Re: Streaming replication as a separate permissions
From | Tom Lane |
---|---|
Subject | Re: Streaming replication as a separate permissions |
Date | |
Msg-id | 27513.1293136473@sss.pgh.pa.us |
In response to | Re: Streaming replication as a separate permissions (Magnus Hagander <magnus@hagander.net>) |
List | pgsql-hackers |
Magnus Hagander <magnus@hagander.net> writes:
> On Thu, Dec 23, 2010 at 16:57, Robert Haas <robertmhaas@gmail.com> wrote:
>> On Thu, Dec 23, 2010 at 10:54 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>>> I don't particularly mind breaking that. If we leave it as-is, we'll
>>> be encouraging people to use superuser accounts for things that don't
>>> need that, which can't be good from a security standpoint.

>> And if we break it, we'll be adding an additional, mandatory step to
>> make replication work that isn't required today. You might think
>> that's OK, but I think the majority opinion is that it's already
>> excessively complex.

> Most of the people I run across in the real world are rather surprised
> how *easy* it is to set up, and not how complex. And tbh, the only
> complexity complaints I've heard there are about the requirement to
> start/backup/stop to get it up and running. I've always told everybody
> to create a separate account to do it, and not heard a single comment
> about that.

FWIW, it seems unreasonable to me to expect that we will not be breaking
any part of a 9.0 replication configuration over the next release or
two. We *knew* we were shipping a rough version that would require
refinements, and this is one of the planned refinements.

> That said, how about a compromise in that we add the replication flag
> by default to the initial superuser when it's created? That way, it's
> at least possible to remove it if you want to. Would that address your
> complexity concern?

It does nothing to address my security concern. I want to discourage
people from using superuser accounts for this, full stop.

regards, tom lane