On Wed, Nov 7, 2018 at 11:14 AM Tom Lane wrote:
> If people are okay with having rolconnlimit act
> differently from datconnlimit in this respect, then I'll withdraw
> my objection.
Since the rolconnlimit specifically and precisely targets the
superuser in a narrow manner it makes sense on its fa
Tomas Vondra wrote:
> On 11/7/18 5:19 PM, Tom Lane wrote:
> > I think this proposal boils down to asking for support for an
> > incredibly bad application design, and equipping every database with
> > an additional foot-gun in order to have that.
>
> I'm not sure about that. IMHO being able to res
On 11/7/18 10:49 AM, Robert Haas wrote:
On Wed, Nov 7, 2018 at 1:14 PM Tom Lane wrote:
I think that having superusers be immune to datconnlimit is actually
the right thing; for one reason, because datconnlimit can be set by
database owners, who should not be able to lock superusers out of
their
On Wed, Nov 7, 2018 at 1:14 PM Tom Lane wrote:
> I think that having superusers be immune to datconnlimit is actually
> the right thing; for one reason, because datconnlimit can be set by
> database owners, who should not be able to lock superusers out of
> their database.
Yeah, that's a reasonab
"David G. Johnston" writes:
> On the accept side, which I'm leaning toward, is that superuser is
> already constrained by max_connections and, in addition, the
> implications of setting this value are straight-forward and it obvious
> requires intent on the part of the user. Its not a "foot-gun"
On Wed, Nov 7, 2018 at 9:22 AM Robert Haas wrote:
>
> On Wed, Nov 7, 2018 at 11:19 AM Tom Lane wrote:
> > I'm not buying the argument that there are realistic use-cases where
> > you need a connection limit on a superuser role, either. Whatever
> > you're doing that might merit a connection limi
On 11/7/18 5:19 PM, Tom Lane wrote:
>
> ...
>
> I think this proposal boils down to asking for support for an
> incredibly bad application design, and equipping every database with
> an additional foot-gun in order to have that.
>
I'm not sure about that. IMHO being able to restrict the number
On Wed, Nov 7, 2018 at 11:19 AM Tom Lane wrote:
> > Like what?
>
> alter user postgres connection limit 0;
>
> ... oops ...
Sure. If you have no other superusers that's going to be sad.
Hopefully single-user mode lets you recover, though. And, anyway,
there are plenty of ways for a superuser to
Robert Haas writes:
> On Wed, Nov 7, 2018 at 9:45 AM Tom Lane wrote:
>> I'd vote against. I think there are way more cases where this would
>> create a problem than where it would fix one.
> Like what?
alter user postgres connection limit 0;
... oops ...
I'm not buying the argument that ther
On Wed, Nov 7, 2018 at 9:45 AM Tom Lane wrote:
> Robert Haas writes:
> > I don't think we should consider something that prevents you from
> > connecting to the database to be in the same category as something
> > that limits what you can do once you are connected. IOW, +1 to the
> > original pr
What about LOGIN option? It is a similar access restriction, but it works for
superuser.
=# create role nologin_role superuser nologin unencrypted password '1234';
CREATE ROLE
Time: 1.230 ms
~ $ psql postgres -U nologin_role -h localhost
Password for user nologin_role:
psql: FATAL: role "nologin
Robert Haas writes:
> I don't think we should consider something that prevents you from
> connecting to the database to be in the same category as something
> that limits what you can do once you are connected. IOW, +1 to the
> original proposal from me.
I'd vote against. I think there are way
On Wed, Nov 7, 2018 at 7:20 AM Andrey Borodin wrote:
> >These clauses determine whether the new role is a “superuser”, who can
> >override all access restrictions within the database.
> Do we consider connection limit "access restriction"? Superuser can avoid
> setting his connection limit if he
Hi!
> 7 нояб. 2018 г., в 11:48, Evgeniy Efimkin написал(а):
> It would be nice if ALTER USER ... WITH CONNECTION LIMIT will work for
> superuser. It would protect against connection leaks. e.g. we have two
> superusers, one of them reached connection limit but not max_connections, the
> other
Connection limit doesn't work for superuser
Hi hackers!
It would be nice if ALTER USER ... WITH CONNECTION LIMIT will work for
superuser. It would protect against connection leaks. e.g. we have two
superusers, one of them reached connection limit but not max_connections, the
other is
15 matches
Mail list logo
