Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w4jJR-002UxB-2M for pgsql-hackers@arkaria.postgresql.org; Mon, 23 Mar 2026 17:43:37 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1w4jJQ-001Y68-0T for pgsql-hackers@arkaria.postgresql.org; Mon, 23 Mar 2026 17:43:36 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w4jJP-001Y5z-2m for pgsql-hackers@lists.postgresql.org; Mon, 23 Mar 2026 17:43:36 +0000 Received: from momjian.us ([72.94.173.45]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1w4jJO-00000000f0V-0nYU for pgsql-hackers@postgresql.org; Mon, 23 Mar 2026 17:43:35 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=momjian.us; s=2026010100; h=In-Reply-To:Content-Transfer-Encoding:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-ID:Content-Description; bh=xtBX9xYYaQIFi9RD462lwQEqLqQAcTo60bMDdpTEe8Y=; b=m1JDYBHRGf+BsxEAd0JXp6ikLm 3Gd3N7C8CAkmR0KZhnOG1pTWZ7ErBJHasM9zKxX+tlNn6Jcj3bW3KEM+rDcy3EaoRJsj3X0Hzm+mp MdTSzZMx56T/CNfqYB5571/CfktyVbHUVQFXHnn9FeT4KMTpEZ+JX6hfOThwGy0/Prm7+9TDEYvf4 UT4ecaWP8XJJ3D8MuYhCJIuC7/KWFYyJZrk6z/+zq6c5dGB1ij7vWHatugHjIIcgHd9aLZGjWhIcS NCyscVxDP976IS1mE9/PRlrwt31n93N3h5zElqojovXnX1FLJaVqueaHbcZHtjsIL5wgAsOxDotZr CPigGgGA==; Received: from bruce by momjian.us with local (Exim 4.98.2) (envelope-from ) id 1w4jJM-0000000EDIf-038q; Mon, 23 Mar 2026 13:43:32 -0400 Date: Mon, 23 Mar 2026 13:43:31 -0400 From: Bruce Momjian To: Isaac Morland Cc: Jelte Fennema-Nio , Greg Sabino Mullane , Peter Eisentraut , Andrei Lepikhov , Jack Bonatakis , pgsql-hackers , Andres Freund Subject: Re: Read-only connection mode for AI workflows. Message-ID: References: <64f1c69a-ceff-4b17-8298-58f255d075fc@gmail.com> <7f6e0ff9-05e9-4664-9c71-d9dd744362b9@gmail.com> <138cfd8c-b305-4303-9700-bc53ff4fb926@eisentraut.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, Mar 23, 2026 at 07:04:18AM -0400, Isaac Morland wrote: > On Mon, 23 Mar 2026 at 05:10, Jelte Fennema-Nio wrote: > > On Fri, 20 Mar 2026 at 13:33, Greg Sabino Mullane > wrote: > > I'm a +1 to the cluster-wide change, and a -1 to the per-connection idea > that started this thread, because I still don't see the need for it when we > have an existing roles/permissions system that gets the job done. You want > your untrusted agent to read from your database? Create a specific role for > that. If our existing per-role access controls are not sufficient, improve > them. > > I think they are insufficient for two reasons: > 1. Afaik there's no simple way to take an existing role and create a > new role from it that only has the read permissions of the original > role. Especially if you want those permissions to stay in sync between > the roles. > > > I don't think it's possible even in principle. As soon as the supposedly > read-only role calls a security definer function, the session is no longer > operating with the permissions of the supposedly read-only role. > > I think what is wanted is, in effect, very close to the ability to pretend that > one is connected to a replica rather than the primary, What is requested > already exists in a sense through the use of replication, but only at the > entire instance level, not one session. In other words, what you suggest below, > although it might be interesting to think about whether there are any other > settings that would be useful to lock down in this fashion: > > > I think the best way to address this thread is to have a way to "lock" > settings down, like discussed in this thread[1]. Then a user could > simply run the sql to lock down the transaction_read_only and get a > read-only connection that it could give to the LLM. So, we have two possible features here. First, cluster-wide read-only mode, at least read-only from the client perspective, not necessarily preventing WAL or vacuum. Second, using per-user permissions does sound like the right level of control for read-only sessions, and I am not too worried about having to create the user and set permissions --- seems reasonable. I do question if the user is read-only enough, e.g., should they be able to create temp tables and call security-definer functions. At this point we have assumed any defined user should have a minimum amount of trust, but with MCP, we have to assume the user has no trust but read-only access, and I don't know if our user permission system is limiting enough for such use cases. -- Bruce Momjian https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.