At Fri, 8 May 2020 01:02:11 -0400, Alvaro Herrera <alvhe...@2ndquadrant.com> wrote in
> On 2020-May-07, Tom Lane wrote:
>
> > FWIW, I would argue that LOGIN permits logging in on a regular SQL
> > connection, while REPLICATION should permit logging in on a
> > replication connection, and there's no reason for either to depend on
> > or require the other.
>
> I agree with this.
I agree, too. Anyway, it is unreasonable that a user is banned for the
lack of the replication attribute after a successful *replication* login.

LOG:  replication connection authorized: user=user1 application_name=psql
FATAL:  must be superuser or replication role to start walsender

> > >> Also- what about per-database connections?  Does having REPLICATION mean
> > >> you get to override the CONNECT privileges on a database, if you're
> > >> connecting for the purposes of doing logical replication?
> >
> > No, why would it?  Should LOGIN privilege mean you can override
> > CONNECT?  That's nonsense.  You need the respective privilege
> > to connect with the protocol you want to connect with, and you
> > also need CONNECT on the DB you want to connect to.
>
> And this.

A user can start physical replication without needing CONNECT on any
database if it has the REPLICATION attribute. That means any user that
is allowed logical replication on a specific database (or even no
databases) can replicate the whole cluster using physical
replication. I don't think it is a proper behavior from the security
perspective. It seems to me that we need to restrict physical
replication to require CONNECT privilege on all databases, or separate
physical replication privilege from logical replication privilege.

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center
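An added audit query for the situation described in this message (it is not part of the thread and not PostgreSQL's own code): it lists every login role that carries the REPLICATION attribute together with the databases it does and does not hold CONNECT on. The role and database names in the sample setup are constructed; the catalog columns and has_database_privilege() are standard PostgreSQL.

```sql
-- Added example, not from the original thread or from PostgreSQL itself.
-- Sample setup with constructed names: a role intended for logical
-- replication of one database only, with CONNECT revoked elsewhere.
CREATE DATABASE app_db;
CREATE DATABASE hr_db;
REVOKE CONNECT ON DATABASE app_db, hr_db FROM PUBLIC;
CREATE ROLE logrep_user LOGIN REPLICATION PASSWORD 'example-only';
GRANT CONNECT ON DATABASE app_db TO logrep_user;

-- Audit: every login role with the REPLICATION attribute, paired with every
-- connectable database, and whether it holds CONNECT there.
-- has_connect = false marks a database the role cannot open a logical
-- replication connection to (replication=database), yet a physical
-- replication connection (replication=true) is checked only against
-- rolreplication and is not tied to any database, so the WAL of that
-- database is still readable by the role.
SELECT r.rolname,
       r.rolsuper,
       d.datname,
       has_database_privilege(r.oid, d.oid, 'CONNECT') AS has_connect
FROM pg_roles r
CROSS JOIN pg_database d
WHERE r.rolreplication
  AND r.rolcanlogin
  AND d.datallowconn
ORDER BY r.rolname, d.datname;
```

With the sample setup, logrep_user shows has_connect = true for app_db and false for hr_db. To confirm the behaviour the message describes against a live cluster, compare `psql "user=logrep_user dbname=hr_db replication=database"` (rejected for lack of CONNECT) with `psql "user=logrep_user replication=true"` followed by IDENTIFY_SYSTEM (accepted, since physical replication needs only the REPLICATION attribute).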