Re: Unsafe GUCs and ALTER SYSTEM WAS: Re: ALTER SYSTEM SET

From: Josh Berkus <josh(at)agliodbs(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Greg Stark <stark(at)mit(dot)edu>, Andres Freund <andres(at)2ndquadrant(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Fujii Masao <masao(dot)fujii(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Amit Kapila <amit(dot)kapila(at)huawei(dot)com>, Dimitri Fontaine <dimitri(at)2ndquadrant(dot)fr>, pgsql-hackers(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Subject: Re: Unsafe GUCs and ALTER SYSTEM WAS: Re: ALTER SYSTEM SET
Date: 2013-08-05 18:36:21
Message-ID: 51FFF0A5.4030005@agliodbs.com
Lists: pgsql-hackers

On 08/05/2013 11:28 AM, Stephen Frost wrote:
> * Josh Berkus (josh(at)agliodbs(dot)com) wrote:
>> Nope. ALTER SYSTEM, from my POV, is mainly for folks who *don't* use
>> Puppet/Chef/whatever.
>
> Ok, that's fine, but let's try to avoid making life difficult for those
> who *do* use puppet/chef/whatever. This capability runs a very high
> risk of that by allowing a DBA who *isn't* a sysadmin to go modifying
> things that depend on external-to-PG factors.

See thread "Disabling ALTER SYSTEM SET". In short, I agree with you.

>
>> Here's where I see ALTER SYSTEM being useful:
>>
>> * individually managed servers without centralized management (i.e. one
>> DBA, one server).
>> * developer machines (i.e. laptops and vms)
>
> The above strikes me as being already dealt with through pgAdmin and the
> 'admin pack', if the user wants a GUI to use for modifying these
> parameters (which seems like what they'd primarily get out of ALTER
> SYSTEM SET- pgAdmin, or whatever $gui wouldn't have to depend on the
> admin pack).

Except that forcing developers to install the admin pack and pgadmin to
get this functionality is a high barrier to entry exactly where we don't
want one.

>
>> * automated testing of tweaking performance parameters
>
> This sounds like you'd need tooling around it to make it work anyway,
> which could probably handle modifying a text file, but even if not,
> these parameters may be on the 'safe' list.

Well, frankly, it's the main reason why *I* want ALTER SYSTEM SET. It
makes my job writing automated testing scripts easier. Certainly it was
possible before, but there's value in "easier".

And that's the reason I don't want you to take away the ability to
modify shared_buffers et al. ;-)

On 08/05/2013 11:30 AM, Stefan Kaltenbrunner wrote:
> Nevertheless my main point is that people _WILL_ use this as a simple
> convenience tool not fully understanding all the complex implications,
> and in a few years from now running people with superuser by default
> (because people will create "cool little tools say to change stuff from
> my tray or using $IOS app" that have a little small comment "make sure
> to create the user "WITH SUPERUSER" and people will follow like lemmings.

Most of our users not on Heroku are running with superuser as the app
user now. Like, 95% of them based on my personal experience (because
our object permissions management sucks). In that this feature will
further discourage people from having a separate application user,
there's some argument. However, it's really an argument for not having
ALTER SYSTEM SET *at all* rather than restricting it to "safe" GUCs, no?

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com
