On Thu, Dec 23, 2010 at 16:57, Robert Haas <robertmhaas@gmail.com> wrote:
> On Thu, Dec 23, 2010 at 10:54 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Robert Haas <robertmhaas@gmail.com> writes:
>>> I haven't looked at the patch yet, but I think we should continue to
>>> allow superuser-ness to be *sufficient* for replication - i.e.
>>> superusers will automatically have the replication privilege just as
>>> they do any other - and merely allow this as an option for when you
>>> want to avoid doing it that way.
>>
>> I don't particularly mind breaking that. If we leave it as-is, we'll
>> be encouraging people to use superuser accounts for things that don't
>> need that, which can't be good from a security standpoint.
>
> And if we break it, we'll be adding an additional, mandatory step to
> make replication work that isn't required today. You might think
> that's OK, but I think the majority opinion is that it's already
> excessively complex.
Most of the people I run across in the real world are rather surprised
how *easy* it is to set up, and not how complex. And tbh, the only
complexity complaints I've heard there are about the requirement to
start/backup/stop to get it up and running. I've always told everybody
to create a separate account to do it, and not heard a single comment
about that.
That said, how about a compromise in that we add the replication flag
by default to the initial superuser when it's created? That way, it's
at least possible to remove it if you want to. Would that address your
complexity concern?
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/