Re: Read-only connection mode for AI workflows.

On 17.03.26 15:05, Andrei Lepikhov wrote:
> On 17/3/26 14:52, Bruce Momjian wrote:
>> On Tue, Mar 17, 2026 at 11:04:25AM +0100, Andrei Lepikhov wrote:
>>> On 16/3/26 22:25, Bruce Momjian wrote:
>>>> On Mon, Mar 16, 2026 at 10:01:22PM +0100, Andrei Lepikhov wrote:
>>>>>> I do think the underlying problem of safely exposing databases to
>>>>>> automated agents is becoming increasingly common, so it seems like a
>>>>>> useful area to explore.
>>>>
>>>> I agree the need a read-only sessions is going to get more urgent with
>>>> MCP.  Why doesn't the community code have a read-only session option
>>>> that can't be changed?
>>>
>>> The pg_readonly project aims to answer this question: if it is easy and
>>> cheap to implement as an extension, why do we need to touch the core?
>>
>> I think it is a fundamental feature the database should have by default.
>>
>
> Why wasn’t read-only mode set up like this from the start? - I haven’t
> seen any other DBMSs, aside from SQLite, offer this kind of guarantee.
> If we want to move forward, it makes sense to use a session parameter
> and add backend code to prevent violations.
> Postgres architecture looks well-suited for this feature. However, the
> request is to block all backend changes, not just the usual XactReadOnly
> limitations, but also things like vacuum, etc (temporary tables?).
> Should we also consider cluster-wide restrictions?

Read-only mode is a transaction property, not an access control system.

If you want to control who can read what, there is an access control
system for that. If it's insufficient, let's enhance it. But let's
keep these things separate.