Re: ALTER SYSTEM SET command to change postgresql.conf parameters (RE: Proposal for Allow postgresql.conf values to be changed via SQL [review])

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Andres Freund <andres(at)2ndquadrant(dot)com>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Amit Kapila <amit(dot)kapila16(at)gmail(dot)com>, Martijn van Oosterhout <kleptog(at)svana(dot)org>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Dimitri Fontaine <dimitri(at)2ndquadrant(dot)fr>, Josh Berkus <josh(at)agliodbs(dot)com>, Fujii Masao <masao(dot)fujii(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: ALTER SYSTEM SET command to change postgresql.conf parameters (RE: Proposal for Allow postgresql.conf values to be changed via SQL [review])
Date: 2013-08-30 00:07:23
Message-ID: CAOuzzgpYF0xz4mzeJtQFi_yMJcg1uNU=URg3tF5yqtWW2zp-5w@mail.gmail.com
Lists: pgsql-hackers

On Thursday, August 29, 2013, Andres Freund wrote:
>
> To quote Robert two mails up:
>
> > Huh? The problem with adminpack is that it doesn't let you modify
> > individual configuration settings. All you can do is rewrite an
> > entire file.

That's clearly fixable.

> > I guess somebody could write a specialized client that
> > just uses that infrastructure to rewrite postgresql.conf. For all I
> > know, someone has. Even if not, I don't think that you can use that
> > to prove that people don't care about this feature. If nobody cares,
> > why are there 400 emails on this topic?!

Having 400 emails about it means it's contentious. That's quite different
from having a large demand. It does speak to the author's persistence as
well, but that shouldn't be a surprise.

> Also, doing it the adminpack way lacks even the most basic validity
> checks. And that's not really changeable.

I don't see why..? Admin pack could certainly be modified to take a
parameter and do appropriate verification before locking an object and
rewriting the file. It's what we're being expected to do in core, after
all. Indeed, we can't even do validity checks on all the options, which is
the crux of what I'm concerned about.

> Presumably one major reason why we don't have other|good GUIs is that
> it's ridiculously hard to make them work to an interesting extent with
> the current infrastructure.

Yet no one has tried to improve admin pack?

> If they give out superuser access it has to be to people who can follow
> rules. After all they don't DROP DATABASE; DELETE FROM pg_class; alter
> passwords; use adminpack (changing postgresql.conf..); ... All of which
> they can do.
>

This completely misses, or perhaps just ignores, the point. Disallowing
super user access can be difficult because there's a lot of *normal* DBA
activities which can't be easily done without it (like changing table
ownership or similar). The "createrole" option definitely improved things
but we aren't there yet. It's certainly easy to simply not install the
adminpack. The other concerns above are strawmen because they attack a
malicious DBA. I'm not talking about malicious DBAs but rather a generally
knowledgeable DBA who changed shared_buffers up too high and then leaves on
vacation, while the OPs guys need to do a database restart for whatever
reason and then discover it doesn't start.

I bring up these concerns because I have environments where I can see
exactly this happening and I have a hard time believing that I'm somehow
alone.

Thanks,

Stephen
