Security Considerations

4.11. Security Considerations

The simplest and most common way of deploying Slony-I has been to create a Slony-I database user account on all nodes in the system and give that account database superuser privileges. This allows Slony-I to do "anything it needs."

In some environments, this is too much privilege to give out to an automated system, so this section describes how to minimize the privileges given out.

4.11.1. Minimum Privileges

The minimum privileges for running each component of Slony-I may be more specifically described.

slonik

The slonik admin connections need to connect to the database as a database superuser. As part of the installation of Slony-I, the slonik program will create C language functions in the database. This requires superuser access. Some slonik commands will enable and disable indicies which by manipulating pg_class. This also requires superuser access.

slon Local Connection

Each slon instance has a 'local' database connection. This is the database connection that is specified on the either the slon command line or the slon configuration file.

Slon needs to connect to this database with considerable "write" privileges, and requires superuser access in a couple of places.

It must be able to

  • Alter pg_class to deactivate indices when preparing to COPY a table

  • Make alterations to any of the Slony-I created tables

  • Make modifications (INSERT/UPDATE/DELETE/ALTER) to all replicated tables.

slon Remote Connections

The Remote slon connection information is specified in the SLONIK STORE PATH command when adding paths. The slon daemon needs to connect to remote databases with sufficient permissions to:

  • SELECT from sl_event

  • SELECT the sl_log_1 and sl_log_2 tables

  • SELECT any replicated tables that originate on the remote node. This is done as part of the initial COPY during the subscription process

Note that this role does not have any need to modify data; it purely involves SELECT access.

4.11.2. Lowering Authority Usage from Superuser

Traditionally, it has been stated that "Slony-I needs to use superuser connections." It turns out that this is not actually true, and and if there are particular concerns about excessive use of superuser roles, it is possible to reduce the "security demands" of Slony-I considerably.

It is simplest to have the replication management user be a superuser, as, in that case, one need not think about what permissions to configure, but this is excessive.

There is only actually one place where Slony-I truly requires superuser access, and that is during the subscription process, as it uses a "hack" to substantially improve performance, updating the system catalogue directly to shut off indices during the COPY. This functionality is restricted to two functions, as of version 2.1, with disable_indexes_on_table() and enable_indexes_on_table(), which may appropriate superuser permissions if configured with SECURITY DEFINER. If these two functions are owned by a superuser, then that is all the database superuser access that is required.

One could set up a "weak user" assigned to all slon requests. The minimal permissions that this user, let's call it weakuser, requires are as follows:

  • It must have read access to the Slony-I-specific namespace

  • It must have read access to all tables and sequences in that namespace

  • It must have write access to the Slony-I table sl_nodelock and sequence sl_nodelock_nl_conncnt_seq

  • At subscribe time, it must have read access to all of the replicated tables.

    Outside of subscription time, there is no need for access to access to the replicated tables.

  • There is some need for read access to tables in pg_catalog; it has not been verified how little access would be suitable.

  • As mentioned, the functions for disabling and re-enabling indexes during the subscription process must be owned by a superuser, and must be accessible to the "weak user."

4.11.3. Other Good Security Practices

In order to be able to clearly identify which logical roles are being used, it seems advisable to set up users specifically for use by replication, one or more slony users.

As already discussed, these users may have specific permissions attached to indicate what capabilities they are intended to have.

It is also useful for these users to be present so that system monitoring and log monitoring processes are apprised of "who" is doing things in the environment.