Date: Wed, 18 Mar 2026 10:26:26 -0400
From: Andres Freund
To: Peter Eisentraut
Cc: Andrei Lepikhov, Bruce Momjian, Jack Bonatakis, pgsql-hackers
Subject: Re: Read-only connection mode for AI workflows.

Hi,

On 2026-03-18 14:48:41 +0100, Peter Eisentraut wrote:
> On 17.03.26 15:05, Andrei Lepikhov wrote:
> > On 17/3/26 14:52, Bruce Momjian wrote:
> > > On Tue, Mar 17, 2026 at 11:04:25AM +0100, Andrei Lepikhov wrote:
> > > > On 16/3/26 22:25, Bruce Momjian wrote:
> > > > > On Mon, Mar 16, 2026 at 10:01:22PM +0100, Andrei Lepikhov wrote:
> > > > > > > I do think the underlying problem of safely exposing databases to
> > > > > > > automated agents is becoming increasingly common, so it seems like a
> > > > > > > useful area to explore.
> > > > >
> > > > > I agree the need a read-only sessions is going to get more urgent with
> > > > > MCP.  Why doesn't the community code have a read-only session option
> > > > > that can't be changed?
> > > >
> > > > The pg_readonly project aims to answer this question: if it is easy and
> > > > cheap to implement as an extension, why do we need to touch the core?
> > >
> > > I think it is a fundamental feature the database should have by default.
> > >
> >
> > Why wasn’t read-only mode set up like this from the start? - I haven’t
> > seen any other DBMSs, aside from SQLite, offer this kind of guarantee.
> > If we want to move forward, it makes sense to use a session parameter
> > and add backend code to prevent violations.
> > Postgres architecture looks well-suited for this feature. However, the
> > request is to block all backend changes, not just the usual XactReadOnly
> > limitations, but also things like vacuum, etc (temporary tables?).
> > Should we also consider cluster-wide restrictions?
>
> Read-only mode is a transaction property, not an access control system.
>
> If you want to control who can read what, there is an access control system
> for that. If it's insufficient, let's enhance it. But let's keep these
> things separate.

I don't agree that this need can be entirely addressed by access control.

Regardless of the AI angle it's quite useful to be able to put a server into
read only mode, e.g. in preparation for a planned failover where you can
continue to allow reads but don't want any more writes. Or in preparation for
a shutdown you want to prevent further writes (so the shutdown checkpoint is
quick), but you do want to allow further reads (to reduce the scope of the
downtime, by allowing reads while doing a CHECKPOINT before the actual
shutdown).

It doesn't make sense to implement stuff like that by changing all the access
controls of the system, because it'll often be a temporary thing. So you have
to figure out all the DDL to temporarily revoke permissions, have to somehow
wait till those changes have taken hold for everything, then you have to
figure out DDL to revert all those changes.

Greetings,

Andres