Make superuser imply replication privilege. The idea of a privilege that

superuser doesn't have doesn't make much sense, as a superuser can do
whatever he wants through other means, anyway. So instead of granting
replication privilege to superusers in CREATE USER time by default, allow
replication connection from superusers whether or not they have the
replication privilege.

Patch by Noah Misch, per discussion on bug report #6264

2 files changed, 2 insertions, 12 deletions

diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index a90f0b1ffef..9a88c907894 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -239,16 +239,7 @@ CreateRole(CreateRoleStmt *stmt)
 	if (dpassword && dpassword->arg)
 		password = strVal(dpassword->arg);
 	if (dissuper)
-	{
 		issuper = intVal(dissuper->arg) != 0;
-
-		/*
-		 * Superusers get replication by default, but only if NOREPLICATION
-		 * wasn't explicitly mentioned
-		 */
-		if (issuper && !(disreplication && intVal(disreplication->arg) == 0))
-			isreplication = 1;
-	}
 	if (dinherit)
 		inherit = intVal(dinherit->arg) != 0;
 	if (dcreaterole)
diff --git a/src/backend/utils/init/postinit.c b/src/backend/utils/init/postinit.c
index f9e4dbc0c08..1baa67da9ff 100644
--- a/src/backend/utils/init/postinit.c
+++ b/src/backend/utils/init/postinit.c
@@ -659,11 +659,10 @@ InitPostgres(const char *in_dbname, Oid dboid, const char *username,
 	{
 		Assert(!bootstrap);
 
-		/* must have authenticated as a replication role */
-		if (!is_authenticated_user_replication_role())
+		if (!superuser() && !is_authenticated_user_replication_role())
 			ereport(FATAL,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be replication role to start walsender")));
+					 errmsg("must be superuser or replication role to start walsender")));
 
 		/* process any options passed in the startup packet */
 		if (MyProcPort != NULL)