From: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
---|---|
To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
Cc: | Greg Nancarrow <gregn4422(at)gmail(dot)com>, Ibrar Ahmed <ibrar(dot)ahmad(at)gmail(dot)com>, Konstantin Knizhnik <k(dot)knizhnik(at)postgrespro(dot)ru>, vignesh C <vignesh21(at)gmail(dot)com>, Ivan Panchenko <wao(at)mail(dot)ru>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Amit Kapila <amit(dot)kapila16(at)gmail(dot)com>, Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com> |
Subject: | Re: On login trigger: take three |
Date: | 2021-09-08 14:02:36 |
Message-ID: | CAFj8pRAwFnPQSOiP9b+rW_Mj5yE8sM-keYB_09DTtZz-8MyvBA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Hi
> + {"enable_client_connection_trigger", PGC_SU_BACKEND,
> DEVELOPER_OPTIONS,
> + gettext_noop("Enables the client_connection event
> trigger."),
> + gettext_noop("In case of errors in the ON
> client_connection EVENT TRIGGER procedure, "
> ..and..
> + /*
> + * Try to ignore error for superuser to make it possible to login
> even in case of errors
> + * during trigger execution
> + */
> + if (!is_superuser)
> + PG_RE_THROW();
> This patch adds two ways for superusers to bypass this event trigger in
> case of
> it being faulty, but for every other event trigger we've documented to
> restart
> in single-user mode and fixing it there. Why does this need to be
> different?
> This clearly has a bigger chance of being a footgun but I don't see that
> as a
> reason to add a GUC and a bypass that other footguns lack.
>
>
>
In the time when event triggers were introduced, managed services were not
too widely used like now. When we discussed this feature we thought about
environments when users have no superuser rights and have no possibility to
go to single mode.
Personally, I prefer to introduce some bypassing for event triggers instead
of removing bypass from login triggers.
Regards
Pavel
From | Date | Subject | |
---|---|---|---|
Next Message | Jaime Casanova | 2021-09-08 14:07:11 | Re: use AV worker items infrastructure for GIN pending list's cleanup |
Previous Message | Bharath Rupireddy | 2021-09-08 13:48:08 | pg_walinspect - a new extension to get raw WAL data and WAL stats |