On Wed, Nov 7, 2018 at 11:14 AM Tom Lane wrote:
> If people are okay with having rolconnlimit act
> differently from datconnlimit in this respect, then I'll withdraw
> my objection.
Since the rolconnlimit specifically and precisely targets the
superuser in a narrow manner it makes sense on its fa
Tomas Vondra wrote:
> On 11/7/18 5:19 PM, Tom Lane wrote:
> > I think this proposal boils down to asking for support for an
> > incredibly bad application design, and equipping every database with
> > an additional foot-gun in order to have that.
>
> I'm not sure about that. IMHO being able to res
On 11/7/18 10:49 AM, Robert Haas wrote:
On Wed, Nov 7, 2018 at 1:14 PM Tom Lane wrote:
I think that having superusers be immune to datconnlimit is actually
the right thing; for one reason, because datconnlimit can be set by
database owners, who should not be able to lock superusers out of
their
On Wed, Nov 7, 2018 at 1:14 PM Tom Lane wrote:
> I think that having superusers be immune to datconnlimit is actually
> the right thing; for one reason, because datconnlimit can be set by
> database owners, who should not be able to lock superusers out of
> their database.
Yeah, that's a reasonab
"David G. Johnston" writes:
> On the accept side, which I'm leaning toward, is that superuser is
> already constrained by max_connections and, in addition, the
> implications of setting this value are straight-forward and it obvious
> requires intent on the part of the user. Its not a "foot-gun"
On Wed, Nov 7, 2018 at 9:22 AM Robert Haas wrote:
>
> On Wed, Nov 7, 2018 at 11:19 AM Tom Lane wrote:
> > I'm not buying the argument that there are realistic use-cases where
> > you need a connection limit on a superuser role, either. Whatever
> > you're doing that might merit a connection limi
On 11/7/18 5:19 PM, Tom Lane wrote:
>
> ...
>
> I think this proposal boils down to asking for support for an
> incredibly bad application design, and equipping every database with
> an additional foot-gun in order to have that.
>
I'm not sure about that. IMHO being able to restrict the number
On Wed, Nov 7, 2018 at 11:19 AM Tom Lane wrote:
> > Like what?
>
> alter user postgres connection limit 0;
>
> ... oops ...
Sure. If you have no other superusers that's going to be sad.
Hopefully single-user mode lets you recover, though. And, anyway,
there are plenty of ways for a superuser to
Robert Haas writes:
> On Wed, Nov 7, 2018 at 9:45 AM Tom Lane wrote:
>> I'd vote against. I think there are way more cases where this would
>> create a problem than where it would fix one.
> Like what?
alter user postgres connection limit 0;
... oops ...
I'm not buying the argument that ther
On Wed, Nov 7, 2018 at 9:45 AM Tom Lane wrote:
> Robert Haas writes:
> > I don't think we should consider something that prevents you from
> > connecting to the database to be in the same category as something
> > that limits what you can do once you are connected. IOW, +1 to the
> > original pr
What about LOGIN option? It is a similar access restriction, but it works for
superuser.
=# create role nologin_role superuser nologin unencrypted password '1234';
CREATE ROLE
Time: 1.230 ms
~ $ psql postgres -U nologin_role -h localhost
Password for user nologin_role:
psql: FATAL: role "nologin
Robert Haas writes:
> I don't think we should consider something that prevents you from
> connecting to the database to be in the same category as something
> that limits what you can do once you are connected. IOW, +1 to the
> original proposal from me.
I'd vote against. I think there are way
On Wed, Nov 7, 2018 at 7:20 AM Andrey Borodin wrote:
> >These clauses determine whether the new role is a “superuser”, who can
> >override all access restrictions within the database.
> Do we consider connection limit "access restriction"? Superuser can avoid
> setting his connection limit if he
Hi!
> 7 нояб. 2018 г., в 11:48, Evgeniy Efimkin написал(а):
> It would be nice if ALTER USER ... WITH CONNECTION LIMIT will work for
> superuser. It would protect against connection leaks. e.g. we have two
> superusers, one of them reached connection limit but not max_connections, the
> other
14 matches
Mail list logo
