
Commit c5114e4

Doc: Outline REPLICATION before SUPERUSER privilege

The following docs are updated:
- High-availability section
- pg_basebackup
- pg_receivewal

Per the principle of least privilege, we want to encourage users to interact with those areas using roles that have replication rights, but superusers were mentioned first.

Author: Daniel Gustafsson
Reviewed-by: Fujii Masao, Michael Paquier
Discussion: https://postgr.es/m/ECEBD212-7101-41EB-84F3-2F356E4B6401@yesql.se
1 parent 849ac35 commit c5114e4

3 files changed: +17 -14 lines changed

doc/src/sgml/high-availability.sgml

+8-6
Original file line numberDiff line numberDiff line change
@@ -827,12 +827,14 @@ archive_cleanup_command = 'pg_archivecleanup /path/to/archive %r'
827827
It is very important that the access privileges for replication be set up
828828
so that only trusted users can read the WAL stream, because it is
829829
easy to extract privileged information from it. Standby servers must
830-
authenticate to the primary as a superuser or an account that has the
831-
<literal>REPLICATION</literal> privilege. It is recommended to create a
832-
dedicated user account with <literal>REPLICATION</literal> and <literal>LOGIN</literal>
833-
privileges for replication. While <literal>REPLICATION</literal> privilege gives
834-
very high permissions, it does not allow the user to modify any data on
835-
the primary system, which the <literal>SUPERUSER</literal> privilege does.
830+
authenticate to the primary as an account that has the
831+
<literal>REPLICATION</literal> privilege or a superuser. It is
832+
recommended to create a dedicated user account with
833+
<literal>REPLICATION</literal> and <literal>LOGIN</literal>
834+
privileges for replication. While <literal>REPLICATION</literal>
835+
privilege gives very high permissions, it does not allow the user to
836+
modify any data on the primary system, which the
837+
<literal>SUPERUSER</literal> privilege does.
836838
</para>
837839

838840
<para>
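Review bot: At new lines 830-831, "an account that has the REPLICATION privilege or a superuser" still offers superuser as an equal alternative, so the least-privilege intent stated in the commit message rests on word order alone. Consider ending the requirement at the REPLICATION privilege and mentioning superuser in a separate clause as possible but not needed, since lines 835-837 already explain that SUPERUSER, unlike REPLICATION, allows modifying data on the primary.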

doc/src/sgml/ref/pg_basebackup.sgml

+2-2
Original file line numberDiff line numberDiff line change
@@ -51,8 +51,8 @@ PostgreSQL documentation
5151
<para>
5252
The backup is made over a regular <productname>PostgreSQL</productname>
5353
connection, and uses the replication protocol. The connection must be made
54-
with a superuser or a user having <literal>REPLICATION</literal>
55-
permissions (see <xref linkend="role-attributes"/>),
54+
with a user having <literal>REPLICATION</literal> permissions
55+
(see <xref linkend="role-attributes"/>) or a superuser,
5656
and <filename>pg_hba.conf</filename> must explicitly permit the replication
5757
connection. The server must also be configured
5858
with <xref linkend="guc-max-wal-senders"/> set high enough to leave at least
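Review bot: At new lines 54-55 the parenthetical xref now sits between the two alternatives, so "a user having REPLICATION permissions (see ...) or a superuser," can be misread as the permissions clause also governing "a superuser". Writing "or as a superuser" would keep the two options distinct. The wording here is also "permissions", while high-availability.sgml in the same commit says "privilege"; using one term across the three files would read better.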

doc/src/sgml/ref/pg_receivewal.sgml

+7-6
Original file line numberDiff line numberDiff line change
@@ -68,12 +68,13 @@ PostgreSQL documentation
6868
<para>
6969
The write-ahead log is streamed over a regular
7070
<productname>PostgreSQL</productname> connection and uses the replication
71-
protocol. The connection must be made with a superuser or a user
72-
having <literal>REPLICATION</literal> permissions (see
73-
<xref linkend="role-attributes"/>), and <filename>pg_hba.conf</filename>
74-
must permit the replication connection. The server must also be
75-
configured with <xref linkend="guc-max-wal-senders"/> set high enough to
76-
leave at least one session available for the stream.
71+
protocol. The connection must be made with a user having
72+
<literal>REPLICATION</literal> permissions (see
73+
<xref linkend="role-attributes"/>) or a superuser, and
74+
<filename>pg_hba.conf</filename> must permit the replication connection.
75+
The server must also be configured with
76+
<xref linkend="guc-max-wal-senders"/> set high enough to leave at least
77+
one session available for the stream.
7778
</para>
7879

7980
<para>
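Review bot: The hunk rewraps the whole paragraph (old lines 71-76 become new lines 71-77) for a word-order change in one sentence, which buries the actual edit; keeping the original line breaks for the untouched sentences about pg_hba.conf and max-wal-senders would make the diff easier to review. Separately, new line 74 says pg_hba.conf "must permit the replication connection", whereas pg_basebackup.sgml says "must explicitly permit"; since both paragraphs are being edited together, aligning the two is worth considering.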
