Re: pgaudit - an auditing extension for PostgreSQL

From: Abhijit Menon-Sen <ams(at)2ndQuadrant(dot)com>
To: Simon Riggs <simon(at)2ndQuadrant(dot)com>
Cc: Jaime Casanova <jaime(at)2ndquadrant(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, MauMau <maumau307(at)gmail(dot)com>, Fabrízio de Royes Mello <fabriziomello(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Fujii Masao <masao(dot)fujii(at)gmail(dot)com>, Ian Barwick <ian(at)2ndquadrant(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: pgaudit - an auditing extension for PostgreSQL
Date: 2014-12-27 08:47:29
Message-ID: 20141227084729.GA2271@toroid.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

At 2014-12-27 08:08:32 +0000, simon(at)2ndQuadrant(dot)com wrote:
>
> > what if i want to audit different things for different users?
>
> That is supported - you can provide a list of roles to be audit roles.

You can do that, but maybe it isn't quite enough to do what Jaime is
asking for. Not always, at least. Consider:

1. You want to audit select on foo by user jaime (only).
2. You want to audit update on bar by user simon (only).

So you do something like this:

pgaudit.roles = 'audit1, audit2'

grant select on foo to audit1;
grant update on bar to audit2;

Now if Jaime does select on foo or if Simon does update on bar, it'll be
logged. If user jaime does not have permission to do update on bar, and
if simon doesn't have permission to select on foo, everything is fine.

But there's no way to say *don't* audit select on foo by simon.

You could do something like "grant role audit1 to jaime" and then check
the audit-permissions of whichever audit role jaime is found at runtime
to inherit from. But in Stephen's original proposal, granting any audit
role to any user meant that everything they did would be logged.

-- Abhijit

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Noah Misch 2014-12-27 09:51:11 Re: Serialization exception : Who else was involved?
Previous Message Simon Riggs 2014-12-27 08:25:44 Re: pgaudit - an auditing extension for PostgreSQL