| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Joshua Warburton <j(dot)warburton(at)irax(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Logging authentication requests with GSSAPI |
| Date: | 2014-04-30 12:49:29 |
| Message-ID: | 20140430124929.GE2556@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Joshua,
* Joshua Warburton (j(dot)warburton(at)irax(dot)com) wrote:
> I'm authenticating to postgres using GSSAPI and (for audit reasons)
> I need to be able to log the principle name that connects as well as
> the username it is mapped to. Is there any way I can get postgres to
> log this without cranking up the log level for everything?
Not easily, I don't think. The Kerberos logs should be able to tell you
every postgres/HOST(at)REALM ticket which is issued and while that's not
great it's at least something.
Another option is to just use the full princ *as* the PG username, which
works fine but can be a bit annoying when you're trying to GRANT
permissions, etc (I'd suggest using a lot of roles :).
Improving this has been one of those things that I've wanted to do for a
long time... Probably by just adding the "System Username" or similar
to the "connection authorized" log message. Would that work for your
need..?
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Bostock | 2014-04-30 13:06:17 | Ingres to Postgres migration |
| Previous Message | Joshua Warburton | 2014-04-30 12:00:25 | Logging authentication requests with GSSAPI |