Robert, Tom, * Tom Lane (t...@sss.pgh.pa.us) wrote: > Robert Haas <robertmh...@gmail.com> writes: > > I would be willing to wager that a lot more people will hose their > > systems by avoiding ALTER SYSTEM than will do so by using it. > > Well, mumble --- the subtext I thought I was hearing from Stephen was > that he'd not give his DBAs write access on postgresql.conf either. > But yes, pushing people away from ALTER SYSTEM and towards manual editing > of postgresql.conf would be a foolish way of "improving safety".
This is all very environment specific. Changes to postgresql.conf, in many environments, go through a serious of tests before being deployed by a CM system. How do we accomplish the same kind of tests before deploying a change with ALTER SYSTEM? We provide no mechanism to do that today. What the whole ALTER SYSTEM discussion lacks is an appreciation of the good CM practices which exist in many environments. If I set up my CM correctly, then I deploy new changes to the system via puppet or chef only after those changes have been applied to the pre-production environments which have identical system configurations. Today, a helpful DBA may make changes in production that make later changes by the CM to postgresql.conf completely ineffective, leading to problems and possibly even failures. Suggesting that we get rid of superuser accounts or minimize them further than already done is ineffective because we simply don't have the fine grained controls which are needed to allow that. I'm hopeful that we'll get there and will continue to work towards it. Thanks! Stephen
Description: Digital signature