Re: Read-only connection mode for AI workflows.

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Andrei Lepikhov <[email protected]>
To: Jack Bonatakis <[email protected]>
To: pgsql-hackers <[email protected]>
To: Bruce Momjian <[email protected]>
To: Andres Freund <[email protected]>
Subject: Re: Read-only connection mode for AI workflows.
Date: Thu, 19 Mar 2026 08:44:15 +0100
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <CADsUR0B9bcJQKYHyUMnWcODGzF5+AdeToawULkkTKfrq32Z-8w@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<[email protected]>

On 16/3/26 22:01, Andrei Lepikhov wrote:
> On 16/3/26 20:28, Jack Bonatakis wrote:
>> On Mon, Mar 16, 2026, at 2:08 PM, Andrei Lepikhov wrote:
>>> I believe the pg_readonly [1] extension does what you're looking for, so
>>> you might want to give it a try.
>> Please correct me if I am mistaken, but it looks like pg_readonly 
>> operates at the database or cluster level. 

Take a look at the [1] project. It's a simpler version of [2] that 
always switches to read-only mode.
To use it, just have your connection pooler load the 'safesession' 
module. This will keep the session in read-only mode until it ends. 
There are no GUCs, and there is no way to change the mode, even for a 
superuser. Does this seem safe enough?

We could improve it by restricting manual calls to specific utility 
operations, such as VACUUM or REINDEX. However, we would need some 
specifications first.

[1] https://github.com/danolivo/safesession/
[2] https://github.com/pierreforstmann/pg_readonly

-- 
regards, Andrei Lepikhov,
pgEdge

view thread (20+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Read-only connection mode for AI workflows.
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox