Thread: Per-database and per-user GUC settings
As hinted somewhere within the schema-objects thread, I'm implementing GUC
settings that are stored in the pg_shadow and pg_database system catalogs
and are activated in sessions for that user or database.
The basic functionality is done, although two issues sort of need a show
of hands. First, the order in which these settings are processed: I
figured user should be last. I've also got these settings for each group,
but this would mean that if a user is a member of more than one group he
gets a rather random processing order. Any comments on that? If the
group thing stays, I think the most reasonable processing order is
database, groups, user, since it would be weird to have database between
groups and user.
Second, we need a few commands to set these things. My first thought was
SET {USER name | DATABASE name} [SESSION] DEFAULT varname TO value;
but it would also make sense to have
ALTER {USER name | DATABASE name} SET DEFAULT varname TO value;
Or there could be other permutations that are more or less wordy.
Suggestions? Perhaps a reference to another RDBMS can give a hint.
--
Peter Eisentraut peter_e@gmx.net
Peter Eisentraut <peter_e@gmx.net> writes:
> The basic functionality is done, although two issues sort of need a show
> of hands. First, the order in which these settings are processed: I
> figured user should be last.
Meaning the user setting wins if there's a conflict? Fine.
> I've also got these settings for each group,
> but this would mean that if a user is a member of more than one group he
> gets a rather random processing order.
That bothers me; seems like it'll bite someone sooner or later. And I
don't see a compelling reason to have per-group settings if we have the
other two.
One issue you didn't mention is what security level these options are
assumed to have by GUC. That plays into what permissions are needed to
issue the SET/ALTER commands.
regards, tom lane
Tom Lane writes: > One issue you didn't mention is what security level these options are > assumed to have by GUC. That plays into what permissions are needed to > issue the SET/ALTER commands. Right. My design was, the SET/ALTER commands are allowed to be executed by the user for his own pg_shadow record, the database owner for his pg_database record, and superusers for everything. (Hmm, good we're not doing the group thing. Would have gotten tricky here.) Normal users can only add USERSET settings. Other settings provoke a NOTICE at runtime (if they happen to sneak in somehow) and will otherwise be ignored. Superusers can also add SUSET records to their per-user settings. I'm currently unsure about whether to allow superusers to add SUSET settings to the per-database settings, because it would mean that the database session would behave differently depending on what user invokes it. And since it's not widely known what settings have what permission, I'm afraid it could be confusing. On the other hand, superusers should know what they're doing. -- Peter Eisentraut peter_e@gmx.net
> Superusers can also add SUSET records to their per-user settings. I'm > currently unsure about whether to allow superusers to add SUSET settings > to the per-database settings, because it would mean that the database > session would behave differently depending on what user invokes it. Imho if the dba adds SUSET's to the per-database settings it should be set regardless of the user's privs. (Set with elevated rights) This setting would then be forced on the user, because he himself does not have the privs to change it himself. Andreas
"Zeugswetter Andreas SB SD" <ZeugswetterA@spardat.at> writes:
>> Superusers can also add SUSET records to their per-user settings. I'm
>> currently unsure about whether to allow superusers to add SUSET settings
>> to the per-database settings, because it would mean that the database
>> session would behave differently depending on what user invokes it.
> Imho if the dba adds SUSET's to the per-database settings it should be
> set regardless of the user's privs. (Set with elevated rights)
Yes, it would seem to make more sense to verify the privilege level of
the GUC variables during the SET/ALTER command, and then execute them
more-or-less unconditionally during actual startup. During the SET/ALTER
command you know who is trying to insert the value, and you can let
superusers and db owners do more than average users. But once the
variable has been successfully inserted, it should apply to everyone.
Example application: suppose we had a SUSET-level variable that controls
priority level of a backend (which we don't, but it makes a good example
case here). The superuser should be able to set this variable in the
per-user settings of a particular user; the user should then be unable
to change it himself. Note this is a different case from Andreas'
example of a per-database setting, but I agree with his example too.
regards, tom lane
Tom Lane writes: > Yes, it would seem to make more sense to verify the privilege level of > the GUC variables during the SET/ALTER command, and then execute them > more-or-less unconditionally during actual startup. OK, that makes sense to me, too. -- Peter Eisentraut peter_e@gmx.net
I've thought of some issues that I think will need to be addressed
before per-database/per-user GUC settings can become useful.
One thing that's bothered me for awhile is that GUC doesn't retain
any memory of how a variable acquired its present value. It tries to
resolve conflicts between different sources of values just by processing
the sources in "the right order". However this cannot work in general.
Some examples:
1. postgresql.conf contains a setting for some variable, say
sort_mem=1000. DBA starts postmaster with a command-line option to
override the variable, say --sort_mem=2000. Works fine, until he
SIGHUPs the postmaster for some unrelated reason, at which point
sort_mem snaps back to 1000.
2. User starts a session and says SET sort_mem=2000. Again, he
successfully overrides the postgresql.conf value ... but only as
long as he doesn't get SIGHUP'd.
These problems will get very substantially worse once we add
per-database and per-user GUC settings to the set of possible
value sources. I believe the correct fix is for GUC to define
a prioritized list of value sources (similar to the existing
PGC_ settings, but probably not quite the same) and remember which
source gave the current setting for each variable. Comparing that
to the source of a would-be new value tells you whether to accept
or ignore the new value. This would make GUC processing
order-insensitive which would be a considerable improvement (eg,
I think you could get rid of the ugly double-scan-of-options hack
in postmaster.c).
Another thought: DBAs will probably expect that if they change
per-database/per-user GUC settings, they can SIGHUP to make existing
backends take on those settings. Can we support this? If the
HUP is received outside any transaction then I guess we could start
a temporary transaction to read the tables involved. If we try to
process HUP at a command boundary inside a transaction then we risk
aborting the whole user's transaction if there's an error. Arguably
HUP should not be accepted while a transaction is in progress anyway,
so the simplest answer might be to not process HUP until we are at
the idle loop and there's no open transaction block.
The whole subject of reacting to errors in the per-database/per-user GUC
settings needs more thought, too. Worst case scenario: superuser messes
up his own per-user GUC settings to the point that he can't log in
anymore. Can we provide an escape hatch, or is he looking at an initdb
situation (without even the chance to run pg_dump first :-()? I think
the GUC code presently tries to avoid any elog while processing
postgresql.conf, so that it won't be the cause of backend startup
failures, but I'm not convinced that that approach scales. Certainly
if we are reading tables we cannot absolutely guarantee no elog.
regards, tom lane
Tom Lane writes: > One thing that's bothered me for awhile is that GUC doesn't retain > any memory of how a variable acquired its present value. It tries to > resolve conflicts between different sources of values just by processing > the sources in "the right order". However this cannot work in general. > Some examples: > > 1. postgresql.conf contains a setting for some variable, say > sort_mem=1000. DBA starts postmaster with a command-line option to > override the variable, say --sort_mem=2000. Works fine, until he > SIGHUPs the postmaster for some unrelated reason, at which point > sort_mem snaps back to 1000. This sort of thing was once considered a feature, until someone came along and overloaded SIGHUP for unreleated things. ;-) However, possibly this could be covered if we just didn't propagate the SIGHUP signal to the postmaster's children. For pg_hba.conf and friends, you don't need it at all once a session is started, and for postgresql.conf, the value of the "feature" is at least doubtful. Intuitively, the admin would probably expect his new settings to take effect in newly started sessions. If he wants to alter existing sessions it's probably best to signal the backend processes explicitly. > Another thought: DBAs will probably expect that if they change > per-database/per-user GUC settings, they can SIGHUP to make existing > backends take on those settings. I must disagree with this expectation. SIGHUP is restricted to re-reading configuations files. The per-database/per-user settings behave, in my mind, like SET commands executed immediately before the session loop starts. So once that session has started, they are no longer relevant. Imagine, a user edits his own convenience settings and the admin jumps in and edits some other unrelated setting in the same array -- all the sudden the user's new settings get activated. Admins probably don't want to interfere with users' running sessions, especially not asynchronously (from the user's point of view). If they don't like what the user is doing, kill the session. Otherwise they may do more harm than good. Now that I write this, not propagating the SIGHUP is something I would really favour. > The whole subject of reacting to errors in the per-database/per-user GUC > settings needs more thought, too. Worst case scenario: superuser messes > up his own per-user GUC settings to the point that he can't log in > anymore. Yes, that is one of my concerns too, but I don't see me rewiring the whole exception handling in the backend because of this. Consider, what is "messed up"? We don't have options that prevent login. Invalid option strings are effectively ignored. If you cannot read pg_database or pg_shadow you have more fundamental problems and you most likely won't get to the options processing at all. > Can we provide an escape hatch, or is he looking at an initdb > situation (without even the chance to run pg_dump first :-()? If the database settings are still messed up, you still have template1. (You generally wouldn't put actual settings into template1. -- You might as well put them into postgresql.conf then.) If template1 is blocked or the user's settings are messed up, you have a more fundamental problem, but it's not dissimilar to deleting all your users. We have an escape hatch for that: Start a standalone backend. (No options would be processed in that case.) -- Peter Eisentraut peter_e@gmx.net
> > 1. postgresql.conf contains a setting for some variable, say > > sort_mem=1000. DBA starts postmaster with a command-line option to > > override the variable, say --sort_mem=2000. Works fine, until he > > SIGHUPs the postmaster for some unrelated reason, at which point > > sort_mem snaps back to 1000. > > This sort of thing was once considered a feature, until someone came along > and overloaded SIGHUP for unreleated things. ;-) I agree we should not propagate config changes to children on SIGHUP. The only major question I had was that command-line flags get wiped out by postgresql.conf settings on SIGHUP. I know someone pointed this out but has a solution been proposed? That would surprise any admin. -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 853-3000+ If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania19026
Bruce Momjian wrote: > > > 1. postgresql.conf contains a setting for some variable, say > > > sort_mem=1000. DBA starts postmaster with a command-line option to > > > override the variable, say --sort_mem=2000. Works fine, until he > > > SIGHUPs the postmaster for some unrelated reason, at which point > > > sort_mem snaps back to 1000. > > > > This sort of thing was once considered a feature, until someone came along > > and overloaded SIGHUP for unreleated things. ;-) > > I agree we should not propagate config changes to children on SIGHUP. > The only major question I had was that command-line flags get wiped out > by postgresql.conf settings on SIGHUP. I know someone pointed this > out but has a solution been proposed? That would surprise any admin. Added to TODO: * Prevent SIGHUP and 'pg_ctl reload' from changing command line specified parameters to postgresql.conf defaults -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 853-3000+ If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania19026
Peter Eisentraut wrote: > Bruce Momjian writes: > > > I agree we should not propagate config changes to children on SIGHUP. > > The only major question I had was that command-line flags get wiped out > > by postgresql.conf settings on SIGHUP. I know someone pointed this > > out but has a solution been proposed? That would surprise any admin. > > I think it's desirable and fully intentional. How else would you override > command-line args without restarting the server? I can see where there > might be a concern, but in my mind, if you're using command-line arguments > in permanent setups, you're not trying hard enough. But right now, our command-line arguments override postgresql.conf only on startup; if they reload, postgresql.conf overrides command-line args. Seems very counter-intuitive to me. I can't think of an acceptable solution so the best one may be to just remove the command-line args completely. -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 853-3000+ If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania19026
Bruce Momjian writes: > I agree we should not propagate config changes to children on SIGHUP. > The only major question I had was that command-line flags get wiped out > by postgresql.conf settings on SIGHUP. I know someone pointed this > out but has a solution been proposed? That would surprise any admin. I think it's desirable and fully intentional. How else would you override command-line args without restarting the server? I can see where there might be a concern, but in my mind, if you're using command-line arguments in permanent setups, you're not trying hard enough. -- Peter Eisentraut peter_e@gmx.net
Peter Eisentraut <peter_e@gmx.net> writes:
> Tom Lane writes:
>> 1. postgresql.conf contains a setting for some variable, say
>> sort_mem=1000. DBA starts postmaster with a command-line option to
>> override the variable, say --sort_mem=2000. Works fine, until he
>> SIGHUPs the postmaster for some unrelated reason, at which point
>> sort_mem snaps back to 1000.
> This sort of thing was once considered a feature, until someone came along
> and overloaded SIGHUP for unreleated things. ;-)
Overloaded? SIGHUP still means what it's usually taken to mean, ie,
"re-read your configuration files". Whether the configuration data
lives in one file or several doesn't mean much AFAICS. In particular,
if I override a config setting with a command-line switch, I wouldn't
expect that overriding to stop working when I try to change some
unrelated value in postgresql.conf.
> However, possibly this could be covered if we just didn't propagate the
> SIGHUP signal to the postmaster's children. For pg_hba.conf and friends,
> you don't need it at all once a session is started, and for
> postgresql.conf, the value of the "feature" is at least doubtful.
> Intuitively, the admin would probably expect his new settings to take
> effect in newly started sessions. If he wants to alter existing sessions
> it's probably best to signal the backend processes explicitly.
I disagree with these conclusions entirely. If SIGHUP causes an
already-running postmaster to respond to config-file changes, why not
already-running backends too? If we had a monolithic server
implementation that didn't have any clear distinction between parent
and child processes, surely you'd not make the above argument. But
more to the point, I can see clear usefulness to the DBA in being able
to get existing backends to respond to config changes; I can't see any
clear usefulness in failing to do so.
>> Another thought: DBAs will probably expect that if they change
>> per-database/per-user GUC settings, they can SIGHUP to make existing
>> backends take on those settings.
> I must disagree with this expectation.
> SIGHUP is restricted to re-reading configuations files. The
> per-database/per-user settings behave, in my mind, like SET commands
> executed immediately before the session loop starts.
I think you are allowing implementation simplicity to color your idea of
what the DBA would like to have happen.
> Imagine, a user edits his own
> convenience settings and the admin jumps in and edits some other unrelated
> setting in the same array -- all the sudden the user's new settings get
> activated.
That's a fair point, but I don't envision the superuser inserting values
into other people's per-user GUC settings as a routine matter. That
seems to me to be roughly comparable to Unix root setting a new password
for someone; it's not done lightly. When it is done, arbitrary delays
until the setting takes effect aren't considered acceptable. The same
goes for changes to postgresql.conf.
In any case, I think we're talking at cross purposes, as none of the
above seems to me to be an argument against the point I was making.
Let me try to state it more clearly. It seems to me that the existing
GucContext mechanism folds together three considerations that are
logically distinct, thereby making the implementation both confusing
and restrictive:
1. When is it possible/rational to change a given setting? Two examples: the implementation doesn't physically
supportchanging shared_buffers after shared memory initialization; while things would still work if different
backendswere running with different log_pid settings, it's not really sensible for them to do so. Useful concepts
here include "fixed at postmaster start", "fixed at backend start", and "changeable anytime", and "system-wide" vs
"per-backend". With the addition of per-DB GUC settings, "database-wide" enters the vocabulary too.
2. From a security/privilege point of view, who should have the right to change a given setting, and over what span of
application? Right now the only concepts here are "superuser" vs "ordinary user" and "current session" vs "whole
installation". Adding database-wide GUC settings at least introduces the new concepts of "database owner" and "within
database".
3. Where did a given setting of a variable come from? (wired-in default, postmaster command line, config file,
backendoptions, SET command, soon to be augmented by per-DB and per-user table entries)
My argument is that consideration 3 should only be used directly to
determine which source wins when there is a conflict between different
valid sources of a given value (where validity is determined by
considerations 1 and 2). By making that comparison explicit, rather
than trying to use processing order as a substitute for it, we can avoid
the problems the current implementation has with dynamic changes of the
configuration source data.
You seem to be arguing that the current implementation isn't broken
because we can define away the need to support dynamic changes of
configuration data, but I don't buy that; at least not overall, even
if there are good arguments for restricting changes of particular
variables in particular scenarios.
>> The whole subject of reacting to errors in the per-database/per-user GUC
>> settings needs more thought, too. Worst case scenario: superuser messes
>> up his own per-user GUC settings to the point that he can't log in
>> anymore.
> Yes, that is one of my concerns too, but I don't see me rewiring the whole
> exception handling in the backend because of this.
No, of course not; my point was to make sure that there is some kind of
recovery path if things get horribly messed up.
> If the database settings are still messed up, you still have template1.
> (You generally wouldn't put actual settings into template1. -- You might
> as well put them into postgresql.conf then.)
Right. Should we wire that restriction into the code as a safety measure?
postgresql.conf can be changed without a functioning database system,
but a blown setting for template1 might really mess you up.
> If template1 is blocked or the user's settings are messed up, you have a
> more fundamental problem, but it's not dissimilar to deleting all your
> users. We have an escape hatch for that: Start a standalone backend.
> (No options would be processed in that case.)
Okay, if it's agreed that standalone backends ignore these settings then
I think we can survive a screwup.
regards, tom lane
Tom Lane wrote: > Bruce Momjian <pgman@candle.pha.pa.us> writes: > > I can't think of an acceptable solution so the best one may be to just > > remove the command-line args completely. > > I've been proposing a workable implementation in this very thread. Which is to track where the setting came from, right? I was thinking it wasn't workable because people were complaining about it. :-) -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 853-3000+ If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania19026
Peter Eisentraut <peter_e@gmx.net> writes:
> I think it's desirable and fully intentional. How else would you override
> command-line args without restarting the server?
I say you wouldn't. If it's on the command line then it overrides
postgresql.conf for that run of the postmaster; full stop, no "if"s.
If you wanted it to be changeable within-run by postgresql.conf then you
should have edited postgresql.conf to start with.
As the implementation currently works, applying a setting via the
command line is entirely unsafe unless you then back it up with fixing
the value in postgresql.conf; otherwise an unrelated change to
postgresql.conf, perhaps much later, blows the command-line setting
out of the water. You might as well eliminate command-line settings
entirely, if they have to be accompanied by a matching change in
postgresql.conf in order to work reliably.
IMHO the only reason we haven't gotten squawks about this is that
(a) the majority of uses of command-line arguments are for options
that can't be changed after postmaster start anyway (-i, -p, -B, -N);
(b) since the factory-default postgresql.conf has all settings commented
out, it doesn't actually cause reversions to happen at SIGHUP.
If any significant number of people were actually being exposed to the
current behavior, we'd be getting complaints; lots of 'em. At the
moment it's only a corner case because of considerations (a) and (b),
so few people have had it happen to them.
> but in my mind, if you're using command-line arguments
> in permanent setups, you're not trying hard enough.
You're essentially saying that command-line arguments are only useful
for prototyping changes that you intend to make in postgresql.conf
immediately thereafter. Again, why have we got a command-line option
facility at all? Might as well make the change in postgresql.conf
to begin with, if that's the viewpoint.
regards, tom lane
Bruce Momjian <pgman@candle.pha.pa.us> writes:
>> I've been proposing a workable implementation in this very thread.
> Which is to track where the setting came from, right? I was thinking it
> wasn't workable because people were complaining about it. :-)
Peter's complaining because he thinks the current behavior is OK.
AFAICT he isn't saying that my idea wouldn't make the behavior be
what you and I want, but that he doesn't like that behavior.
regards, tom lane
Bruce Momjian <pgman@candle.pha.pa.us> writes:
> I can't think of an acceptable solution so the best one may be to just
> remove the command-line args completely.
I've been proposing a workable implementation in this very thread.
regards, tom lane
Tom Lane wrote: > Bruce Momjian <pgman@candle.pha.pa.us> writes: > >> I've been proposing a workable implementation in this very thread. > > > Which is to track where the setting came from, right? I was thinking it > > wasn't workable because people were complaining about it. :-) > > Peter's complaining because he thinks the current behavior is OK. > AFAICT he isn't saying that my idea wouldn't make the behavior be > what you and I want, but that he doesn't like that behavior. Getting back to propogating SIGHUP to the children, if I have issued a SET in my session, does a postmaster SIGHUP wipe that out, and even if it doesn't, what if I do a SHOW early in my session, see the setting is OK, then find later that is is changed, for example, the ONLY inheritance setting. I guess what I am saying is that I see session stability as a feature, rather than propogating changes to running children, which I think could cause more harm than good. -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 853-3000+ If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania19026
Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Getting back to propogating SIGHUP to the children, if I have issued a
> SET in my session, does a postmaster SIGHUP wipe that out,
At present, yes it does, if postgresql.conf contains a conflicting
setting. I think everyone agrees that that's wrong. Peter proposes
to fix it by disabling backend response to SIGHUP entirely. I propose
to fix it by changing the code to explicitly understand that SET
overrides postgresql.conf values, regardless of when postgresql.conf
is scanned.
> and even if
> it doesn't, what if I do a SHOW early in my session, see the setting is
> OK, then find later that is is changed, for example, the ONLY
> inheritance setting.
That's a powerful example but I think it's a red herring. Changing the
system-wide default for a semantically critical value is not something
that one would do lightly or without preparation. If your applications
assume a particular inheritance setting, they're not going to be any
less broken if they connect immediately after the postgresql.conf change
occurs than if they connect just beforehand. An app that depends on a
specific setting should SET that value, not just SHOW it ... and if it
has SET the value, then that is what it will get for the duration of
its run, under either my proposal or Peter's.
Similarly, under my proposal per-user or per-database GUC settings would
override postgresql.conf settings even after SIGHUP, because the code
would explicitly treat them as doing so. Under Peter's proposal the
only way to maintain that priority relationship is to disable backends
from responding to SIGHUP altogether.
I believe that disabling SIGHUP response in backends is throwing the
baby out with the bathwater. There are plenty of examples where you
absolutely do want backends to respond to configuration changes: think
about any of the debug-logging or statistics-gathering options. If you
are trying to crank up the debug/stats level in order to find out why
your system is misbehaving *now*, it isn't going to help you if the
existing backends steadfastly ignore your attempt to change the setting.
A possible compromise is to distinguish between options that change
application-visible semantics (like inheritance, datestyle, etc)
and those that do not (logging options, sort_mem, the planner cost
settings, etc). It would be reasonable to treat the former as
"frozen after backend start unless changed via SET". It is not
reasonable to put the same straitjacket on all system settings,
however. I believe that my proposal could easily be extended to
support such behavior. Peter's approach is all-or-nothing.
regards, tom lane
Tom Lane writes:
> Let me try to state it more clearly. It seems to me that the existing
> GucContext mechanism folds together three considerations that are
> logically distinct, thereby making the implementation both confusing
> and restrictive:
(Nice explanation -- I'm beginning to buy it ;-) )
> 1. When is it possible/rational to change a given setting? Two examples:
> the implementation doesn't physically support changing shared_buffers
> after shared memory initialization; while things would still work
> if different backends were running with different log_pid settings,
> it's not really sensible for them to do so. Useful concepts here
> include "fixed at postmaster start", "fixed at backend start", and
> "changeable anytime", and "system-wide" vs "per-backend". With the
> addition of per-DB GUC settings, "database-wide" enters the
> vocabulary too.
So basically we map PGC_POSTMASTER => "fixed at postmaster start",
PGC_BACKEND => "fixed at backend start", PGC_{SIGHUP,SUSET,USERSET} =>
"changeable anytime".
Obviously, PGC_POSTMASTER is always system-wide and PGC_BACKEND,
PGC_SUSET, and PGC_USERSET are always per-backend. For PGC_SIGHUP, we
currently have this comment in the code:
/** Hmm, the idea of the SIGHUP context is "ought to be global,* but can be changed after postmaster start". But
there's*nothing that prevents a crafty administrator from sending* SIGHUP signals to individual backends only.*/
In fact, the options that are PGC_SIGHUP seem to be relying on this
global theme heavily, so let's count PGC_SIGHUP into system-wide.
So basically, you have four useful combinations of these settings, which
correspond to PGC_POSTMASTER, PGC_BACKEND, PGC_SIGHUP, and
PGC_{SUSET,USERSET}.
As for database-wide, I'm not sure how to interpret that. Does that mean,
this parameter must be the same for all concurrent sessions on the same
database? Is that something we ought to have?
> 2. From a security/privilege point of view, who should have the right to
> change a given setting, and over what span of application? Right now
> the only concepts here are "superuser" vs "ordinary user" and
> "current session" vs "whole installation". Adding database-wide GUC
> settings at least introduces the new concepts of "database owner" and
> "within database".
Superuser vs ordinary user doesn't have a lot of options: ordinary users
only get a shot at a subset of the "change anytime" + "per-backend
settings" settings, which splits up PGC_SUSET and PGC_USERSET.
Current session vs whole installation comes with the territory. What you
can set at postmaster start necessarily affects the whole installation.
Same with SIGHUP (probably, see concerns above). The rest is restricted
to the running session. (Unless you want to propagate changes from one
session to another -- that seems a little too far out for me.)
I don't see "database owner" as an independent concept: if a database
owner is an otherwise ordinary user he only gets to change the
ordinary-user settings. You could invent a granularity between that, but
I'd like to see a pressing need first. That would get too complicated to
manage, I think.
So basically, I think the current five levels of PGC_* should cover 1 and
2 OK. Again, extensions are possible, but I don't see a need yet.
> 3. Where did a given setting of a variable come from? (wired-in
> default, postmaster command line, config file, backend options, SET
> command, soon to be augmented by per-DB and per-user table entries)
>
> My argument is that consideration 3 should only be used directly to
> determine which source wins when there is a conflict between different
> valid sources of a given value (where validity is determined by
> considerations 1 and 2).
OK, so what's the order:
1. run-time SET
2. per-user setting
3. per-database setting
4. backend options from client
5. postmaster command line
6. config file
7. wired-in default
Meaning, any setting if provided can only take effect if the previous
source of the setting had a higher number.
The given list represents the current state of affairs plus the
per-user/database settings inserted and the postmaster command line moved
from 6.5 to 5.
As for implementation, we could just insert an int field with these
numbers (or some macros) into the struct config_generic, and so the big
struct initializers in guc.c would all start out as 7. The
SetConfigOption code would simply need an extra comparison to check
whether it can proceed.
Another nice thing about this approach is that the current "bool
makeDefault" parameter, which decides whether to save the new setting as
default for RESET ALL, could be folded into "source > 1" (since
everything except SET establishes a session default).
> > If template1 is blocked or the user's settings are messed up, you have a
> > more fundamental problem, but it's not dissimilar to deleting all your
> > users. We have an escape hatch for that: Start a standalone backend.
> > (No options would be processed in that case.)
>
> Okay, if it's agreed that standalone backends ignore these settings then
> I think we can survive a screwup.
Maybe there should be an option to turn this on or off, depending on what
the default is. Not sure yet.
--
Peter Eisentraut peter_e@gmx.net
Peter Eisentraut <peter_e@gmx.net> writes:
> So basically, you have four useful combinations of these settings, which
> correspond to PGC_POSTMASTER, PGC_BACKEND, PGC_SIGHUP, and
> PGC_{SUSET,USERSET}.
Check.
> As for database-wide, I'm not sure how to interpret that. Does that mean,
> this parameter must be the same for all concurrent sessions on the same
> database? Is that something we ought to have?
Well, we haven't got it now, and I'm not sure whether there's anything
we'd really need it for. I was speculating that we might want it for
something to do with schema paths or some such ... but it's hard to see
why those couldn't be treated as per-backend. Certainly anything that
could be user-settable wouldn't be database-wide.
>> 2. From a security/privilege point of view, who should have the right to
>> change a given setting, and over what span of application?
> I don't see "database owner" as an independent concept:
Well, it is in terms of who gets to set the per-database GUC settings,
but I guess that doesn't directly relate to the privilege levels of the
individual settings.
> So basically, I think the current five levels of PGC_* should cover 1 and
> 2 OK. Again, extensions are possible, but I don't see a need yet.
Okay, we can live with that for now, until/unless we see a reason to
invent a level that has something to do with per-database settings.
> OK, so what's the order:
> 1. run-time SET
> 2. per-user setting
> 3. per-database setting
> 4. backend options from client
> 5. postmaster command line
> 6. config file
> 7. wired-in default
Not sure; shouldn't backend options from client supersede the settings
taken from tables? I'd be inclined to move up your #4 to between 1 and 2.
Otherwise this looks good.
> Meaning, any setting if provided can only take effect if the previous
> source of the setting had a higher number.
Same or higher number (to allow repeated SETs or config file changes).
> Another nice thing about this approach is that the current "bool
> makeDefault" parameter, which decides whether to save the new setting as
> default for RESET ALL, could be folded into "source > 1" (since
> everything except SET establishes a session default).
Right, I always felt that makeDefault was just a kluge to deal with one
of the deficiencies of the processing-order-sensitive implementation.
>> Okay, if it's agreed that standalone backends ignore these settings then
>> I think we can survive a screwup.
> Maybe there should be an option to turn this on or off, depending on what
> the default is. Not sure yet.
That makes a lot of sense. The standalone-backend environment is
already weird enough to make it mistake-prone; not loading your normal
settings would only make it more so. I'd vote for having standalone
backends load your normal settings by default, but offer a command-line
switch to suppress that behavior; people would only use the switch if
their settings were too broken to load.
regards, tom lane
test. Sorry. Tom Lane wrote: > Peter Eisentraut <peter_e@gmx.net> writes: > > I think it's desirable and fully intentional. How else would you override > > command-line args without restarting the server? > > I say you wouldn't. If it's on the command line then it overrides > postgresql.conf for that run of the postmaster; full stop, no "if"s. > If you wanted it to be changeable within-run by postgresql.conf then you > should have edited postgresql.conf to start with. > > As the implementation currently works, applying a setting via the > command line is entirely unsafe unless you then back it up with fixing > the value in postgresql.conf; otherwise an unrelated change to > postgresql.conf, perhaps much later, blows the command-line setting > out of the water. You might as well eliminate command-line settings > entirely, if they have to be accompanied by a matching change in > postgresql.conf in order to work reliably. > > IMHO the only reason we haven't gotten squawks about this is that > (a) the majority of uses of command-line arguments are for options > that can't be changed after postmaster start anyway (-i, -p, -B, -N); > (b) since the factory-default postgresql.conf has all settings commented > out, it doesn't actually cause reversions to happen at SIGHUP. > > If any significant number of people were actually being exposed to the > current behavior, we'd be getting complaints; lots of 'em. At the > moment it's only a corner case because of considerations (a) and (b), > so few people have had it happen to them. > > > but in my mind, if you're using command-line arguments > > in permanent setups, you're not trying hard enough. > > You're essentially saying that command-line arguments are only useful > for prototyping changes that you intend to make in postgresql.conf > immediately thereafter. Again, why have we got a command-line option > facility at all? Might as well make the change in postgresql.conf > to begin with, if that's the viewpoint. > > regards, tom lane > > ---------------------------(end of broadcast)--------------------------- > TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org > -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 853-3000+ If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania19026