On 9/23/23 03:57, Jeff Davis wrote:
> IIUC there is really one use case here, which is for superuser to
> define a subscription including the connection, and then change the
> owner to a non-superuser to actually run it (without being able to
> touch the connection string itself). I'd just document that in its own
> section, and mention a few caveats / mistakes to avoid. For instance,
> when the superuser is defining the connection, don't forget to set
> password_required=false, so that when you reassign to a non-superuser
> then the connection doesn't break.

Hi,

I tried adding a section in "Logical Replication > Subscription" with the text you suggested and links in the CREATE / ALTER SUBSCRIPTION commands.

Is it better?

--
Benoit Lobréau
Consultant
http://dalibo.com
From f3f1b0ce8617971b173ea901c9735d8357955aa2 Mon Sep 17 00:00:00 2001
From: benoit <benoit.lobr...@dalibo.com>
Date: Thu, 12 Oct 2023 16:45:11 +0200
Subject: [PATCH] Doc patch for password_required

Add documentation regarding non-superuser subscriptions with
password_required=true.
---
 doc/src/sgml/logical-replication.sgml     | 32 +++++++++++++++++++++++
 doc/src/sgml/ref/alter_subscription.sgml  |  3 ++-
 doc/src/sgml/ref/create_subscription.sgml |  3 ++-
 3 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/doc/src/sgml/logical-replication.sgml b/doc/src/sgml/logical-replication.sgml
index 3b2fa1129e..c3faaf88cd 100644
--- a/doc/src/sgml/logical-replication.sgml
+++ b/doc/src/sgml/logical-replication.sgml
@@ -329,6 +329,38 @@
    </para>
   </sect2>
 
+  <sect2 id="logical-replication-subscription-password-required">
+   <title>Password required</title>
+
+   <para>
+    <literal>password_required</literal> is a subscription parameter which specifies whether
+    connections to the publisher made as a result of this subscription must
+    use password authentication. This setting is ignored when the subscription
+    is owned by a superuser and set to <literal>true</literal> by default.
+   </para>
+
+   <para>
+    If you want to have a subscription managed by a non-superuser with a connection string without
+    a password, you have to set <literal>password_required = false</literal> before transferring it's
+    ownership. In that case, only superusers can modify the subscription.
+   <programlisting>
+test_pub=# CREATE SUBSCRIPTION test_sub CONNECTION 'host=somehost port=5432 user=repli dbname=tests_pub' PUBLICATION test_pub WITH (password_required=false);
+CREATE SUBSCRIPTION
+test_pub=# ALTER SUBSCRIPTION test_sub OWNER TO new_sub_owner;
+ALTER SUBSCRIPTION
+   </programlisting>
+   </para>
+
+   <warning>
+   <para>
+   If the connection string doesn't contain a password or the publication
+   side doesn't require a password during authentication and you have set
+   <literal>password_required = true</literal>before transferring ownership,
+   the subscription will start failing.
+   </para>
+   </warning>
+  </sect2>
+
   <sect2 id="logical-replication-subscription-examples">
     <title>Examples: Set Up Logical Replication</title>
 
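Review bot: the first paragraph of the new sect2 is ambiguous where it says "This setting is ignored when the subscription is owned by a superuser and set to <literal>true</literal> by default", because it reads as if the default were a second condition for ignoring the setting. Split it the way create_subscription.sgml already does: end the sentence after "owned by a superuser." and follow with "The default is <literal>true</literal>." Smaller points in the same hunk: "it's ownership" in the second paragraph should be "its ownership"; the warning is missing a space between "</literal>" and "before transferring ownership"; and the programlisting connects to dbname=tests_pub while the prompt and the publication are both called test_pub, so either align the names or give the subscriber database a distinct name so readers can tell which side the commands run on. Since the section is about who may own and modify a subscription that connects without a password, it would also help to state in the second paragraph that the commands are run by a superuser, which the text currently only implies.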
diff --git a/doc/src/sgml/ref/alter_subscription.sgml b/doc/src/sgml/ref/alter_subscription.sgml
index a85e04e4d6..e061c96937 100644
--- a/doc/src/sgml/ref/alter_subscription.sgml
+++ b/doc/src/sgml/ref/alter_subscription.sgml
@@ -50,7 +50,8 @@ ALTER SUBSCRIPTION <replaceable class="parameter">name</replaceable> RENAME TO <
    <literal>CREATE</literal> permission on the database. In addition,
    to alter the owner, you must be able to <literal>SET ROLE</literal> to the
    new owning role. If the subscription has
-   <literal>password_required=false</literal>, only superusers can modify it.
+   <literal>password_required=false</literal>, only superusers can modify it
+   (See <xref linkend="logical-replication-subscription-password-required"/>).
   </para>
 
   <para>
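Review bot: the added parenthetical "(See <xref .../>)" sits inside the sentence before its closing period, so "See" should be lowercase: "(see <xref linkend="logical-replication-subscription-password-required"/>)". As placed, the cross-reference is attached only to the statement that superusers alone can modify such a subscription, while the linked section is mainly about setting password_required before changing the owner. Because this paragraph is the one describing ownership changes, consider a standalone sentence after the period that points readers to the section for the ownership-transfer caveat.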
diff --git a/doc/src/sgml/ref/create_subscription.sgml b/doc/src/sgml/ref/create_subscription.sgml
index c1bafbfa06..33ad3d12c7 100644
--- a/doc/src/sgml/ref/create_subscription.sgml
+++ b/doc/src/sgml/ref/create_subscription.sgml
@@ -361,7 +361,8 @@ CREATE SUBSCRIPTION <replaceable class="parameter">subscription_name</replaceabl
           of this subscription must use password authentication. This setting
           is ignored when the subscription is owned by a superuser.
           The default is <literal>true</literal>. Only superusers can set
-          this value to <literal>false</literal>.
+          this value to <literal>false</literal>
+          (See <xref linkend="logical-replication-subscription-password-required"/>).
          </para>
         </listitem>
        </varlistentry>
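Review bot: the new "(See <xref .../>)" on the line after "this value to <literal>false</literal>" has the same mid-sentence capital as in alter_subscription.sgml and should read "(see <xref .../>)". The parameter description still says nothing about the failure mode the new section warns about (a subscription with the default password_required = true breaking once it is owned by a non-superuser and the connection does not use a password). A short clause naming that case next to the xref would give readers a reason to follow the link from the reference page.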
-- 
2.41.0
