Re: Read-only connection mode for AI workflows.
Pavel Stehule <pavel.stehule@gmail.com>
From: Pavel Stehule <pavel.stehule@gmail.com>
To: Andrei Lepikhov <lepihov@gmail.com>
Cc: Jack Bonatakis <jack@bonatak.is>,
pgsql-hackers <pgsql-hackers@postgresql.org>, Bruce Momjian <bruce.momjian@enterprisedb.com>,
Andres Freund <andres@anarazel.de>
Date: 2026-03-19T07:53:13Z
Lists: pgsql-hackers
Hi čt 19. 3. 2026 v 8:44 odesílatel Andrei Lepikhov <lepihov@gmail.com> napsal: > On 16/3/26 22:01, Andrei Lepikhov wrote: > > On 16/3/26 20:28, Jack Bonatakis wrote: > >> On Mon, Mar 16, 2026, at 2:08 PM, Andrei Lepikhov wrote: > >>> I believe the pg_readonly [1] extension does what you're looking for, > so > >>> you might want to give it a try. > >> Please correct me if I am mistaken, but it looks like pg_readonly > >> operates at the database or cluster level. > > Take a look at the [1] project. It's a simpler version of [2] that > always switches to read-only mode. > To use it, just have your connection pooler load the 'safesession' > module. This will keep the session in read-only mode until it ends. > There are no GUCs, and there is no way to change the mode, even for a > superuser. Does this seem safe enough? > > We could improve it by restricting manual calls to specific utility > operations, such as VACUUM or REINDEX. However, we would need some > specifications first. > It doesn't cover possibility to set GUC by set_config function Regards Pavel > [1] https://github.com/danolivo/safesession/ > [2] https://github.com/pierreforstmann/pg_readonly > > -- > regards, Andrei Lepikhov, > pgEdge > > >