Re: Possibility to disable `ALTER SYSTEM`

On Wed, Mar 27, 2024 at 5:17 PM Bruce Momjian <bruce(at)momjian(dot)us> wrote:

> On Thu, Mar 28, 2024 at 12:43:29AM +0100, Jelte Fennema-Nio wrote:
> > + <varlistentry id="guc-allow-alter-system"
> xreflabel="allow_alter_system">
> > + <term><varname>allow_alter_system</varname> (<type>boolean</type>)
> > + <indexterm>
> > + <primary><varname>allow_alter_system</varname> configuration
> parameter</primary>
> > + </indexterm>
> > + </term>
> > + <listitem>
> > + <para>
> > + When <literal>allow_alter_system</literal> is set to
> > + <literal>off</literal>, an error is returned if the
> <command>ALTER
> > + SYSTEM</command> command is used. This parameter can only be
> set in
>
> "command is used." -> "command is issued." ?
>

"command is executed" seems even better. I'd take used over issued.

> > + the <filename>postgresql.conf</filename> file or on the server
> command
> > + line. The default value is <literal>on</literal>.
> > + </para>
> > +
> > + <para>
> > + Note that this setting cannot be regarded as a security
> feature. It
>
> "setting cannot be regarded" -> "setting should not be regarded"
>

"setting must not be regarded" is the correct option here. Stronger than
should; we are unable to control whether someone can/does regard it
differently.

> > +
> > + <para>
> > + Turning this setting off is intended for environments where the
> > + configuration of <productname>PostgreSQL</productname> is
> managed by
> > + some outside mechanism.
> > + In such environments, a well intenioned superuser user might
> > + <emphasis>mistakenly</emphasis> use <command>ALTER
> SYSTEM</command>
> > + to change the configuration instead of using the outside
> mechanism.
> > + This might even appear to update the configuration as intended,
> but
>
> "This might even appear to update" -> "This might temporarily update"
>

I strongly prefer temporarily over may/might/could.

>
> > + then might be discarded at some point in the future when that
> outside
>
> "that outside" -> "the outside"
>

Feel like "external" is a more context appropriate term here than "outside".

External also has precedent.
https://www.postgresql.org/docs/current/config-setting.html#CONFIG-INCLUDES
"External tools may also modify postgresql.auto.conf. It is not recommended
to do this while the server is running,"

That suggests using "external tools" instead of "outside mechanisms"

This section is also the main entry point for users into the configuration
subsystem and hasn't been updated to reflect this new feature. That seems
like an oversight that needs to be corrected.

> + </para>
> > +
> > + <para>
> > + This parameter only controls the use of <command>ALTER
> SYSTEM</command>.
> > + The settings stored in
> <filename>postgresql.auto.conf</filename> always
>
> "always" -> "still"
>

Neither qualifier is needed, nor does one seem clearly better than the
other. Always is true so the weaker "still" seems like the worse choice.

The following is a complete and clear sentence.

The settings stored in postgresql.auto.conf take effect even if
allow_alter_system is set to off.

> Should this paragraph be moved after or as part of the paragraph about
> modifying postgresql.auto.conf?
>
>
I like it by itself.

David J.