Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitab93cd9

Browse files
committed
When we're restricting who can connect, don't allow new walsenders.
Normal superuser processes are allowed to connect even when the databasesystem is shutting down, or when fewer than superuser_reserved_connectionslots remain. This is intended to make sure an administrator can log inand troubleshoot, so don't extend these same courtesies to users connectingfor replication.
1 parent22da731 commitab93cd9

File tree

2 files changed

+35
-23
lines changed

2 files changed

+35
-23
lines changed

‎doc/src/sgml/config.sgml‎

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.269 2010/04/20 11:15:06 rhaas Exp $ -->
1+
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.270 2010/04/26 10:51:59 rhaas Exp $ -->
22

33
<chapter Id="runtime-config">
44
<title>Server Configuration</title>
@@ -401,7 +401,8 @@ SET ENABLE_SEQSCAN TO OFF;
401401
number of active concurrent connections is at least
402402
<varname>max_connections</> minus
403403
<varname>superuser_reserved_connections</varname>, new
404-
connections will be accepted only for superusers.
404+
connections will be accepted only for superusers, and no
405+
new replication connections will be accepted.
405406
</para>
406407

407408
<para>

‎src/backend/utils/init/postinit.c‎

Lines changed: 32 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
*
99
*
1010
* IDENTIFICATION
11-
* $PostgreSQL: pgsql/src/backend/utils/init/postinit.c,v 1.211 2010/04/21 00:51:57 tgl Exp $
11+
* $PostgreSQL: pgsql/src/backend/utils/init/postinit.c,v 1.212 2010/04/26 10:52:00 rhaas Exp $
1212
*
1313
*
1414
*-------------------------------------------------------------------------
@@ -617,6 +617,37 @@ InitPostgres(const char *in_dbname, Oid dboid, const char *username,
617617
am_superuser=superuser();
618618
}
619619

620+
/*
621+
* If we're trying to shut down, only superusers can connect, and
622+
* new replication connections are not allowed.
623+
*/
624+
if ((!am_superuser||am_walsender)&&
625+
MyProcPort!=NULL&&
626+
MyProcPort->canAcceptConnections==CAC_WAITBACKUP)
627+
{
628+
if (am_walsender)
629+
ereport(FATAL,
630+
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
631+
errmsg("new replication connections are not allowed during database shutdown")));
632+
else
633+
ereport(FATAL,
634+
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
635+
errmsg("must be superuser to connect during database shutdown")));
636+
}
637+
638+
/*
639+
* The last few connections slots are reserved for superusers.
640+
* Although replication connections currently require superuser
641+
* privileges, we don't allow them to consume the reserved slots,
642+
* which are intended for interactive use.
643+
*/
644+
if ((!am_superuser||am_walsender)&&
645+
ReservedBackends>0&&
646+
!HaveNFreeProcs(ReservedBackends))
647+
ereport(FATAL,
648+
(errcode(ERRCODE_TOO_MANY_CONNECTIONS),
649+
errmsg("remaining connection slots are reserved for non-replication superuser connections")));
650+
620651
/*
621652
* If walsender, we're done here --- we don't want to connect to any
622653
* particular database.
@@ -778,26 +809,6 @@ InitPostgres(const char *in_dbname, Oid dboid, const char *username,
778809
if (!bootstrap)
779810
CheckMyDatabase(dbname,am_superuser);
780811

781-
/*
782-
* If we're trying to shut down, only superusers can connect.
783-
*/
784-
if (!am_superuser&&
785-
MyProcPort!=NULL&&
786-
MyProcPort->canAcceptConnections==CAC_WAITBACKUP)
787-
ereport(FATAL,
788-
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
789-
errmsg("must be superuser to connect during database shutdown")));
790-
791-
/*
792-
* Check a normal user hasn't connected to a superuser reserved slot.
793-
*/
794-
if (!am_superuser&&
795-
ReservedBackends>0&&
796-
!HaveNFreeProcs(ReservedBackends))
797-
ereport(FATAL,
798-
(errcode(ERRCODE_TOO_MANY_CONNECTIONS),
799-
errmsg("connection limit exceeded for non-superusers")));
800-
801812
/*
802813
* Now process any command-line switches that were included in the startup
803814
* packet, if we are in a regular backend.We couldn't do this before

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp