Re: unite recovery.conf and postgresql.conf
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Josh Berkus <josh@agliodbs.com>
Cc: pgsql-hackers@postgresql.org
Date: 2011-09-20T17:30:28Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Restructure error handling in reading of postgresql.conf.
- d56b3afc0376 9.2.0 cited
Josh Berkus <josh@agliodbs.com> writes: > First, if we're going to change behavior, I assert that we should stop > calling stuff "recovery" and either call it "replica" or "standby". Our > use of the word "recovery" confuses users; it is historical in nature > and requires an understanding of PostgreSQL internals to know why it's > called that. It's also inconsistent with our use of the word "standby" > everywhere else. Are we all talking about the same thing? In my mind recovery.conf is for configuring a point-in-time archive recovery run. It's got nothing to do with either replication or standbys. Perhaps part of our problem here is overloading that case with standby behavior. > Second, I haven't seen a response to this: > Do we want a trigger file to enable recovery, or one to *disable* > recovery? Or both? As far as the PITR scenario is concerned, only the former can possibly make any sense; the latter would be downright dangerous. >> There is a potential security hole if people hardcode passwords into >> primary_conninfo. As long as we document not to do that, we're OK. > Yeah, I'd almost be inclined to actively prohibit this, but that would > draw user complaints. We'll have to be satisfied with a doc plus a comment. I think that marking the GUC as "only readable by superuser" is a sufficient fix. regards, tom lane