Commit cec57b1

Document clashes between logical replication and untrusted users.
Back-patch to v10, which introduced logical replication. Security: CVE-2020-14349
1 parent 11da970 commit cec57b1
1 file changed

+19
-3
lines changed
‎doc/src/sgml/logical-replication.sgml

@@ -513,11 +513,27 @@
513513
<sect1 id="logical-replication-security">
514514
<title>Security</title>
515515

516+
<para>
517+
A user able to modify the schema of subscriber-side tables can execute
518+
arbitrary code as a superuser. Limit ownership
519+
and <literal>TRIGGER</literal> privilege on such tables to roles that
520+
superusers trust. Moreover, if untrusted users can create tables, use only
521+
publications that list tables explicitly. That is to say, create a
522+
subscription <literal>FOR ALL TABLES</literal> only when superusers trust
523+
every user permitted to create a non-temp table on the publisher or the
524+
subscriber.
525+
</para>
526+
516527
<para>
517528
The role used for the replication connection must have
518-
the <literal>REPLICATION</literal> attribute (or be a superuser). Access for the role must be
519-
configured in <filename>pg_hba.conf</filename> and it must have the
520-
<literal>LOGIN</literal> attribute.
529+
the <literal>REPLICATION</literal> attribute (or be a superuser). If the
530+
role lacks <literal>SUPERUSER</literal> and <literal>BYPASSRLS</literal>,
531+
publisher row security policies can execute. If the role does not trust
532+
all table owners, include <literal>options=-crow_security=off</literal> in
533+
the connection string; if a table owner then adds a row security policy,
534+
that setting will cause replication to halt rather than execute the policy.
535+
Access for the role must be configured in <filename>pg_hba.conf</filename>
536+
and it must have the <literal>LOGIN</literal> attribute.
521537
</para>
522538

523539
<para>
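
Review bot: In the rewritten replication-role paragraph (new lines 529-534), "include options=-crow_security=off in the connection string" does not say which connection string is meant. Name it as the subscription's connection string, so an administrator knows where the setting goes, and say that the halt it causes is the intended fail-closed outcome rather than a fault to work around. In the first added paragraph (new lines 520-524), "create a subscription FOR ALL TABLES" follows a sentence that treats table listing as a property of the publication ("use only publications that list tables explicitly"); wording such as "subscribe to a FOR ALL TABLES publication" would keep the two sentences consistent. That paragraph also states that schema modification on the subscriber leads to code execution as a superuser without giving the reason, and a short clause explaining why would help readers judge which privileges matter beyond ownership and TRIGGER.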
