Greg Sabino Mullane:
> On Tue, Mar 19, 2024 at 12:05 PM Tom Lane <tgl@sss.pgh.pa.us
> <mailto:tgl@sss.pgh.pa.us>> wrote:
>
> If you aren't willing to build a solution that blocks off mods
> using COPY TO FILE/PROGRAM and other readily-available-to-superusers
> tools (plpythonu for instance), I think you shouldn't bother asking
> for a feature at all. Just trust your superusers.
>
>
> There is a huge gap between using a well-documented standard tool like
> ALTER SYSTEM and going out of your way to modify the configuration files
> through trickery. I think we need to only solve the former as in "hey,
> please don't do that because your changes will be overwritten"
Recap: The requested feature is not supposed to be a security feature.
It is supposed to prevent the admin from accidentally doing the wrong
thing - but not from willfully doing the same through different means.
This very much sounds like a "warning" - how about turning the feature
into one?
Have a GUC warn_on_alter_system = "<message>", which allows the
kubernetes operator to set it to something like "hey, please don't do
that because your changes will be overwritten. Use xyz operator instead.".
This will hardly be taken as a security feature by anyone, but should
essentially achieve what is asked for.
A more sophisticated way would be to make that GUC throw an error, but
have a syntax for ALTER SYSTEM to override this - i.e. similar to a
--force flag.
Best,
Wolfgang
