| From: | Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc> |
|---|---|
| To: | Josh Berkus <josh(at)agliodbs(dot)com> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Bruce Momjian <bruce(at)momjian(dot)us>, Greg Stark <stark(at)mit(dot)edu>, Andres Freund <andres(at)2ndquadrant(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Fujii Masao <masao(dot)fujii(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Amit Kapila <amit(dot)kapila(at)huawei(dot)com>, Dimitri Fontaine <dimitri(at)2ndquadrant(dot)fr>, pgsql-hackers(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Subject: | Re: Unsafe GUCs and ALTER SYSTEM WAS: Re: ALTER SYSTEM SET |
| Date: | 2013-08-05 18:30:11 |
| Message-ID: | 51FFEF33.4040702@kaltenbrunner.cc |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 08/05/2013 08:21 PM, Josh Berkus wrote:
> On 08/05/2013 11:14 AM, Stefan Kaltenbrunner wrote:
>> * in a few years from now people will just use superuser over the
>> network for almost all stuff "because its easy and I can click around in
>> $gui", having potential "unsafe" operations available over the network
>> will in turn cause a lot of actual downtime (in a lot of cases the
>> reason why people want remote management is because the don't have
>> physical/shell access - so if they break stuff they cannot fix)
>
> See thread "Disabling ALTER SYSTEM SET".
>
>> * for classic IaaS/SaaS/DBaaS the ALTER SYSTEM seems to be mostly
>> useless in the current form - because most of them will not or cannot
>> hand out flat out superuser (like if you run a managed service you might
>> want customers to be able to tweak some stuff but say not
>> archive/pitr/replication stuff because the responsibility for backups is
>> with the hosting company)
>
> 100% in agreement. If someone thought we were serving DBAAS with this,
> they haven't paid attention to the patch.
>
> However, there are other places where ALTER SYSTEM SET will be valuable.
> For example, for anyone who wants to implement an autotuning utility.
> For example, I'm writing a network utility which checks bgwriter stats
> and tries adjusting settings over the network to improve checkpoint
> issues. Not having to SSH configuration files into place (and make sure
> they're not overridden by other configuration files) would make writing
> that script a *lot* easier. Same thing with automated performance testing.
seems like an excessively narrow usecase to me - people doing that kind
of specific testing can easily do automation over ssh, and those are
very few vs. having to maintain a fairly complex piece of code in
postgresql core.
Nevertheless my main point is that people _WILL_ use this as a simple
convinience tool not fully understanding all the complex implications,
and in a few years from now running people with superuser by default
(because people will create "cool little tools say to change stuff from
my tray or using $IOS app" that have a little small comment "make sure
to create the user "WITH SUPERUSER" and people will follow like lemmings.
Stefan
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Fujii Masao | 2013-08-05 18:32:27 | Re: comment for "fast promote" |
| Previous Message | Stephen Frost | 2013-08-05 18:28:44 | Re: Unsafe GUCs and ALTER SYSTEM WAS: Re: ALTER SYSTEM SET |