Geo: Failover can be done by any user
I noticed that the PostgreSQL trigger file is `/tmp/postgresql.trigger`. Does that mean that any user logged in can initiate a Geo failover on the secondary by creating the file? This seems like a giant security hole.
/cc: @brodock, @nick.thomas
- change default `recovery.conf` template to not include `trigger_file`
- fix `gitlab-ctl promote-to-primary-node` to use `pg_ctl promote` instead of `touch /tmp/postgresql.trigger`
Merge Requests:
- master: https://dev.gitlab.org/gitlab/omnibus-gitlab/merge_requests/55
- 10.5: https://dev.gitlab.org/gitlab/omnibus-gitlab/merge_requests/56
- 10.4: https://dev.gitlab.org/gitlab/omnibus-gitlab/merge_requests/57
- master: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/586 (documentation fix for source install)
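As an added audit example (not omnibus-gitlab code), the check below parses a `recovery.conf` and flags a `trigger_file` placed in a directory that other users can write to, which is the exposure this issue describes; the sample configurations are constructed and the directory-permission test can be swapped in for deterministic use.

```python
"""Audit a PostgreSQL recovery.conf for a trigger_file in a world-writable directory.

A standby promotes itself as soon as trigger_file exists, so a path under /tmp
(sticky bit or not, any local user can create a new file there) lets any local
account trigger a Geo failover. Added example; sample configs are constructed.
"""
import os
import re
import stat

# key = 'quoted value' (with '' as an escaped quote) or key = bareword; '#' starts a comment.
_LINE_RE = re.compile(r"^\s*(\w+)\s*=\s*(?:'((?:[^']|'')*)'|([^#\s]+))")

SAMPLE_VULNERABLE = """# constructed sample mirroring the template the issue complains about
standby_mode = 'on'
primary_conninfo = 'host=primary port=5432 user=gitlab_replicator password=it''s'
trigger_file = '/tmp/postgresql.trigger'
"""

SAMPLE_FIXED = """# constructed sample: no trigger_file, promotion happens via pg_ctl promote
standby_mode = 'on'
primary_conninfo = 'host=primary port=5432 user=gitlab_replicator'
"""

def parse_recovery_conf(text):
    """Return a dict of recovery.conf settings with quoting removed."""
    settings = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            value = m.group(2) if m.group(2) is not None else m.group(3)
            settings[m.group(1)] = value.replace("''", "'")
    return settings

def dir_is_world_writable(path):
    """True if the directory that would hold `path` grants write to 'others'."""
    parent = os.path.dirname(path) or "."
    try:
        return bool(os.stat(parent).st_mode & stat.S_IWOTH)
    except FileNotFoundError:
        return False  # cannot judge a missing directory; report nothing

def audit_trigger_file(text, world_writable=dir_is_world_writable):
    """Return a list of findings (empty means no trigger_file exposure found)."""
    trigger = parse_recovery_conf(text).get("trigger_file")
    if trigger is None:
        return []
    findings = []
    if not os.path.isabs(trigger):
        findings.append(f"trigger_file {trigger!r} is relative; resolve it against the data directory")
    if world_writable(trigger):
        findings.append(f"trigger_file {trigger!r} sits in a world-writable directory: "
                        "any local user can promote this standby by creating it")
    return findings
```

Run `audit_trigger_file(open("/var/opt/gitlab/postgresql/data/recovery.conf").read())` on a secondary to check a live file; an empty list is the expected result once the template no longer sets `trigger_file`.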
Edited by Gabriel Mazetto