Thread: Reserving GUC prefixes from a non-preloaded DB extension is not always enforced

Hi all,

I am an extension developer. I use `MarkGUCPrefixReserved` to reserve GUC prefixes, which my extension uses to help avoid accidentally misspelled config-file entries.

However, since the reservation happens in `_PG_init()` and `_PG_init()` is not called until the first use of an API exposed by my extension, misspelled config-file entries that get executed before the extension is loaded will not throw an error.

SET lantern.haha = 1; -- succeeds, since lantern extension is not loaded

SELECT ARRAY[1] <-> ARRAY[1]; -- uses a lantern API, so extension binary is loaded
-- The line above does warn about removing the configuration parameter above
-- WARNING:  invalid configuration parameter name "lantern.haha", removing it
-- DETAIL:  "lantern" is now a reserved prefix.

SET lantern.haha = 1; -- now this throws an error
-- ERROR:  invalid configuration parameter name "lantern.haha"
-- DETAIL:  "lantern" is a reserved prefix.

I think, ideally, the last error should be thrown in the first SET execution as well.

I'd expect GUC variables reserved by an extension to live more permanently in Postgres catalogs (e.g., in pg_settings). So, even when the extension binary is not loaded, Postgres would know which prefixes are reserved and which GUC settings must be allowed (similar to how Postgres knows in pg_extension which extensions are enabled, even when the corresponding extension binary has not been loaded).

1. Would you consider the proposed behavior an improvement?
2. If so, do you have thoughts on how to implement it?

Thanks!
Narek Galstyan
--

Narek Galstyan <narekg@berkeley.edu> writes:
> I am an extension developer. I use `MarkGUCPrefixReserved` to reserve GUC
> prefixes, which my extension uses to help avoid accidentally misspelled
> config-file entries.

> However, since the reservation happens in `_PG_init()` and `_PG_init()` is
> not called until the first use of an API exposed by my extension,
> misspelled config-file entries that get executed before the extension is
> loaded will not throw an error.

No, but a warning will be reported when the extension does get loaded.

This seems in line to me with the general behavior of
extension-defined GUCs: we cannot know anything about whether a value
stored in the config file is sane until we have loaded the extension
that defines the GUC's data type, allowed range, etc.

> I'd expect GUC variables reserved by an extension to live more permanently
> in Postgres catalogs (e.g., in pg_settings).

How would they get there?  What happens when the extension goes away?
How would such an approach emulate C-code-enforced restrictions,
that is checks made by a GUC check_hook?  What happens if different
databases in an installation have inconsistent catalog entries for
a GUC?  (You could eliminate such inconsistency by storing the data
in a shared catalog, perhaps, but that brings some other concerns.)

I don't really see the value for work expended here.

            regards, tom lane



On Thu, 2024-06-13 at 12:26 -0700, Narek Galstyan wrote:
> I am an extension developer. I use `MarkGUCPrefixReserved` to reserve GUC prefixes,
> which my extension uses to help avoid accidentally misspelled config-file entries.
>
> However, since the reservation happens in `_PG_init()` and `_PG_init()` is not
> called until the first use of an API exposed by my extension, misspelled config-file
> entries that get executed before the extension is loaded will not throw an error.
>
> I'd expect GUC variables reserved by an extension to live more permanently in
> Postgres catalogs (e.g., in pg_settings). 
> So, even when the extension binary is not loaded, Postgres would know which prefixes
> are reserved and which GUC settings must be allowed (similar to how Postgres knows
> in pg_extension which extensions are enabled, even when the corresponding extension
> binary has not been loaded).
>
> 1. Would you consider the proposed behavior an improvement?

Not really.

If I wanted to avoid that problem, I'd put the extension in "shared_preload_libraries",
so that _PG_init() is executed when the server starts.

Yours,
Laurenz Albe
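
A pre-deployment check for the gap discussed in this thread, as an added example that is not part of the original messages and is not PostgreSQL or extension code: it scans postgresql.conf text for entries under a reserved prefix that are not in a list of known parameter names, since the server only rejects those after the library has been loaded. The parameter name `lantern.example_setting`, the sample file and the function names are constructed for illustration.

```python
import re

# A custom (extension) parameter entry: prefix.name, then "=" or whitespace,
# then the value. Built-in parameters have no dot and are ignored here.
ENTRY = re.compile(r"^\s*([A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)+)\s*(?:=|\s)\s*(.*)$")

# Constructed sample input, not taken from any real installation.
SAMPLE_CONF = """\
shared_buffers = 128MB
lantern.example_setting = on      # known name (constructed)
Lantern.Example_Seting = on       # misspelled, names are case-insensitive
#lantern.haha = 1                 # commented out, ignored
lantern.haha = 1
search_path = 'a#b, lantern.x'    # '#' and the prefix inside a quoted value
"""

# Hypothetical list of the parameters the extension actually defines.
KNOWN_LANTERN_GUCS = {"lantern.example_setting"}


def strip_comment(line):
    """Drop a trailing # comment, ignoring any # inside a single-quoted value."""
    in_quote = False
    skip = False
    for i, ch in enumerate(line):
        if skip:                      # character after a backslash escape
            skip = False
        elif ch == "\\" and in_quote:
            skip = True
        elif ch == "'":               # '' inside a value toggles twice
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def unknown_reserved_entries(conf_text, prefix, known_names):
    """Return (line_no, name) for entries under `prefix` not in `known_names`."""
    known = {n.lower() for n in known_names}
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        m = ENTRY.match(strip_comment(raw))
        if not m:
            continue
        name = m.group(1).lower()
        if name.split(".", 1)[0] == prefix.lower() and name not in known:
            findings.append((line_no, name))
    return findings
```

The check does not follow `include` directives and does not see values set through `ALTER SYSTEM`, `ALTER ROLE`, `ALTER DATABASE` or a session-level `SET`.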