Re: On login trigger: take three - Mailing list pgsql-hackers

From Pavel Stehule
Subject Re: On login trigger: take three
Date
Msg-id CAFj8pRAwFnPQSOiP9b+rW_Mj5yE8sM-keYB_09DTtZz-8MyvBA@mail.gmail.com
In response to Re: On login trigger: take three  (Daniel Gustafsson <daniel@yesql.se>)
Responses Re: On login trigger: take three  (Daniel Gustafsson <daniel@yesql.se>)
List pgsql-hackers

Hi


+       {"enable_client_connection_trigger", PGC_SU_BACKEND, DEVELOPER_OPTIONS,
+               gettext_noop("Enables the client_connection event trigger."),
+               gettext_noop("In case of errors in the ON client_connection EVENT TRIGGER procedure, "
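
Review bot: DEVELOPER_OPTIONS on the enable_client_connection_trigger entry does not match how the long description presents the setting, as a recovery path for errors in the ON client_connection trigger procedure. Developer options are documented as not intended for production use, so a switch that administrators are expected to rely on during recovery belongs in a regular category and should be documented together with the event trigger. PGC_SU_BACKEND also limits the switch to superusers at connection start, so it offers nothing to roles that cannot connect as superuser.
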
 ..and..
+       /*
+        * Try to ignore error for superuser to make it possible to login even in case of errors
+        * during trigger execution
+        */
+       if (!is_superuser)
+               PG_RE_THROW();
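
Review bot: `if (!is_superuser) PG_RE_THROW();` makes the login trigger fail open for superusers: any error raised by the trigger, including one raised on purpose to reject or record a connection, is dropped for the most privileged roles. If the bypass stays, the swallowed error should at least be reported to the server log (the visible lines show no such report), and the comment should state that the trigger is not enforced for superusers, so nobody relies on it as an access control for them.
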
This patch adds two ways for superusers to bypass this event trigger in case of
it being faulty, but for every other event trigger we've documented to restart
in single-user mode and fix it there.  Why does this need to be different?
This clearly has a bigger chance of being a footgun but I don't see that as a
reason to add a GUC and a bypass that other footguns lack.



At the time when event triggers were introduced, managed services were not as widely used as they are now. When we discussed this feature, we thought about environments where users have no superuser rights and have no possibility to go to single mode.

Personally, I prefer to introduce some bypassing for event triggers instead of removing the bypass from login triggers.

Regards

Pavel


