Re: allow_system_table_mods stuff - Mailing list pgsql-hackers
From | Stephen Frost |
---|---|
Subject | Re: allow_system_table_mods stuff |
Date | |
Msg-id | 20190621165855.GP2480@tamriel.snowman.net Whole thread Raw |
In response to | Re: allow_system_table_mods stuff (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses |
Re: allow_system_table_mods stuff
|
List | pgsql-hackers |
Greetings, * Tom Lane (tgl@sss.pgh.pa.us) wrote: > Robert Haas <robertmhaas@gmail.com> writes: > > I kinda feel like we should prohibit DML on system catalogs, even by > > superusers, unless you press the big red button that says "I am > > definitely sure that I know what I'm doing." > > Keep in mind that DML-on-system-catalogs is unfortunately a really > standard hack in extension upgrade scripts. (If memory serves, > some of our contrib scripts do that, and we've certainly told third > parties that it's the only way out of some box or other.) I don't > think we can just shut it off. What you seem to be proposing is to > allow it only after > > SET allow_system_table_mods = on; That's basically what my feeling is, yes. > which would be all right except that an extension script containing > such a command will fail outright in existing releases. I think we > need to be friendlier than that to extension authors who are, for the > most part, trying to work around some deficiency of ours not theirs. As with other cases where someone needs to do DML against the catalog for some reason or another- we should fix that. If there's example cases, great! Let's look at those and come up with a proper solution. Other options include- letting an extension set that GUC (seems likely that any case where this is needed is a case where the extension is installing C functions and therefore is being run by a superuser anyway...), or implicitly setting that GUC when we're running an extension's script (urrggghhhh... I don't care for that one bit, but I like it better than letting any superuser who wishes UPDATE random bits in the catalog). > I'm not saying that DML-off-by-default is a bad goal to work toward; > I'm just saying "mind the collateral damage". Sure, makes sense. > > A related issue is that alter_system_table_mods prohibits both stuff > > that's probably not going to cause any big problem and stuff that is > > almost guaranteed to make the system permanently unusable - e.g. you > > could 'SET STORAGE' on a system catalog column, which is really pretty > > innocuous, or you could change the oid column of pg_database to a > > varlena type, which is guaranteed to destroy the universe. Here > > again, maybe some operations should be more protected than others, or > > maybe the relatively safe things just shouldn't be subject to > > allow_system_table_mods at all. > > Meh. It doesn't really seem to me that distinguishing these cases > is a productive use of code space or maintenance effort. Superusers > are assumed to know what they're doing, and most especially so if > they've hit the big red button. The direction I took the above was that we should actually be thinking about if there are acceptable cases to be running DDL against the catalog and, if so, specifically allow those. I'm not convinced at the moment that any such exist and therefore I'd rather have it denied (unless you push the big red button) and then tell people to show us their use case and then we can decide if it's an 'ok' thing to allow, or what. I'd really like to stop the cases like stackoverflow articles that describe how to "remove" an enum value by simply modifying the catalog, or at least make them have to add a "well, push this big red button first that the PG people tell you never to push, and then.." to the start. Thanks, Stephen
Attachment
pgsql-hackers by date: