On Mon, 2006-07-31 at 09:52 -0400, Tom Lane wrote:
> Andrew Dunstan <andrew@dunslane.net> writes:
> > Martijn van Oosterhout wrote:
> >> Maybe someone should look into enabling slony to not run as a
> >> superuser?
>
> > That was my initial reaction to this suggestion. But then I realised
> > that it might well make sense to have a separate connection-limited
> > superuser for Slony purposes (or any other special purpose) alongside an
> > unlimited superuser.
>
> Actually, the real question in my mind is why Slony can't be trusted
> to use the right number of connections to start with. If you don't
> trust it that far, what are you doing letting it into your database as
> superuser to start with?
I generally try to apply reasonable restrictions on all activities that
take place on my systems unless the machine was dedicated for that task
(in which case the limitations are those of the machine).
When things go wrong, and they almost always do eventually, these types
of restrictions ensure that only the one process grinds to a halt
instead of the entire environment.
Cron jobs are another area that is frequently implemented incorrectly.
Implementing checks to see if it is already running is overlooked enough
that I would like to restrict them as well.
This is less important since roles now allow multiple users to take
ownership of a relation; fewer jobs need to run as a superuser.
--
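The "is it already running" check the message says cron jobs usually lack, written out as an added example (this is not code from the thread or from Slony). It assumes a POSIX sh on a local filesystem, a lock directory path chosen by the caller, and a job that can safely be skipped with EX_TEMPFAIL (75) when a previous run is still going; the lock directory name and the use of `mkdir` as the atomic primitive are choices made here, not anything the thread specifies.

```shell
#!/bin/sh
# Constructed example: a cron wrapper that refuses to start a second copy of a job.
# The lock is a directory, because mkdir either creates it or fails atomically,
# and it records the owner's PID so a lock abandoned by a crashed run can be
# told apart from one that is genuinely held.

# singleton LOCKDIR CMD [ARGS...]
# Runs CMD under LOCKDIR and returns CMD's exit status, or 75 (EX_TEMPFAIL)
# when another live process already holds the lock.
singleton() {
    lockdir=$1; shift
    if ! mkdir "$lockdir" 2>/dev/null; then
        # Lock exists: is its recorded owner still alive?
        owner=$(cat "$lockdir/pid" 2>/dev/null)
        if [ -n "$owner" ] && kill -0 "$owner" 2>/dev/null; then
            echo "singleton: $lockdir held by pid $owner, not starting" >&2
            return 75
        fi
        # Stale lock left by a dead process: reclaim it. (Two wrappers
        # reclaiming at the same instant could both get here; the second
        # mkdir below still serialises them.)
        rm -rf "$lockdir"
        mkdir "$lockdir" 2>/dev/null || return 75
    fi
    # $$ is this script's PID when run from cron at top level, which is the
    # process a later run will probe with kill -0.
    echo $$ > "$lockdir/pid"
    # Release the lock however the job ends: normal exit, INT or TERM.
    trap 'rm -rf "$lockdir"' EXIT INT TERM
    "$@"
    status=$?
    rm -rf "$lockdir"
    trap - EXIT INT TERM
    return $status
}

# Typical crontab use (example invocation, not run here):
#   singleton /var/lock/slony-cleanup.lock /usr/local/bin/slony_cleanup.sh
```

The wrapper only bounds how many copies of one job run on one host; the per-role cap the thread is discussing is set on the database side with `ALTER ROLE name CONNECTION LIMIT n`, which PostgreSQL enforces regardless of how many clients try to connect as that role.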