Add REPLICATION privilege for ROLEs

This privilege is required to do Streaming Replication, instead of superuser, making it possible to set up a SR slave that doesn't have write permissions on the master. Superuser privileges do NOT override this check, so in order to use the default superuser account for replication it must be explicitly granted the REPLICATION permissions. This is backwards incompatible change, in the interest of higher default security.
2025-06-11 20:28:21 +03:00 · 2010-12-29 11:05:03 +01:00
parent f2ba1e994c
commit 9b8aff8c19
19 changed files with 189 additions and 32 deletions
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@ -1235,6 +1235,17 @@
      </entry>
     </row>

+     <row>
+      <entry><structfield>rolreplication</structfield></entry>
+      <entry><type>bool</type></entry>
+      <entry>
+       Role is a replication role. That is, this role can initiate streaming
+       replication (see <xref linkend="streaming-replication">) and set/unset
+       the system backup mode using <function>pg_start_backup</> and
+       <function>pg_stop_backup</>.
+      </entry>
+     </row>
+
     <row>
      <entry><structfield>rolconnlimit</structfield></entry>
      <entry><type>int4</type></entry>
--- a/doc/src/sgml/func.sgml
+++ b/doc/src/sgml/func.sgml
@ -13969,14 +13969,14 @@ SELECT set_config('log_statement_stats', 'off', false);
        <literal><function>pg_start_backup(<parameter>label</> <type>text</> <optional>, <parameter>fast</> <type>boolean</> </optional>)</function></literal>
        </entry>
       <entry><type>text</type></entry>
-       <entry>Prepare for performing on-line backup (restricted to superusers)</entry>
+       <entry>Prepare for performing on-line backup (restricted to superusers or replication roles)</entry>
      </row>
      <row>
       <entry>
        <literal><function>pg_stop_backup()</function></literal>
        </entry>
       <entry><type>text</type></entry>
-       <entry>Finish performing on-line backup (restricted to superusers)</entry>
+       <entry>Finish performing on-line backup (restricted to superusers or replication roles)</entry>
      </row>
      <row>
       <entry>
--- a/doc/src/sgml/high-availability.sgml
+++ b/doc/src/sgml/high-availability.sgml
@ -636,8 +636,8 @@ protocol to make nodes agree on a serializable transactional order.
   <para>
    If you want to use streaming replication, set up authentication on the
    primary server to allow replication connections from the standby
-    server(s); that is, provide a suitable entry or entries in
-    <filename>pg_hba.conf</> with the database field set to
+    server(s); that is, create a role and provide a suitable entry or
+    entries in <filename>pg_hba.conf</> with the database field set to
    <literal>replication</>.  Also ensure <varname>max_wal_senders</> is set
    to a sufficiently large value in the configuration file of the primary
    server.
@ -796,15 +796,28 @@ archive_cleanup_command = 'pg_archivecleanup /path/to/archive %r'
     It is very important that the access privileges for replication be set up
     so that only trusted users can read the WAL stream, because it is
     easy to extract privileged information from it.  Standby servers must
-     authenticate to the primary as a superuser account.
-     So a role with the <literal>SUPERUSER</> and <literal>LOGIN</>
-     privileges needs to be created on the primary.
+     authenticate to the primary as an account that has the
+     <literal>REPLICATION</> privilege. So a role with the
+     <literal>REPLICATION</> and <literal>LOGIN</> privileges needs to be
+     created on the primary.
    </para>
+
+    <note>
+     <para>
+      It is recommended that a dedicated user account is used for replication.
+      While it is possible to add  the <literal>REPLICATION</> privilege to
+      a superuser account for the purporses of replication, this is not
+      recommended. While <literal>REPLICATION</> privilege gives very high
+      permissions, it does not allow the user to modify any data on the
+      primary system, which the <literal>SUPERUSER</> privilege does.
+     </para>
+    </note>
+
    <para>
     Client authentication for replication is controlled by a
     <filename>pg_hba.conf</> record specifying <literal>replication</> in the
     <replaceable>database</> field. For example, if the standby is running on
-     host IP <literal>192.168.1.100</> and the superuser's name for replication
+     host IP <literal>192.168.1.100</> and the account name for replication
     is <literal>foo</>, the administrator can add the following line to the
     <filename>pg_hba.conf</> file on the primary:

@ -823,7 +836,7 @@ host    replication     foo             192.168.1.100/32        md5
     standby (specify <literal>replication</> in the <replaceable>database</>
     field).
     For example, if the primary is running on host IP <literal>192.168.1.50</>,
-     port <literal>5432</literal>, the superuser's name for replication is
+     port <literal>5432</literal>, the account name for replication is
     <literal>foo</>, and the password is <literal>foopass</>, the administrator
     can add the following line to the <filename>recovery.conf</> file on the
     standby:
--- a/doc/src/sgml/ref/alter_role.sgml
+++ b/doc/src/sgml/ref/alter_role.sgml
@ -31,6 +31,7 @@ ALTER ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replace
    | CREATEUSER | NOCREATEUSER
    | INHERIT | NOINHERIT
    | LOGIN | NOLOGIN
+    | REPLICATION | NOREPLICATION
    | CONNECTION LIMIT <replaceable class="PARAMETER">connlimit</replaceable>
    | [ ENCRYPTED | UNENCRYPTED ] PASSWORD '<replaceable class="PARAMETER">password</replaceable>'
    | VALID UNTIL '<replaceable class="PARAMETER">timestamp</replaceable>'
@ -63,7 +64,7 @@ ALTER ROLE <replaceable class="PARAMETER">name</replaceable> [ IN DATABASE <repl
   Attributes not mentioned in the command retain their previous settings.
   Database superusers can change any of these settings for any role.
   Roles having <literal>CREATEROLE</> privilege can change any of these
-   settings, but only for non-superuser roles.
+   settings, but only for non-superuser and non-replication roles.
   Ordinary roles can only change their own password.
  </para>

@ -127,6 +128,8 @@ ALTER ROLE <replaceable class="PARAMETER">name</replaceable> [ IN DATABASE <repl
      <term><literal>NOINHERIT</literal></term>
      <term><literal>LOGIN</literal></term>
      <term><literal>NOLOGIN</literal></term>
+      <term><literal>REPLICATION</literal></term>
+      <term><literal>NOREPLICATION</literal></term>
      <term><literal>CONNECTION LIMIT</literal> <replaceable class="parameter">connlimit</replaceable></term>
      <term><literal>PASSWORD</> <replaceable class="parameter">password</replaceable></term>
      <term><literal>ENCRYPTED</></term>
--- a/doc/src/sgml/ref/alter_user.sgml
+++ b/doc/src/sgml/ref/alter_user.sgml
@ -31,6 +31,7 @@ ALTER USER <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replace
    | CREATEUSER | NOCREATEUSER
    | INHERIT | NOINHERIT
    | LOGIN | NOLOGIN
+    | REPLICATION | NOREPLICATION
    | CONNECTION LIMIT <replaceable class="PARAMETER">connlimit</replaceable>
    | [ ENCRYPTED | UNENCRYPTED ] PASSWORD '<replaceable class="PARAMETER">password</replaceable>'
    | VALID UNTIL '<replaceable class="PARAMETER">timestamp</replaceable>'
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@ -31,6 +31,7 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
    | CREATEUSER | NOCREATEUSER
    | INHERIT | NOINHERIT
    | LOGIN | NOLOGIN
+    | REPLICATION | NOREPLICATION
    | CONNECTION LIMIT <replaceable class="PARAMETER">connlimit</replaceable>
    | [ ENCRYPTED | UNENCRYPTED ] PASSWORD '<replaceable class="PARAMETER">password</replaceable>'
    | VALID UNTIL '<replaceable class="PARAMETER">timestamp</replaceable>'
@ -174,6 +175,21 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
      </listitem>
     </varlistentry>

+     <varlistentry>
+      <term><literal>REPLICATION</literal></term>
+      <term><literal>NOREPLICATION</literal></term>
+      <listitem>
+       <para>
+        These clauses determine whether a role is allowed to initiate
+        streaming replication or put the system in and out of backup mode.
+        A role having the <literal>REPLICATION</> attribute is a very
+        highly privileged role, and should only be used on roles actually
+	used for replication. If not specified,
+        <literal>NOREPLICATION</literal> is the default.
+       </para>
+      </listitem>
+     </varlistentry>
+
     <varlistentry>
      <term><literal>CONNECTION LIMIT</literal> <replaceable class="parameter">connlimit</replaceable></term>
      <listitem>
--- a/doc/src/sgml/ref/create_user.sgml
+++ b/doc/src/sgml/ref/create_user.sgml
@ -31,6 +31,7 @@ CREATE USER <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
    | CREATEUSER | NOCREATEUSER
    | INHERIT | NOINHERIT
    | LOGIN | NOLOGIN
+    | REPLICATION | NOREPLICATION
    | CONNECTION LIMIT <replaceable class="PARAMETER">connlimit</replaceable>
    | [ ENCRYPTED | UNENCRYPTED ] PASSWORD '<replaceable class="PARAMETER">password</replaceable>'
    | VALID UNTIL '<replaceable class="PARAMETER">timestamp</replaceable>'