patroni: Repeat ! Exception when working with leader ... in check_leader_is_not_in_recovery ... permission denied for database "postgres"
Please return to the problem from issue #2256.
CyberDem0n proposes to give the REPLICATION user the right to connect, and thus to give it more rights than are necessary for processing the replication protocol.
I think this approach is wrong. The documentation clearly says: do not give more rights than required. STREAMING-REPLICATION-AUTHENTICATION
The Patroni settings have a place to set up a separate user, which is meant to be used in this part of the code!

```yaml
authentication:
  rewind:
```
Commit https://github.com/zalando/patroni/commit/3e1076a5746b4d7f313eaba0ff374824644c8ab1 fully removed this opportunity.
Being able to build system security in the desired way is an important advantage! Otherwise, everyone would always work with SuperUser rights 😃
However, this is not the case.
CyberDem0n, this approach destroys the security of the system!
Please roll back this COMMIT!
About this issue
- State: closed
- Created 2 years ago
- Reactions: 1
- Comments: 24 (11 by maintainers)
I still don’t understand why, in response to issue https://github.com/zalando/patroni/issues/2162, you simply didn’t indicate that what is required in this case is to use a separate rewind user (which is applicable for these cases in your config and code), but changed the requirements for replication user rights and the credentials of the check_leader_is_not_in_recovery() function. It is not correct.
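The role separation this thread argues about, as an added example that is not part of the original issue or Patroni's own code. The role names `replicator` and `rewind_user`, the `CHANGE_ME` passwords and the `REVOKE` precondition are assumptions; the function grants are the ones the PostgreSQL pg_rewind documentation lists for a non-superuser source connection (PostgreSQL 11+).

```sql
-- Assumed precondition: CONNECT on "postgres" is not open to every role.
-- (By default PUBLIC holds CONNECT on every database.)
REVOKE CONNECT ON DATABASE postgres FROM PUBLIC;

-- Replication role (name is a placeholder): only the REPLICATION attribute,
-- no database-level grants. pg_hba.conf would admit it for the
-- "replication" pseudo-database only.
CREATE ROLE replicator WITH LOGIN REPLICATION PASSWORD 'CHANGE_ME';

-- Separate role (name is a placeholder) for ordinary SQL sessions on the
-- leader, matching the authentication -> rewind section of the config.
CREATE ROLE rewind_user WITH LOGIN PASSWORD 'CHANGE_ME';
GRANT CONNECT ON DATABASE postgres TO rewind_user;

-- Functions pg_rewind calls on the source server when not run as superuser.
GRANT EXECUTE ON FUNCTION pg_catalog.pg_ls_dir(text, boolean, boolean) TO rewind_user;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_stat_file(text, boolean) TO rewind_user;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_read_binary_file(text) TO rewind_user;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_read_binary_file(text, bigint, bigint, boolean) TO rewind_user;

-- Audit: which cluster roles can open a regular session on "postgres"?
-- A replication role that reports can_connect_postgres = false will get
-- 'permission denied for database "postgres"' on any non-replication
-- connection, which is the error in this issue's title.
SELECT r.rolname,
       r.rolsuper,
       r.rolreplication,
       has_database_privilege(r.rolname, 'postgres', 'CONNECT') AS can_connect_postgres
FROM pg_catalog.pg_roles AS r
WHERE r.rolname IN ('replicator', 'rewind_user')
ORDER BY r.rolname;
```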