating a superuser
will by default also grant permissions to initiate streaming
replication. For increased security this can be disallowed using
<literal>CREATE ROLE <replaceable>name</replaceable> SUPERUSER
NOREPLICATION</literal>.
</para>
</listitem>
</varlistentry>
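Review bot: The added sentences in the superuser paragraph describe the default only for role creation ("Creating a superuser will by default also grant permissions to initiate streaming replication") and give only a CREATE ROLE form for opting out. Please state whether an existing role that is later made a superuser with ALTER ROLE also picks up the replication permission, and how to remove it from a superuser that already exists, since an administrator hardening a running cluster needs that case rather than the creation-time one. It would also help to say here that this is a permission assigned when the role is created and not a superuser bypass of the check, because the NOREPLICATION form only makes sense under that reading.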
@@ -214,9 +218,8 @@ CREATE USER <replaceable>name</replaceable>;
<listitem>
<para>
A role must explicitly be given permission to initiate streaming
replication (superusers do not bypass this check). A role used
for streaming replication must always have <literal>LOGIN</>
permission as well. To create such a role, use
replication. A role used for streaming replication must always
have <literal>LOGIN</> permission as well. To create such a role, use
<literal>CREATE ROLE <replaceable>name</replaceable> REPLICATION
LOGIN</literal>.
</para>
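Review bot: After dropping the parenthetical, the replication paragraph still opens with "A role must explicitly be given permission to initiate streaming replication", which now conflicts with the superuser paragraph earlier in the same file, where superusers receive that permission by default without it being given explicitly. Suggest rewording to say that non-superuser roles must be given the permission explicitly, and adding a short pointer to the superuser entry noting that a superuser created with NOREPLICATION is still subject to this check. Without that, a reader who lands only on this entry gets no indication that superuser accounts can initiate streaming replication unless it was disallowed.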