Re: ALTER SYSTEM vs symlink - Mailing list pgsql-hackers
| From | Stephen Frost |
|---|---|
| Subject | Re: ALTER SYSTEM vs symlink |
| Date | |
| Msg-id | 20151102204135.GB3685@tamriel.snowman.net Whole thread Raw |
| In response to | Re: ALTER SYSTEM vs symlink (Robert Haas <robertmhaas@gmail.com>) |
| Responses |
Re: ALTER SYSTEM vs symlink
(Robert Haas <robertmhaas@gmail.com>)
|
| List | pgsql-hackers |
* Robert Haas (robertmhaas@gmail.com) wrote: > On Mon, Nov 2, 2015 at 11:39 AM, Stephen Frost <sfrost@snowman.net> wrote: > > This is all very environment specific. Changes to postgresql.conf, in > > many environments, go through a serious of tests before being deployed > > by a CM system. How do we accomplish the same kind of tests before > > deploying a change with ALTER SYSTEM? We provide no mechanism to do > > that today. > > We provide no mechanism to put the changes to put postgresql.conf > changes through a series of tests before being deployed by a CM > system, either. But you can do that if you want. I'm trying to understand what you're getting at above and how it is actually an argument against my point, and I'm not able to do so. I wasn't suggesting that we need to provide a way for users to vet the changes to postgresql.conf but was rather saying that having ALTER SYSTEM means that if a user already has such a system, it can end up being defeated, as it were, by a user using ALTER SYSTEM. > Two different methods of restricting ALTER SYSTEM have already been > discussed on this thread: one using file permissions, and the other > using ProcessUtility_hook. I personally think that's good enough. The issue which I have with these suggestions is that one requires users to install an as-yet-unwritten module and the other is to hack with permissions in the data directory. As we've all seen, people playing in $PGDATA is generally a bad idea. > It's true that you could have a separate GUC for it, but then somebody > could lock themselves out by turning the GUC on using ALTER SYSTEM, so > now you've made things easier for one group of users while creating a > new pitfall for another group of users. I'm not sure we really come > out ahead, there. We wouldn't have to make it a GUC. If we decided to anyway, we could certainly disable the ability to modify it through ALTER SYSTEM, or ignore it if we find it in postgresql.auto.conf as it surely wouldn't make any sense to have it there. The original idea here was to add an include line for .auto.conf. That would certainly have made me happy. Unfortunately, by not doing that, we've painted ourselves into a corner that's rather ugly to get out of, since we can't now say that such an include line is required for ALTER SYSTEM to work. It wasn't my intent to get into such a discussion regarding ALTER SYSTEM at this time- there are more important activities at hand, and the ship has largely sailed on what I had been asking for originally. Perhaps we can discuss it again in the future but I'm certainly happy to drop the it for now. Thanks! Stephen
pgsql-hackers by date: