Stephen Frost <sfr...@snowman.net> writes: > * Tom Lane (t...@sss.pgh.pa.us) wrote: >> Well, mumble --- the subtext I thought I was hearing from Stephen was >> that he'd not give his DBAs write access on postgresql.conf either. >> But yes, pushing people away from ALTER SYSTEM and towards manual editing >> of postgresql.conf would be a foolish way of "improving safety".
> This is all very environment specific. Changes to postgresql.conf, in > many environments, go through a serious of tests before being deployed > by a CM system. How do we accomplish the same kind of tests before > deploying a change with ALTER SYSTEM? We provide no mechanism to do > that today. Sure, so if you have such a process, you tell your DBAs not to use ALTER SYSTEM. End of problem --- or if it isn't end of problem, you have HR issues that the database cannot fix for you. The core point here is that if you're handing people superuser and expecting that they can't possibly circumvent any training-wheel-type restrictions you then put on that, you're wrong. In the end you'd better trust that your DBAs know the process they're supposed to follow and follow it. It may be that, at some point in the future, we'll have this sliced and diced fine enough that it's safe to allow some part of ALTER SYSTEM functionality to be accessible to people you don't want to give full superuser to. But there's no such thing as "partial superuser", and personally I believe that it would be a tremendous waste of time to try to build such a feature. regards, tom lane -- Sent via pgsql-hackers mailing list (email@example.com) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers