summaryrefslogtreecommitdiffstats
path: root/doc/src/sgml/html/logical-replication-security.html
blob: 40d70609aa9cbbd56846aceeb12a3e8e5157608d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>31.9. Security</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="logical-replication-monitoring.html" title="31.8. Monitoring" /><link rel="next" href="logical-replication-config.html" title="31.10. Configuration Settings" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">31.9. Security</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="logical-replication-monitoring.html" title="31.8. Monitoring">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="logical-replication.html" title="Chapter 31. Logical Replication">Up</a></td><th width="60%" align="center">Chapter 31. Logical Replication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 15.5 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="logical-replication-config.html" title="31.10. Configuration Settings">Next</a></td></tr></table><hr /></div><div class="sect1" id="LOGICAL-REPLICATION-SECURITY"><div class="titlepage"><div><div><h2 class="title" style="clear: both">31.9. Security</h2></div></div></div><p>
   A user able to modify the schema of subscriber-side tables can execute
   arbitrary code as the role which owns any subscription which modifies those tables.  Limit ownership
   and <code class="literal">TRIGGER</code> privilege on such tables to trusted roles.
   Moreover, if untrusted users can create tables, use only
   publications that list tables explicitly.  That is to say, create a
   subscription <code class="literal">FOR ALL TABLES</code> or
   <code class="literal">FOR TABLES IN SCHEMA</code> only when superusers trust
   every user permitted to create a non-temp table on the publisher or the
   subscriber.
  </p><p>
   The role used for the replication connection must have
   the <code class="literal">REPLICATION</code> attribute (or be a superuser).  If the
   role lacks <code class="literal">SUPERUSER</code> and <code class="literal">BYPASSRLS</code>,
   publisher row security policies can execute.  If the role does not trust
   all table owners, include <code class="literal">options=-crow_security=off</code> in
   the connection string; if a table owner then adds a row security policy,
   that setting will cause replication to halt rather than execute the policy.
   Access for the role must be configured in <code class="filename">pg_hba.conf</code>
   and it must have the <code class="literal">LOGIN</code> attribute.
  </p><p>
   In order to be able to copy the initial table data, the role used for the
   replication connection must have the <code class="literal">SELECT</code> privilege on
   a published table (or be a superuser).
  </p><p>
   To create a publication, the user must have the <code class="literal">CREATE</code>
   privilege in the database.
  </p><p>
   To add tables to a publication, the user must have ownership rights on the
   table. To add all tables in schema to a publication, the user must be a
   superuser. To create a publication that publishes all tables or all tables in
   schema automatically, the user must be a superuser.
  </p><p>
   To create a subscription, the user must be a superuser.
  </p><p>
   The subscription apply process will run in the local database with the
   privileges of the subscription owner.
  </p><p>
   On the publisher, privileges are only checked once at the start of a
   replication connection and are not re-checked as each change record is read.
  </p><p>
   On the subscriber, the subscription owner's privileges are re-checked for
   each transaction when applied. If a worker is in the process of applying a
   transaction when the ownership of the subscription is changed by a
   concurrent transaction, the application of the current transaction will
   continue under the old owner's privileges.
  </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="logical-replication-monitoring.html" title="31.8. Monitoring">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="logical-replication.html" title="Chapter 31. Logical Replication">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="logical-replication-config.html" title="31.10. Configuration Settings">Next</a></td></tr><tr><td width="40%" align="left" valign="top">31.8. Monitoring </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 15.5 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 31.10. Configuration Settings</td></tr></table></div></body></html>