Re: Streaming replication as a separate permissions

On Mon, Dec 27, 2010 at 14:51, Simon Riggs <simon(at)2ndquadrant(dot)com> wrote:
> On Mon, 2010-12-27 at 14:41 +0100, Magnus Hagander wrote:
>> >> >
>> >> > Where does pg_start_backup()/stop fit?
>> >>
>> >> Good question :)
>> >>
>> >> Given that the integrated-base-backup would call it for you, that one
>> >> would definitely get it automatically.
>> >>
>> >> Given that the latest discissions seem to have most people wanting the
>> >> replication role *not* to be allowed to log in and run general SQL, we
>> >> should not drive the start/stop backup permissions from that
>> >> privilege.
>> >
>> > So what your suggesting would actually defeat the purpose of having the
>> > new privilege. Unless we trust in a new, untried method. Hmmm.
>>
>> No, it doesn't.
>>
>> In my experience, most DBAs will connect with their DBA account
>> (usually the superuser, yes..) to run pg_start_backup() and
>> pg_stop_backup(). That's no reason to let the slave sever run with
>> superuser privileges all the time...
>
> Remember the standby's superuser id is exactly the same as the main
> server's superuserid. So unless you are going to stop the standby from
> knowing its own superusers there's no huge benefit there. Is that what
> you mean to do?

I'm sorry, I have no idea what you mean by that.

You will certainly be able to log into the standby with a superuser
account, nobody is preventing that. This is about protecting the
*master*. For example, from modifications made by a user who hacked
the standby.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/