Re: Possibility to disable `ALTER SYSTEM` - Mailing list pgsql-hackers

From Robert Haas
Subject Re: Possibility to disable `ALTER SYSTEM`
Date
Msg-id CA+TgmoZVDaw4FoxG4yszE3XC7E21C7porBZ4XzpfTR0HMskcLw@mail.gmail.com
Whole thread Raw
In response to Re: Possibility to disable `ALTER SYSTEM`  (Maciek Sakrejda <m.sakrejda@gmail.com>)
Responses Re: Possibility to disable `ALTER SYSTEM`
List pgsql-hackers
On Thu, Mar 14, 2024 at 5:15 PM Maciek Sakrejda <m.sakrejda@gmail.com> wrote:
> It's not a security feature: it's a usability feature.
>
> It's a usability feature because, when Postgres configuration is
> managed by an outside mechanism (e.g., as in a Kubernetes
> environment), ALTER SYSTEM currently allows a superuser to make
> changes that appear to work, but may be discarded at some point in the
> future when that outside mechanism updates the config. They may also
> be represented incorrectly in a management dashboard if that dashboard
> is based on the values in the outside configuration mechanism, rather
> than values directly from Postgres.
>
> In this case, the end user with access to Postgres superuser
> privileges presumably also has access to the outside configuration
> mechanism. The goal is not to prevent them from changing settings, but
> to offer guard rails that prevent them from changing settings in a way
> that will be unstable (revertible by a future update) or confusing
> (not showing up in a management UI).
>
> There are challenges here in making sure this is _not_ seen as a
> security feature. But I do think the feature itself is sensible and
> worthwhile.

This is what I would have said if I'd tried to offer an explanation,
except you said it better than I would have done.

--
Robert Haas
EDB: http://www.enterprisedb.com



pgsql-hackers by date:

Previous
From: Tatsuro Yamada
Date:
Subject: Re: Fix the synopsis of pg_md5_hash
Next
From: Thomas Munro
Date:
Subject: Re: broken JIT support on Fedora 40