Greetings,
* Alvaro Herrera (alvherre@2ndquadrant.com) wrote:
> On 2020-Jun-24, Kyotaro Horiguchi wrote:
>
> > In logical replication, a replication role is intended to be
> > accessible only to the GRANTed databases. On the other hand the same
> > role can create a dead copy of the whole cluster, including
> > non-granted databases.
>
> In other words -- essentially, if you grant replication access to a role
> only to a specific database, they can steal the whole cluster.
>
> I don't see what's so great about that, but apparently people like it.
Sure, people who aren't in charge of security I'm sure like the ease of
use.
Doesn't mean it makes sense or that we should be supporting that. What
we should have is a way to allow administrators to configure a system
for exactly what they want to allow, and it doesn't seem like we're
doing that today and therefore we should fix it. This isn't the only
area we have that issue in.
Thanks,
Stephen