<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ownership on Tarragon</title><link>https://tarrragon.github.io/blog/tags/ownership/</link><description>Recent content in Ownership on Tarragon</description><generator>Hugo -- gohugo.io</generator><language>zh-TW</language><copyright>Tarragon (CC BY 4.0)</copyright><lastBuildDate>Fri, 22 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://tarrragon.github.io/blog/tags/ownership/index.xml" rel="self" type="application/rss+xml"/><item><title>Control Owner Pattern</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/control-owner-pattern/</link><pubDate>Thu, 30 Apr 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/control-owner-pattern/</guid><description>&lt;p>Control owner pattern 的責任是把高風險控制面固定到可執行角色。它讓 incident triage、vulnerability response 與 tabletop 演練都能快速判斷誰主責、誰協作、誰做決策。&lt;/p>
&lt;h2 id="支撐素材">支撐素材&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>素材&lt;/th>
 &lt;th>可支撐論點&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/okta-support-token-2023-identity-pressure/" data-link-title="Okta 2023 Support Token：身份支援流程壓力" data-link-desc="把 Okta 2023 support system incident 轉成身份供應鏈與支援流程的藍隊案例素材">Okta support token case&lt;/a>&lt;/td>
 &lt;td>support owner、identity owner 與 customer communication 需要共同協作&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/cisa-geoserver-2024-ir-coordination-pressure/" data-link-title="CISA GeoServer 2024：IR 協調壓力" data-link-desc="把 CISA GeoServer incident response lessons learned 轉成修補、EDR、IR plan 與第三方協調壓力素材">CISA GeoServer IR case&lt;/a>&lt;/td>
 &lt;td>IR plan 需要包含第三方支援與工具 access procedure&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/professional-sources/nist-sp-800-61r3-incident-response/" data-link-title="NIST SP 800-61r3：事故回應作為風險管理能力" data-link-desc="把 NIST SP 800-61r3 轉成藍隊事故回應與風險治理素材">NIST SP 800-61r3&lt;/a>&lt;/td>
 &lt;td>incident response 是跨治理、偵測、回應與復原的風險管理能力&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="欄位">欄位&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>欄位&lt;/th>
 &lt;th>責任&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>Control owner&lt;/td>
 &lt;td>對控制面結果負責&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Collaborator&lt;/td>
 &lt;td>提供資料、操作或驗證&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Decision maker&lt;/td>
 &lt;td>對風險接受、凍結或升級做決策&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Escalation path&lt;/td>
 &lt;td>定義分級上升與跨團隊接手路徑&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Exit condition&lt;/td>
 &lt;td>定義何時完成處置或轉入復盤&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="判讀訊號">判讀訊號&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>訊號&lt;/th>
 &lt;th>代表需求&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>同一事件在多個團隊間反覆轉手&lt;/td>
 &lt;td>需要明確 owner 與 collaborator&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>分級結果有人執行但沒有人決策&lt;/td>
 &lt;td>需要 decision maker 欄位&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>第三方支援需要臨時授權&lt;/td>
 &lt;td>需要預先定義 escalation path&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="適用邊界">適用邊界&lt;/h2>
&lt;p>此模式適合 identity、entrypoint、MFT、artifact 與 vulnerability response 這類跨團隊控制面。單一服務內部的小型修補可以使用較輕量的 owner 欄位。&lt;/p>
&lt;h2 id="下一步路由">下一步路由&lt;/h2>
&lt;ul>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/knowledge-cards/ownership/" data-link-title="Ownership" data-link-desc="說明 ownership 如何把問題、決策與交接責任固定到可執行角色">Ownership&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/incident-triage-loop/" data-link-title="7.B6 Incident Triage Loop" data-link-desc="把資安訊號轉成 triage、severity、owner、containment 與 evidence 的回應循環">7.B6 Incident Triage Loop&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/scenarios/identity-support-token-tabletop/" data-link-title="Identity Support Token Tabletop" data-link-desc="以支援流程與 session token 風險設計身份接管 tabletop 情境">Identity support token tabletop&lt;/a>&lt;/li>
&lt;/ul></description><content:encoded><![CDATA[<p>Control owner pattern 的責任是把高風險控制面固定到可執行角色。它讓 incident triage、vulnerability response 與 tabletop 演練都能快速判斷誰主責、誰協作、誰做決策。</p>
<h2 id="支撐素材">支撐素材</h2>
<table>
  <thead>
      <tr>
          <th>素材</th>
          <th>可支撐論點</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/materials/field-cases/okta-support-token-2023-identity-pressure/" data-link-title="Okta 2023 Support Token：身份支援流程壓力" data-link-desc="把 Okta 2023 support system incident 轉成身份供應鏈與支援流程的藍隊案例素材">Okta support token case</a></td>
          <td>support owner、identity owner 與 customer communication 需要共同協作</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/materials/field-cases/cisa-geoserver-2024-ir-coordination-pressure/" data-link-title="CISA GeoServer 2024：IR 協調壓力" data-link-desc="把 CISA GeoServer incident response lessons learned 轉成修補、EDR、IR plan 與第三方協調壓力素材">CISA GeoServer IR case</a></td>
          <td>IR plan 需要包含第三方支援與工具 access procedure</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/materials/professional-sources/nist-sp-800-61r3-incident-response/" data-link-title="NIST SP 800-61r3：事故回應作為風險管理能力" data-link-desc="把 NIST SP 800-61r3 轉成藍隊事故回應與風險治理素材">NIST SP 800-61r3</a></td>
          <td>incident response 是跨治理、偵測、回應與復原的風險管理能力</td>
      </tr>
  </tbody>
</table>
<h2 id="欄位">欄位</h2>
<table>
  <thead>
      <tr>
          <th>欄位</th>
          <th>責任</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Control owner</td>
          <td>對控制面結果負責</td>
      </tr>
      <tr>
          <td>Collaborator</td>
          <td>提供資料、操作或驗證</td>
      </tr>
      <tr>
          <td>Decision maker</td>
          <td>對風險接受、凍結或升級做決策</td>
      </tr>
      <tr>
          <td>Escalation path</td>
          <td>定義分級上升與跨團隊接手路徑</td>
      </tr>
      <tr>
          <td>Exit condition</td>
          <td>定義何時完成處置或轉入復盤</td>
      </tr>
  </tbody>
</table>
<h2 id="判讀訊號">判讀訊號</h2>
<table>
  <thead>
      <tr>
          <th>訊號</th>
          <th>代表需求</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>同一事件在多個團隊間反覆轉手</td>
          <td>需要明確 owner 與 collaborator</td>
      </tr>
      <tr>
          <td>分級結果有人執行但沒有人決策</td>
          <td>需要 decision maker 欄位</td>
      </tr>
      <tr>
          <td>第三方支援需要臨時授權</td>
          <td>需要預先定義 escalation path</td>
      </tr>
  </tbody>
</table>
<h2 id="適用邊界">適用邊界</h2>
<p>此模式適合 identity、entrypoint、MFT、artifact 與 vulnerability response 這類跨團隊控制面。單一服務內部的小型修補可以使用較輕量的 owner 欄位。</p>
<h2 id="下一步路由">下一步路由</h2>
<ul>
<li><a href="/blog/backend/knowledge-cards/ownership/" data-link-title="Ownership" data-link-desc="說明 ownership 如何把問題、決策與交接責任固定到可執行角色">Ownership</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/incident-triage-loop/" data-link-title="7.B6 Incident Triage Loop" data-link-desc="把資安訊號轉成 triage、severity、owner、containment 與 evidence 的回應循環">7.B6 Incident Triage Loop</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/materials/scenarios/identity-support-token-tabletop/" data-link-title="Identity Support Token Tabletop" data-link-desc="以支援流程與 session token 風險設計身份接管 tabletop 情境">Identity support token tabletop</a></li>
</ul>
]]></content:encoded></item><item><title>PostgreSQL Developer / DBA Responsibility Split</title><link>https://tarrragon.github.io/blog/backend/01-database/vendors/postgresql/developer-dba-responsibility-split/</link><pubDate>Fri, 22 May 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/01-database/vendors/postgresql/developer-dba-responsibility-split/</guid><description>&lt;p>PostgreSQL developer / DBA responsibility split 的核心責任是把資料庫決策拆成 application ownership、database operation 與 platform governance。PostgreSQL 功能深，事故常跨 query、schema、connection、backup、replication 與 capacity；若責任分工模糊，問題會在 release 與 incident 時放大。&lt;/p>
&lt;p>本文的判讀錨點是：developer 和 DBA 分工要讓每個決策有清楚 owner、evidence、review gate 與 rollback，而非把資料庫丟給某一方。&lt;/p>
&lt;h2 id="ownership-map">Ownership Map&lt;/h2>
&lt;p>Ownership map 的核心責任是定義誰能改什麼、誰要驗證什麼。&lt;/p>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>面向&lt;/th>
 &lt;th>Developer owner&lt;/th>
 &lt;th>DBA / platform owner&lt;/th>
 &lt;th>Shared gate&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>Schema design&lt;/td>
 &lt;td>domain model、constraint、query&lt;/td>
 &lt;td>naming、storage、partition、extension&lt;/td>
 &lt;td>migration review&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Query performance&lt;/td>
 &lt;td>repository SQL、query shape&lt;/td>
 &lt;td>index、planner、statistics、capacity&lt;/td>
 &lt;td>explain evidence&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Migration&lt;/td>
 &lt;td>app compatibility、rollback&lt;/td>
 &lt;td>lock impact、DDL strategy、PITR&lt;/td>
 &lt;td>release gate&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Connection&lt;/td>
 &lt;td>pool usage、transaction length&lt;/td>
 &lt;td>pooler、max connection、proxy&lt;/td>
 &lt;td>load test&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Backup / DR&lt;/td>
 &lt;td>restore smoke test&lt;/td>
 &lt;td>WAL archive、PITR、replica&lt;/td>
 &lt;td>restore drill&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Security&lt;/td>
 &lt;td>tenant / workflow intent&lt;/td>
 &lt;td>role、RLS、audit、grant&lt;/td>
 &lt;td>access review&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;p>這張表的重點是 shared gate。Developer 最懂產品語意，DBA / platform 最懂資料庫風險；正式變更需要兩邊的 evidence 合併。&lt;/p>
&lt;h2 id="schema-and-migration">Schema and Migration&lt;/h2>
&lt;p>Schema and migration 的核心責任是讓 application release 與 database change 同步。Developer 應提供 business invariant、compatibility window、read/write path；DBA / platform 應審查 lock、index build、table rewrite、replica lag 與 rollback。&lt;/p>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>Migration 類型&lt;/th>
 &lt;th>Developer evidence&lt;/th>
 &lt;th>DBA / platform evidence&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>Add nullable column&lt;/td>
 &lt;td>app read/write compatibility&lt;/td>
 &lt;td>DDL lock time、replica impact&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Add NOT NULL&lt;/td>
 &lt;td>backfill plan、default behavior&lt;/td>
 &lt;td>table rewrite / validation strategy&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Index build&lt;/td>
 &lt;td>query contract、expected selectivity&lt;/td>
 &lt;td>concurrent build、disk、bloat&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Partition change&lt;/td>
 &lt;td>routing logic、retention behavior&lt;/td>
 &lt;td>detach / attach、maintenance window&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Type change&lt;/td>
 &lt;td>serialization、API compatibility&lt;/td>
 &lt;td>cast risk、rewrite duration&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;p>Migration review 要從 failure mode 開始。若 migration 卡住，誰停止 rollout；若 backfill 造成 lag，誰降速；若 app 新舊版本同時存在，哪個 schema 能兼容兩者。&lt;/p>
&lt;h2 id="query-and-capacity">Query and Capacity&lt;/h2>
&lt;p>Query and capacity 的核心責任是把 query shape 和 database resource 對齊。Developer 負責避免 N+1、長交易、無界查詢與錯誤 pagination；DBA / platform 負責 index、statistics、vacuum、work_mem、connection 與 storage。&lt;/p></description><content:encoded><![CDATA[<p>PostgreSQL developer / DBA responsibility split 的核心責任是把資料庫決策拆成 application ownership、database operation 與 platform governance。PostgreSQL 功能深，事故常跨 query、schema、connection、backup、replication 與 capacity；若責任分工模糊，問題會在 release 與 incident 時放大。</p>
<p>本文的判讀錨點是：developer 和 DBA 分工要讓每個決策有清楚 owner、evidence、review gate 與 rollback，而非把資料庫丟給某一方。</p>
<h2 id="ownership-map">Ownership Map</h2>
<p>Ownership map 的核心責任是定義誰能改什麼、誰要驗證什麼。</p>
<table>
  <thead>
      <tr>
          <th>面向</th>
          <th>Developer owner</th>
          <th>DBA / platform owner</th>
          <th>Shared gate</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Schema design</td>
          <td>domain model、constraint、query</td>
          <td>naming、storage、partition、extension</td>
          <td>migration review</td>
      </tr>
      <tr>
          <td>Query performance</td>
          <td>repository SQL、query shape</td>
          <td>index、planner、statistics、capacity</td>
          <td>explain evidence</td>
      </tr>
      <tr>
          <td>Migration</td>
          <td>app compatibility、rollback</td>
          <td>lock impact、DDL strategy、PITR</td>
          <td>release gate</td>
      </tr>
      <tr>
          <td>Connection</td>
          <td>pool usage、transaction length</td>
          <td>pooler、max connection、proxy</td>
          <td>load test</td>
      </tr>
      <tr>
          <td>Backup / DR</td>
          <td>restore smoke test</td>
          <td>WAL archive、PITR、replica</td>
          <td>restore drill</td>
      </tr>
      <tr>
          <td>Security</td>
          <td>tenant / workflow intent</td>
          <td>role、RLS、audit、grant</td>
          <td>access review</td>
      </tr>
  </tbody>
</table>
<p>這張表的重點是 shared gate。Developer 最懂產品語意，DBA / platform 最懂資料庫風險；正式變更需要兩邊的 evidence 合併。</p>
<h2 id="schema-and-migration">Schema and Migration</h2>
<p>Schema and migration 的核心責任是讓 application release 與 database change 同步。Developer 應提供 business invariant、compatibility window、read/write path；DBA / platform 應審查 lock、index build、table rewrite、replica lag 與 rollback。</p>
<table>
  <thead>
      <tr>
          <th>Migration 類型</th>
          <th>Developer evidence</th>
          <th>DBA / platform evidence</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Add nullable column</td>
          <td>app read/write compatibility</td>
          <td>DDL lock time、replica impact</td>
      </tr>
      <tr>
          <td>Add NOT NULL</td>
          <td>backfill plan、default behavior</td>
          <td>table rewrite / validation strategy</td>
      </tr>
      <tr>
          <td>Index build</td>
          <td>query contract、expected selectivity</td>
          <td>concurrent build、disk、bloat</td>
      </tr>
      <tr>
          <td>Partition change</td>
          <td>routing logic、retention behavior</td>
          <td>detach / attach、maintenance window</td>
      </tr>
      <tr>
          <td>Type change</td>
          <td>serialization、API compatibility</td>
          <td>cast risk、rewrite duration</td>
      </tr>
  </tbody>
</table>
<p>Migration review 要從 failure mode 開始。若 migration 卡住，誰停止 rollout；若 backfill 造成 lag，誰降速；若 app 新舊版本同時存在，哪個 schema 能兼容兩者。</p>
<h2 id="query-and-capacity">Query and Capacity</h2>
<p>Query and capacity 的核心責任是把 query shape 和 database resource 對齊。Developer 負責避免 N+1、長交易、無界查詢與錯誤 pagination；DBA / platform 負責 index、statistics、vacuum、work_mem、connection 與 storage。</p>
<p>Query review 的最小 evidence：</p>
<ol>
<li>SQL text 或 repository method。</li>
<li>Expected cardinality 與資料量。</li>
<li><code>EXPLAIN</code> / <code>EXPLAIN ANALYZE</code> 結果。</li>
<li>Index 依賴與 fallback plan。</li>
<li>Timeout、pagination、transaction boundary。</li>
</ol>
<p>Capacity review 要把 query 放進 workload。單一 query 快不代表整體穩定；高頻 query、batch job、migration backfill、CDC consumer 都會共享 I/O、CPU、lock 與 WAL。</p>
<h2 id="incident-roles">Incident Roles</h2>
<p>Incident roles 的核心責任是讓資料庫事故有分工。Incident 發生時，developer 看 workflow、feature flag、traffic 與 recent deploy；DBA / platform 看 lock、replica、WAL、disk、pooler 與 backup。</p>
<table>
  <thead>
      <tr>
          <th>Incident</th>
          <th>Developer 第一反應</th>
          <th>DBA / platform 第一反應</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Lock storm</td>
          <td>暫停相關 workflow、停 rollout</td>
          <td>查 blocking PID、DDL、transaction</td>
      </tr>
      <tr>
          <td>Connection exhaustion</td>
          <td>降低 app concurrency、停 retry storm</td>
          <td>pooler queue、max connection、admin access</td>
      </tr>
      <tr>
          <td>Replica lag</td>
          <td>暫停 heavy write / backfill</td>
          <td>WAL sender、slot、standby apply</td>
      </tr>
      <tr>
          <td>Bad migration</td>
          <td>block release、保留 failed state</td>
          <td>restore point、rollback / PITR</td>
      </tr>
      <tr>
          <td>Slow query spike</td>
          <td>feature flag、query owner</td>
          <td>plan regression、statistics、index</td>
      </tr>
  </tbody>
</table>
<p>Incident command 要保留決策紀錄。資料庫事故常有高壓操作，例如 kill session、promote replica、drop slot、restore backup；每個操作都要記錄原因與回復路線。</p>
<h2 id="review-cadence">Review Cadence</h2>
<p>Review cadence 的核心責任是把資料庫品質納入日常。建議節奏如下：</p>
<table>
  <thead>
      <tr>
          <th>節奏</th>
          <th>Review 內容</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>每個 release</td>
          <td>migration diff、new query、role / grant</td>
      </tr>
      <tr>
          <td>每週</td>
          <td>slow query、lock wait、replica lag、pool</td>
      </tr>
      <tr>
          <td>每月</td>
          <td>backup restore drill、index bloat、vacuum</td>
      </tr>
      <tr>
          <td>每季</td>
          <td>DR drill、major version plan、extension review</td>
      </tr>
  </tbody>
</table>
<p>Review cadence 要跟服務風險對齊。高交易量或合規服務需要更短週期；內部工具可以更輕量，但仍要保留 backup / restore evidence。</p>
<h2 id="handoff-artifact">Handoff Artifact</h2>
<p>Handoff artifact 的核心責任是讓下一位維護者能接手。</p>
<p>最小內容：</p>
<ol>
<li>Database owner、application owner、platform owner。</li>
<li>Schema migration process 與 rollback route。</li>
<li>Query review checklist。</li>
<li>Connection / pooler policy。</li>
<li>Backup / PITR / DR evidence。</li>
<li>Security / role / audit owner。</li>
<li>Incident escalation route。</li>
</ol>
<p>這份 artifact 應連回 <a href="../">PostgreSQL overview</a>、<a href="../hands-on/schema-migration-evidence-lab/">Schema Migration Evidence Lab</a> 與 <a href="../hands-on/pitr-restore-drill/">PITR Restore Drill</a>。</p>
<h2 id="下一步路由">下一步路由</h2>
<p>責任分工建立後，migration gate 讀 <a href="../online-schema-change/">Online Schema Change</a>；連線責任讀 <a href="../connection-pooler-comparison/">Connection Pooler Comparison</a>；安全責任讀 <a href="../security-rls-audit-logging/">Security / RLS / Audit Logging</a>。</p>
]]></content:encoded></item></channel></rss>