Re: Possibility to disable `ALTER SYSTEM`

Bruce Momjian <bruce@momjian.us>

From: Bruce Momjian <bruce@momjian.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Maciek Sakrejda <m.sakrejda@gmail.com>, Tom Lane <tgl@sss.pgh.pa.us>, Joel Jacobson <joel@compiler.org>, Andrew Dunstan <andrew@dunslane.net>, Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>, pgsql-hackers <pgsql-hackers@postgresql.org>, Magnus Hagander <magnus.hagander@redpill-linpro.com>, "daniel@yesql.se" <daniel@yesql.se>
Date: 2024-03-15T02:58:37Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Add allow_alter_system GUC.

  2. Rename COMPAT_OPTIONS_CLIENT to COMPAT_OPTIONS_OTHER.

  3. Remove support for version-0 calling conventions.

On Thu, Mar 14, 2024 at 07:43:15PM -0400, Robert Haas wrote:
> On Thu, Mar 14, 2024 at 5:15 PM Maciek Sakrejda <m.sakrejda@gmail.com> wrote:
> > It's not a security feature: it's a usability feature.
> >
> > It's a usability feature because, when Postgres configuration is
> > managed by an outside mechanism (e.g., as in a Kubernetes
> > environment), ALTER SYSTEM currently allows a superuser to make
> > changes that appear to work, but may be discarded at some point in the
> > future when that outside mechanism updates the config. They may also
> > be represented incorrectly in a management dashboard if that dashboard
> > is based on the values in the outside configuration mechanism, rather
> > than values directly from Postgres.
> >
> > In this case, the end user with access to Postgres superuser
> > privileges presumably also has access to the outside configuration
> > mechanism. The goal is not to prevent them from changing settings, but
> > to offer guard rails that prevent them from changing settings in a way
> > that will be unstable (revertible by a future update) or confusing
> > (not showing up in a management UI).
> >
> > There are challenges here in making sure this is _not_ seen as a
> > security feature. But I do think the feature itself is sensible and
> > worthwhile.
> 
> This is what I would have said if I'd tried to offer an explanation,
> except you said it better than I would have done.

I do think the docs need to clearly say this is not a security feature.
In fact, I wonder if the ALTER SYSTEM error message should explain the
GUC that is causing the failure.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Only you can decide what is important to you.