Commit cd3413ec authored by Tom Lane's avatar Tom Lane

Disable event triggers in standalone mode.

Per discussion, this seems necessary to allow recovery from broken event
triggers, or broken indexes on pg_event_trigger.

Dimitri Fontaine
parent b19e4250
...@@ -108,7 +108,14 @@ CREATE EVENT TRIGGER <replaceable class="PARAMETER">name</replaceable> ...@@ -108,7 +108,14 @@ CREATE EVENT TRIGGER <replaceable class="PARAMETER">name</replaceable>
<title>Notes</title> <title>Notes</title>
<para> <para>
To create a trigger on a event, the user must be superuser. Only superusers can create event triggers.
</para>
<para>
Event triggers are disabled in single-user mode (see <xref
linkend="app-postgres">). If an erroneous event trigger disables the
database so much that you can't even drop the trigger, restart in
single-user mode and you'll be able to do that.
</para> </para>
</refsect1> </refsect1>
...@@ -116,7 +123,7 @@ CREATE EVENT TRIGGER <replaceable class="PARAMETER">name</replaceable> ...@@ -116,7 +123,7 @@ CREATE EVENT TRIGGER <replaceable class="PARAMETER">name</replaceable>
<title>Examples</title> <title>Examples</title>
<para> <para>
Forbid the execution of any <link linkend="ddl">ddl</link> command: Forbid the execution of any <link linkend="ddl">DDL</link> command:
<programlisting> <programlisting>
CREATE OR REPLACE FUNCTION abort_any_command() CREATE OR REPLACE FUNCTION abort_any_command()
......
...@@ -566,6 +566,25 @@ EventTriggerDDLCommandStart(Node *parsetree) ...@@ -566,6 +566,25 @@ EventTriggerDDLCommandStart(Node *parsetree)
const char *tag; const char *tag;
EventTriggerData trigdata; EventTriggerData trigdata;
/*
* Event Triggers are completely disabled in standalone mode. There are
* (at least) two reasons for this:
*
* 1. A sufficiently broken event trigger might not only render the
* database unusable, but prevent disabling itself to fix the situation.
* In this scenario, restarting in standalone mode provides an escape
* hatch.
*
* 2. BuildEventTriggerCache relies on systable_beginscan_ordered, and
* therefore will malfunction if pg_event_trigger's indexes are damaged.
* To allow recovery from a damaged index, we need some operating mode
* wherein event triggers are disabled. (Or we could implement
* heapscan-and-sort logic for that case, but having disaster recovery
* scenarios depend on code that's otherwise untested isn't appetizing.)
*/
if (!IsUnderPostmaster)
return;
/* /*
* We want the list of command tags for which this procedure is actually * We want the list of command tags for which this procedure is actually
* invoked to match up exactly with the list that CREATE EVENT TRIGGER * invoked to match up exactly with the list that CREATE EVENT TRIGGER
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment