Re: Streaming replication as a separate permissions

On Mon, Dec 27, 2010 at 14:25, Simon Riggs <simon(at)2ndquadrant(dot)com> wrote:
> On Mon, 2010-12-27 at 12:00 +0100, Magnus Hagander wrote:
>> On Mon, Dec 27, 2010 at 11:34, Simon Riggs <simon(at)2ndquadrant(dot)com> wrote:
>> > On Mon, 2010-12-27 at 10:36 +0100, Magnus Hagander wrote:
>> >> > Is backup part of this new privilege, or not?
>> >>
>> >> The "integrated base backup", once we have that, that's based on the
>> >> walsender protocol? yes.
>> >> pg_dump style backups? No.
>> >
>> > Where does pg_start_backup()/stop fit?
>>
>> Good question :)
>>
>> Given that the integrated-base-backup would call it for you, that one
>> would definitely get it automatically.
>>
>> Given that the latest discissions seem to have most people wanting the
>> replication role *not* to be allowed to log in and run general SQL, we
>> should not drive the start/stop backup permissions from that
>> privilege.
>
> So what your suggesting would actually defeat the purpose of having the
> new privilege. Unless we trust in a new, untried method. Hmmm.

No, it doesn't.

In my experience, most DBAs will connect with their DBA account
(usually the superuser, yes..) to run pg_start_backup() and
pg_stop_backup(). That's no reason to let the slave sever run with
superuser privileges all the time...

That said, I agree that the we shouldn't *prevent* the DBA from
setting up an account that is both superuser and replicator - just
that we shouldn't do it by default.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/