On 2021-Apr-20, Andres Freund wrote:
> On 2021-04-19 13:55:13 -0400, Robert Haas wrote:
> > Another possible approach would be to accept connections for
> > monitoring purposes even during crash recovery. We can't allow access
> > to any database at that point, since the system might not be
> > consistent, but we could allow something like a replication connection
> > (the non-database-associated variant). Maybe it would be precisely a
> > replication connection and we'd just refuse all but a subset of
> > commands, or maybe it would be some other kinds of thing. But either
> > way you'd be able to issue a command in some mini-language saying "so,
> > tell me how startup is going" and it would reply with a result set of
> > some kind.
>
> The hard part about this seems to be how to perform authentication -
> obviously we can't do catalog lookups for users at that time.
Maybe a way to do this would involve some sort of monitoring cookie
that's obtained ahead of time (maybe at initdb time?) and is supplied to
the frontend by some OOB means. Then frontend can present that during
startup to the server, which ascertains its legitimacy without having to
access catalogs. Perhaps it even requires a specific pg_hba.conf rule.
--
Álvaro Herrera Valdivia, Chile
"La verdad no siempre es bonita, pero el hambre de ella sí"
