Re: ALTER SYSTEM vs symlink

Robert, Tom,

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> > I would be willing to wager that a lot more people will hose their
> > systems by avoiding ALTER SYSTEM than will do so by using it.
>
> Well, mumble --- the subtext I thought I was hearing from Stephen was
> that he'd not give his DBAs write access on postgresql.conf either.
> But yes, pushing people away from ALTER SYSTEM and towards manual editing
> of postgresql.conf would be a foolish way of "improving safety".

This is all very environment specific. Changes to postgresql.conf, in
many environments, go through a serious of tests before being deployed
by a CM system. How do we accomplish the same kind of tests before
deploying a change with ALTER SYSTEM? We provide no mechanism to do
that today.

What the whole ALTER SYSTEM discussion lacks is an appreciation of the
good CM practices which exist in many environments. If I set up my CM
correctly, then I deploy new changes to the system via puppet or chef
only after those changes have been applied to the pre-production
environments which have identical system configurations. Today, a
helpful DBA may make changes in production that make later changes by
the CM to postgresql.conf completely ineffective, leading to problems
and possibly even failures.

Suggesting that we get rid of superuser accounts or minimize them
further than already done is ineffective because we simply don't have
the fine grained controls which are needed to allow that. I'm hopeful
that we'll get there and will continue to work towards it.

Thanks!

Stephen