Steve Baldwin <steve.baldwin@gmail.com> writes:
> Thanks Tom. The idle_in_transaction_session_timeout could work well, but it
> seems to be just a default that can be overridden by a user post-login (or
> am I missing something?).
It is that, but if you have an actively malicious user then you need to
keep them from issuing SQL directly at all. There are far too many ways
to cause effective denial-of-service, eg a single query that runs
"forever".
> I'm thinking of setting lock_timeout as part of
> the migration process so it will fail if it is unable to obtain a lock in a
> 'reasonable' amount of time. I wonder what other folks do?
If you'd rather fail the migration process, sure.
regards, tom lane