From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Jacob Champion <pchampion(at)vmware(dot)com> |
Cc: | "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Proposal: Save user's original authenticated identity for logging |
Date: | 2021-01-29 23:40:34 |
Message-ID: | 2832058.1611963634@sss.pgh.pa.us |
Lists: | pgsql-hackers |

Jacob Champion <pchampion(at)vmware(dot)com> writes:
> On Fri, 2021-01-29 at 17:30 -0500, Tom Lane wrote:
>> What happens if ALTER USER RENAME is done while the session is still
>> alive?

> IMO the authenticated identity should be write-once. Especially since
> one of my goals is to have greater auditability into events as they've
> actually happened. So ALTER USER RENAME should have no effect.

> This also doesn't really affect third-party auth methods. If I'm bound
> as pchampion(at)EXAMPLE(dot)COM and a superuser changes my username to tlane,
> you _definitely_ don't want to see my authenticated identity change to
> tlane(at)EXAMPLE(dot)COM. That's not who I am.

Ah. So basically, this comes into play when you consider that some
outside-the-database entity is your "real" authenticated identity.
That seems reasonable when using Kerberos or the like, though it's
not real meaningful for traditional password-type authentication.
I'd misunderstood your point before.

So, if we store this "real" identity, is there any security issue
involved in exposing it to other users (via pg_stat_activity or
whatever)?

I remain concerned about the cost and inconvenience of exposing
it via log_line_prefix, but at least that shouldn't be visible
to anyone who's not entitled to know who's logged in ...

regards, tom lane