Re: Streaming replication as a separate permissions
Peter Eisentraut <peter_e@gmx.net>
From: Peter Eisentraut <peter_e@gmx.net>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Josh Berkus <josh@agliodbs.com>, Robert Haas <robertmhaas@gmail.com>, Magnus Hagander <magnus@hagander.net>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2010-12-30T14:54:28Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Allow Win32 to compile under MinGW. Major changes are:
- 12c942383296 7.4.1 cited
On tor, 2010-12-23 at 17:29 -0500, Tom Lane wrote: > Josh Berkus <josh@agliodbs.com> writes: > > On 12/23/10 2:21 PM, Tom Lane wrote: > >> Well, that's one laudable goal here, but "secure by default" is another > >> one that ought to be taken into consideration. > > > I don't see how *not* granting the superuser replication permissions > > makes things more secure. The superuser can grant replication > > permissions to itself, so why is suspending them by default beneficial? > > I'm not following your logic here. > > Well, the reverse of that is just as true: if we ship it without > replication permissions on the postgres user, people can change that if > they'd rather not create a separate role for replication. But I think > we should encourage people to NOT do it that way. Setting it up that > way by default hardly encourages use of a more secure arrangement. I think this argument is a bit inconsistent in the extreme. You might as well argue that a superuser shouldn't have any permissions by default, to discourage users from using it. They can always grant permissions back to it. I don't see why this particular one is so different. If we go down this road, we'll end up with a mess of permissions that a superuser has and doesn't have.