From: | Andres Freund <andres(at)anarazel(dot)de> |
---|---|
To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Information of pg_stat_ssl visible to all users |
Date: | 2015-07-07 16:11:42 |
Message-ID: | 20150707161142.GE10242@alap3.anarazel.de |
Lists: | pgsql-hackers |
On 2015-07-07 12:03:36 -0400, Peter Eisentraut wrote:
> I think the DN is analogous to the remote user name, which we don't
> expose for any of the other authentication methods.

Huh?

    Datum
    pg_stat_get_activity(PG_FUNCTION_ARGS)
    {
        /* Values available to all callers */
        values[0] = ObjectIdGetDatum(beentry->st_databaseid);
        values[1] = Int32GetDatum(beentry->st_procpid);
        values[2] = ObjectIdGetDatum(beentry->st_userid);
    ...

Isn't that like, essentially, all of them? Sure, if you have an ident
mapping set up, then not, but I have a hard time seeing that as a
relevant use case.
> I think the default approach for security and authentication related
> information should be conservative, even if there is not a specific
> reason. Or to put it another way: What is the motivation for showing
> this information at all?
That we already show equivalent information and that hiding it from
another place will just be crufty and make monitoring setups more
complex.
Greetings,
Andres Freund