"David G. Johnston" <david.g.johnston@gmail.com> writes:
> On the accept side, which I'm leaning toward, is that superuser is
> already constrained by max_connections and, in addition, the
> implications of setting this value are straight-forward and it obvious
> requires intent on the part of the user. Its not a "foot-gun" in the
> sense that there are side-effects that the user isn't going to be
> aware of by having this feature in place - it does exactly what the
> label says it does.
That's a fair point, and certainly if we allow and enforce "alter
user postgres nologin" (which we do), it's odd to not enforce
connection limit. However, looking at the code, it's a little
clearer why it was done that way: it's for consistency with the
behavior of datconnlimit (per-database connection limits).
I think that having superusers be immune to datconnlimit is actually
the right thing; for one reason, because datconnlimit can be set by
database owners, who should not be able to lock superusers out of
their database. If people are okay with having rolconnlimit act
differently from datconnlimit in this respect, then I'll withdraw
my objection.
regards, tom lane