<note>
<para>
It is recommended that a dedicated user account is used for replication.
- While it is possible to add the <literal>REPLICATION</> privilege to
- a superuser account for the purporses of replication, this is not
- recommended. While <literal>REPLICATION</> privilege gives very high
+ While the <literal>REPLICATION</> privilege is granted to superuser
+ accounts by default, it is not recommended to use superuser accounts
+ for replication. While <literal>REPLICATION</> privilege gives very high
permissions, it does not allow the user to modify any data on the
primary system, which the <literal>SUPERUSER</> privilege does.
</para>
A role having the <literal>REPLICATION</> attribute is a very
highly privileged role, and should only be used on roles actually
used for replication. If not specified,
- <literal>NOREPLICATION</literal> is the default.
+ <literal>NOREPLICATION</literal> is the default for all roles except
+ superusers.
</para>
</listitem>
</varlistentry>
to do most of your work as a role that is not a superuser.
To create a new database superuser, use <literal>CREATE ROLE
<replaceable>name</replaceable> SUPERUSER</literal>. You must do
- this as a role that is already a superuser.
+ this as a role that is already a superuser. Creating a superuser
+ will by default also grant permissions to initiate streaming
+ replication. For increased security this can be disallowed using
+ <literal>CREATE ROLE <replaceable>name</replaceable> SUPERUSER
+ NOREPLICATION</literal>.
</para>
</listitem>
</varlistentry>
<listitem>
<para>
A role must explicitly be given permission to initiate streaming
- replication (superusers do not bypass this check). A role used
- for streaming replication must always have <literal>LOGIN</>
- permission as well. To create such a role, use
+ replication. A role used for streaming replication must always
+ have <literal>LOGIN</> permission as well. To create such a role, use
<literal>CREATE ROLE <replaceable>name</replaceable> REPLICATION
LOGIN</literal>.
</para>
if (dpassword && dpassword->arg)
password = strVal(dpassword->arg);
if (dissuper)
+ {
issuper = intVal(dissuper->arg) != 0;
+ /*
+ * Superusers get replication by default, but only if
+ * NOREPLICATION wasn't explicitly mentioned
+ */
+ if (!(disreplication && intVal(disreplication->arg) == 0))
+ isreplication = 1;
+ }
if (dinherit)
inherit = intVal(dinherit->arg) != 0;
if (dcreaterole)
*/
/* yyyymmddN */
-#define CATALOG_VERSION_NO 201101031
+#define CATALOG_VERSION_NO 201101051
#endif
* user choices.
* ----------------
*/
-DATA(insert OID = 10 ( "POSTGRES" t t t t t t f -1 _null_ _null_ ));
+DATA(insert OID = 10 ( "POSTGRES" t t t t t t t -1 _null_ _null_ ));
#define BOOTSTRAP_SUPERUSERID 10
projects / postgresql / commitdiff