Re: almost-super-user problems that we haven't fixed yet

On Tue, Jan 17, 2023 at 02:59:31PM -0500, Robert Haas wrote:
> On Tue, Jan 17, 2023 at 1:42 PM Nathan Bossart <nathandbossart(at)gmail(dot)com> wrote:
>> If we create a new batch of reserved connections, only roles with
>> privileges of pg_use_reserved_connections would be able to connect if the
>> number of remaining slots is greater than superuser_reserved_connections
>> but less than or equal to superuser_reserved_connections +
>> reserved_connections. Only superusers would be able to connect if the
>> number of remaining slots is less than or equal to
>> superuser_reserved_connections. This helps avoid blocking new superuser
>> connections even if you've reserved some connections for non-superusers.
>
> This is precisely what I had in mind.

Great. Here is a first attempt at the patch.

> I think the documentation will need some careful wordsmithing,
> including adjustments to superuser_reserved_connections. We want to
> recast superuser_reserved_connections as a final reserve to be touched
> after even reserved_connections has been exhausted.

I tried to do this, but there is probably still room for improvement,
especially for the parts that discuss the relationship between
max_connections, superuser_reserved_connections, and reserved_connections.

--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com