| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Josh Berkus <josh(at)agliodbs(dot)com> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: unite recovery.conf and postgresql.conf |
| Date: | 2011-09-20 17:30:28 |
| Message-ID: | 10748.1316539828@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Josh Berkus <josh(at)agliodbs(dot)com> writes:
> First, if we're going to change behavior, I assert that we should stop
> calling stuff "recovery" and either call it "replica" or "standby". Our
> use of the word "recovery" confuses users; it is historical in nature
> and requires an understanding of PostgreSQL internals to know why it's
> called that. It's also inconsistent with our use of the word "standby"
> everywhere else.
Are we all talking about the same thing? In my mind recovery.conf is
for configuring a point-in-time archive recovery run. It's got nothing
to do with either replication or standbys. Perhaps part of our problem
here is overloading that case with standby behavior.
> Second, I haven't seen a response to this:
> Do we want a trigger file to enable recovery, or one to *disable*
> recovery? Or both?
As far as the PITR scenario is concerned, only the former can possibly
make any sense; the latter would be downright dangerous.
>> There is a potential security hole if people hardcode passwords into
>> primary_conninfo. As long as we document not to do that, we're OK.
> Yeah, I'd almost be inclined to actively prohibit this, but that would
> draw user complaints. We'll have to be satisfied with a doc plus a comment.
I think that marking the GUC as "only readable by superuser" is a
sufficient fix.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2011-09-20 17:40:11 | Re: unite recovery.conf and postgresql.conf |
| Previous Message | Tom Lane | 2011-09-20 17:25:59 | Re: File not found error on creating collation |