Re: Unsafe GUCs and ALTER SYSTEM WAS: Re: ALTER SYSTEM SET

On Tue, Aug 6, 2013 at 09:24:47PM -0400, Greg Smith wrote:
> # ALTER SYSTEM SET shared_buffers = ‘8GB’ FORCE;
> NOTICE: Changing shared_buffers only takes effect after a server restart.
> ALTER SYSTEM
>
> Will bad examples pop up in the Internet that just use FORCE all the
> time? Sure they will, and people will cut and paste them without
> paying attention. I don't see why that possibility has to block
> this feature from being adopted though. That line of thinking leads
> toward removing trust authentication, because that's similarly
> abused with cut and paste tutorials.

We already have six levels of GUC settings:

postgresql.conf
user
database
session
function
subtransaction

If we add ALTER SYSTEM SET and config.d, we would then have eight.
ALTER SYSTEM SET seems to add an entirely new set of behaviors and
complexity. Is that really what we want?

If we do this, perhaps we should unconditionally just print the file
name they have to delete to undo the operation in case the server
doesn't start; I am unclear we can clearly identify all the GUC
settings that could cause a server not to start. Also, I think we need
a SHOW SYSTEM command so users can see their settings via SQL.

FYI, ALTER SYSTEM SET is hitting the same problems we would have if
pg_hba.conf were set in SQL and in flat files.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ It's impossible for everything to be true. +