Re: ALTER SYSTEM vs symlink

Stephen Frost <sfrost(at)snowman(dot)net> writes:
> * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
>> Well, mumble --- the subtext I thought I was hearing from Stephen was
>> that he'd not give his DBAs write access on postgresql.conf either.
>> But yes, pushing people away from ALTER SYSTEM and towards manual editing
>> of postgresql.conf would be a foolish way of "improving safety".

> This is all very environment specific. Changes to postgresql.conf, in
> many environments, go through a serious of tests before being deployed
> by a CM system. How do we accomplish the same kind of tests before
> deploying a change with ALTER SYSTEM? We provide no mechanism to do
> that today.

Sure, so if you have such a process, you tell your DBAs not to use ALTER
SYSTEM. End of problem --- or if it isn't end of problem, you have HR
issues that the database cannot fix for you.

The core point here is that if you're handing people superuser and
expecting that they can't possibly circumvent any training-wheel-type
restrictions you then put on that, you're wrong. In the end you'd
better trust that your DBAs know the process they're supposed to follow
and follow it.

It may be that, at some point in the future, we'll have this sliced and
diced fine enough that it's safe to allow some part of ALTER SYSTEM
functionality to be accessible to people you don't want to give full
superuser to. But there's no such thing as "partial superuser", and
personally I believe that it would be a tremendous waste of time to
try to build such a feature.

regards, tom lane