doc: Add note about lack of publication privileges

This gives some additional advice on using row filters and column lists on publications securely. Author: Antonin Houska <ah@cybertec.at> Reviewed-by: Euler Taveira <euler@eulerto.com> Discussion: https://www.postgresql.org/message-id/flat/20330.1652105397@antos
2025-03-01 19:45:33 +08:00 · 2022-11-01 14:18:37 +01:00 · 2022-11-01 14:18:37 +01:00 · 84387fc889
commit 84387fc889
parent 2ea5de296e
1 changed files with 11 additions and 0 deletions
--- a/doc/src/sgml/logical-replication.sgml
+++ b/doc/src/sgml/logical-replication.sgml
@ -1570,6 +1570,17 @@ CONTEXT:  processing remote data for replication origin "pg_16395" during "INSER
   schema automatically, the user must be a superuser.
  </para>

+  <para>
+   There are currently no privileges on publications.  Any subscription (that
+   is able to connect) can access any publication.  Thus, if you intend to
+   hide some information from particular subscribers, such as by using row
+   filters or column lists, or by not adding the whole table to the
+   publication, be aware that other publications in the same database could
+   expose the same information.  Publication privileges might be added to
+   <productname>PostgreSQL</productname> in the future to allow for
+   finer-grained access control.
+  </para>
+
  <para>
   To create a subscription, the user must be a superuser.
  </para>