Mark Stosberg <mark at summersault.com> writes:
> The docs in firstdb.sgml say
>
> "The <envar>REPLICATIONUSER</envar> needs to be a &postgres; superuser."
>
>>From my own testing, that doesn't seem to be true. I connect as a user
> that owns the database it's connecting to (and all objects in it), and
> that seems to be sufficient.
>
> I did use the PostgreSQL super-user for the dump/schema restore and
> adding in the PL/pgSQL language, but it doesn't seem to be necessary
> for the ongoing replication process.
>
> (Or have I just not run into a hidden danger of not being a super-user?)

Most of the time, it does not need to have superuser access.

However, any time schema alterations need to be done, it most
certainly does.

We can point to those moments with some comprehensiveness:
- When installing Slony-I on a node (INIT CLUSTER/STORE NODE)
- When asking to replicate a table (SET ADD TABLE)
- When manipulating subscriptions (SUBSCRIBE SET, MOVE SET, DROP SET)
- DDL (EXECUTE SCRIPT)

It might very well be an interesting project to modify Slony-I to try
to minimize its use of privileges.  That is, to use two users, one
with fairly minimal permissions, and one that is an all-reaching
superuser.  Only those events requiring a superuser would be invoked
by that user.

This would introduce some new complexity in that connections would
need to get opened and closed somewhat more frequently, since certain
events would require superuser access much as others wouldn't.

The perceived increased safety might make this effort worthwhile to
some would-be developer or sponsor.

It seems to me that it would probably be reasonable to do the
partitioning on the basis of events, that is, which events require
superuser access, and which events do not.
-- 
"cbbrowne","@","ca.afilias.info"
<http://dba2.int.libertyrms.com/>
Christopher Browne
(416) 673-4124 (land)