| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Matheus Alcantara <matheusssilv97(at)gmail(dot)com> |
| Cc: | PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Redact user password on pg_stat_statements |
| Date: | 2025-02-21 16:08:11 |
| Message-ID: | 3134386.1740154091@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Matheus Alcantara <matheusssilv97(at)gmail(dot)com> writes:
> Attached a patch to redact the password value from pg_stat_statements_view when
> executing:
> { CREATE|ALTER} {USER|ROLE|GROUP } identifier { [WITH] [ENCRYPTED]
> PASSWORD 'value' }
Please see previous threads about hiding this sort of information,
most recently [1]. It's a slippery slope for which there are no
real fixes, and even partial fixes like this one are horrid kluges.
One obvious objection to the direction you propose here is that it
does nothing for pg_stat_activity, nor for the server log if
log_statement is enabled.
The right answer is to never send cleartext passwords to the server
in the first place.
regards, tom lane
[1] https://www.postgresql.org/message-id/flat/18817-771682052a364bfe%40postgresql.org
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andres Freund | 2025-02-21 16:15:50 | Re: GetRelationPath() vs critical sections |
| Previous Message | Andrew Dunstan | 2025-02-21 16:04:49 | Re: TAP test started using meson, can get a tcp port already used by another test. |