Re: On login trigger: take three
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Andres Freund <andres@anarazel.de>
Cc: a.sokolov@postgrespro.ru,
Tom Lane <tgl@sss.pgh.pa.us>,
Greg Nancarrow <gregn4422@gmail.com>,
Ivan Panchenko <wao@mail.ru>,
Teodor Sigaev <teodor@sigaev.ru>,
Ibrar Ahmed <ibrar.ahmad@gmail.com>,
vignesh C <vignesh21@gmail.com>,
Pavel Stehule <pavel.stehule@gmail.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>,
Amit Kapila <amit.kapila16@gmail.com>,
Masahiko Sawada <sawada.mshk@gmail.com>
Date: 2022-03-28T21:36:39Z
Lists: pgsql-hackers
> On 28 Mar 2022, at 23:31, Andres Freund <andres@anarazel.de> wrote: > > Hi, > > On 2022-03-28 23:27:56 +0200, Daniel Gustafsson wrote: >>> On 28 Mar 2022, at 19:10, Andres Freund <andres@anarazel.de> wrote: >>> On 2022-03-28 15:57:37 +0300, a.sokolov@postgrespro.ru wrote: >> >>>> + data initialization. It is vital that any event trigger using the >>>> + <literal>login</literal> event checks whether or not the database is in >>>> + recovery. >>>> >>>> Does any trigger really have to contain a pg_is_in_recovery() call? >>> >>> Not *any* trigger, just any trigger that writes. >> >> Thats correct, the docs should be updated with something like the below I >> reckon. >> >> It is vital that event trigger using the <literal>login</literal> event >> which has side-effects checks whether or not the database is in recovery to >> ensure they are not performing modifications to hot standby nodes. > > Maybe side-effects is a bit too general? Emitting a log message, rejecting a > login, setting some GUCs, etc are all side-effects too. Good point, it needs to say that modifications that cause WAL to be generated are prohibited, but in a more user-friendly readable way. Perhaps in a big red warning box. >>>> In this message >>>> (https://www.postgresql.org/message-id/20220312024652.lvgehszwke4hhove%40alap3.anarazel.de) >>>> it was only about triggers on hot standby, which run not read-only queries >>> >>> The problem precisely is that the login triggers run on hot standby nodes, and >>> that if they do writes, you can't login anymore. >> >> Do you think this potential foot-gun is scary enough to reject this patch? >> There are lots of creative ways to cause Nagios alerts from ones database, but >> this has the potential to do so with a small bug in userland code. Still, I >> kind of like the feature so I'm indecisive. > > It does seem like a huge footgun. But also kinda useful. So I'm really +-0. Looks like we are in agreement here. I'm going to go over it again and sleep on it some more before the deadline hits. -- Daniel Gustafsson https://vmware.com/
Commits
-
Fix some typos in event trigger docs
- 5fce30e77fe1 17.0 landed
-
Use heap_inplace_update() to unset pg_database.dathasloginevt
- 8be93177c46b 17.0 landed
-
Remove the flaky check in event_trigger_login regression test
- 4b885d01f967 17.0 landed
-
Fix instable 006_login_trigger.pl test
- 06be01eb266b 17.0 landed
-
Add support event triggers on authenticated login
- e83d1b0c40cc 17.0 landed
-
Add GUC for temporarily disabling event triggers
- 7750fefdb2b8 17.0 landed
-
Fix typo in reference to __FreeBSD__.
- e52f8b301ed5 16.0 cited
-
Restore robustness of TAP tests that wait for postmaster restart.
- f452aaf7d4a9 14.0 cited
-
Restore the portal-level snapshot after procedure COMMIT/ROLLBACK.
- 84f5c2908dad 14.0 cited