Discussion: Additional info for CREATE ROLE with REPLICATION


Additional info for CREATE ROLE with REPLICATION

From
Marcos Pegoraro
Date:
When a logical replication is created and a ROLE with REPLICATION clause is used for that, there is no info on [0] that that role needs to have read permission on those tables. CREATE PUBLICATION and CREATE SUBSCRIPTION commands work as expected but replication doesn't work, only an "access denied" is added to the logs.

So it would be good to explain that a GRANT is needed.


regards
Marcos


Re: Additional info for CREATE ROLE with REPLICATION

From
Chao Li
Date:

> On Nov 26, 2025, at 05:45, Marcos Pegoraro <marcos@f10.com.br> wrote:
>
> When a logical replication is created and a ROLE with REPLICATION clause is used for that, there is no info on [0] that that role needs to have read permission on those tables. CREATE PUBLICATION and CREATE SUBSCRIPTION commands works as expected but replication doesn't work, only a "access denied" is added on logs.
>
> So it would be good to explain that a GRANT is needed.
>
> [0] - https://www.postgresql.org/docs/current/sql-createrole.html
>
> regards
> Marcos
>
> <0001-Master - Additional info for create role with REPLICATION.diff>

Hi Marcos,

The statement you added is correct; however, I don’t think it is the right place to add the statement. “create role” just describes how to assign the replication attribute.

I found that in logical-replication.html, there is an explanation already:
```
  <para>
   In order to be able to copy the initial table or sequence data, the role
   used for the replication connection must have the <literal>SELECT</literal>
   privilege on a published table or sequence (or be a superuser).
  </para>
```

Best regards,
--
Chao Li (Evan)
HighGo Software Co., Ltd.
https://www.highgo.com/







Re: Additional info for CREATE ROLE with REPLICATION

From
Marcos Pegoraro
Date:
On Tue, Nov 25, 2025 at 23:22, Chao Li <li.evan.chao@gmail.com> wrote:
> <0001-Master - Additional info for create role with REPLICATION.diff>

ok, I understand that, but the REPLICATION paragraph says "A role having the REPLICATION attribute is a very highly privileged role". So the user thinks, well, if this role is a highly privileged role, he should have SELECT permission automatically, right? And it does not, so a warning like this would be fine, I think.

regards
Marcos

Re: Additional info for CREATE ROLE with REPLICATION

From
"David G. Johnston"
Date:
On Wednesday, November 26, 2025, Marcos Pegoraro <marcos@f10.com.br> wrote:
> On Tue, Nov 25, 2025 at 23:22, Chao Li <li.evan.chao@gmail.com> wrote:
> > <0001-Master - Additional info for create role with REPLICATION.diff>
>
> ok, I understand that, but the REPLICATION paragraph says "A role having the REPLICATION attribute is a very highly privileged role". So the user thinks, well, if this role is a highly privileged role, he should have SELECT permission automatically, right? And it does not, so a warning like this would be fine, I think.


Maybe the wording “highly privileged” should be reconsidered then to not imply never needing to apply grants.

It also occurs to me, that section probably would be better off with some cross-references to the sections that talk about replication in detail instead of putting the detail here.

So, maybe replace “highly privileged” with “additional grants might be necessary depending on whether you are doing (link) physical or (link) logical replication”.

David J.