Re: almost-super-user problems that we haven't fixed yet
Nathan Bossart <nathandbossart@gmail.com>
From: Nathan Bossart <nathandbossart@gmail.com>
To: Robert Haas <robertmhaas@gmail.com>
Cc: "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2023-01-18T00:15:23Z
Lists: pgsql-hackers
Attachments
On Tue, Jan 17, 2023 at 02:59:31PM -0500, Robert Haas wrote: > On Tue, Jan 17, 2023 at 1:42 PM Nathan Bossart <nathandbossart@gmail.com> wrote: >> If we create a new batch of reserved connections, only roles with >> privileges of pg_use_reserved_connections would be able to connect if the >> number of remaining slots is greater than superuser_reserved_connections >> but less than or equal to superuser_reserved_connections + >> reserved_connections. Only superusers would be able to connect if the >> number of remaining slots is less than or equal to >> superuser_reserved_connections. This helps avoid blocking new superuser >> connections even if you've reserved some connections for non-superusers. > > This is precisely what I had in mind. Great. Here is a first attempt at the patch. > I think the documentation will need some careful wordsmithing, > including adjustments to superuser_reserved_connections. We want to > recast superuser_reserved_connections as a final reserve to be touched > after even reserved_connections has been exhausted. I tried to do this, but there is probably still room for improvement, especially for the parts that discuss the relationship between max_connections, superuser_reserved_connections, and reserved_connections. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Improve several permission-related error messages.
- de4d456b406b 16.0 landed
-
Integrate superuser check into has_rolreplication()
- 442f8700656b 16.0 landed
-
Small code simplification
- 3b7cd8c690f2 16.0 landed
-
Adjust interaction of CREATEROLE with role properties.
- f1358ca52dd7 16.0 landed
-
Add new GUC reserved_connections.
- 6e2775e4d4e4 16.0 landed
-
Rename ReservedBackends variable to SuperuserReservedConnections.
- fe00fec1f5d7 16.0 landed
-
Update docs and error message for superuser_reserved_connections.
- 6c1d5ba48678 16.0 landed
-
Add new GUC createrole_self_grant.
- e5b8a4c098ad 16.0 cited
-
Restrict the privileges of CREATEROLE users.
- cf5eb37c5ee0 16.0 cited
-
Add a SET option to the GRANT command.
- 3d14e171e9e2 16.0 cited