Re: Permission select pg_stat_replication

From: "Gilberto Castillo" <gilberto(dot)castillo(at)etecsa(dot)cu>
To: "Stephen Frost" <sfrost(at)snowman(dot)net>
Cc: "Gilberto Castillo" <gilberto(dot)castillo(at)etecsa(dot)cu>, jesse(dot)waters(at)gmail(dot)com, pgsql-admin(at)postgresql(dot)org
Subject: Re: Permission select pg_stat_replication
Date: 2015-03-31 14:47:45
Message-ID: 46016.192.168.207.54.1427813265.squirrel@webmail.etecsa.cu
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-admin pgsql-hackers

> Gilberto,
>
> * Gilberto Castillo (gilberto(dot)castillo(at)etecsa(dot)cu) wrote:
>> > * Gilberto Castillo (gilberto(dot)castillo(at)etecsa(dot)cu) wrote:
>> >> > * jesse(dot)waters(at)gmail(dot)com (jesse(dot)waters(at)gmail(dot)com) wrote:
>> >> >> Could someone tell me what permission is required to
>> >> >> select * from pg_stat_replication; ?
>> >> >
>> >> > Currently, you're required to have superuser rights.
>> >> >
>> >> >> I like to setup a monitor to query database with minimal
>> privileges
>> >> >> necessary.
>> >> >
>> >> > I agree 110% and am actively working to fix exactly this issue. I
>> >> hope
>> >> > to have a patch in the next day or so which will allow you to GRANT
>> >> > rights to such a monitor user which will allow that user to see all
>> >> the
>> >> > contents of pg_stat_replication.
>> >> >
>> >> > One thing which would be really great is if you have time to test
>> with
>> >> > the patch I'm working up (it's against 9.5, but this is strictly
>> >> > functionality testing and should be just in in a dev/test
>> environment,
>> >> > I wouldn't suggest running 9.5 in production, of course!).
>> > [...]
>> >> SET SESSION AUTHORIZATION postgres;
>> >>
>> >> GRANT SELECT ON pg_stat_replication TO usuario1;
>> >
>> > This is (essentially) what I'm hoping to enable. Note that this won't
>> > do anything for you today as the view is already available to all
>> users
>> > on the system and it's actually the function underneath which is
>> > filtering the result set.
>>
>> ALTER DEFAULT PRIVILEGES FOR ROLE postgres GRANT SELECT ON VIEWS TO
>> usuario1;
>>
>> Nor does it work?
>
> No. Feel free to try, but there's an explicit check in the C code which
> is what the SQL-level function that's under the view is calling. In
> current 9.5/master, at least, it's at:
>
> src/backend/replication/walsender.c:2797
>
> if (!superuser())
> {
> /*
> * Only superusers can see details. Other users only get the
> pid
> * value to know it's a walsender, but no details.
> */
> MemSet(&nulls[1], true, PG_STAT_GET_WAL_SENDERS_COLS - 1);
> }
>

Thanks Stephen for you information.

Rgds,
Gilberto Castillo
La Habana, Cuba

Attachment Content-Type Size
unknown_filename text/plain 179 bytes

In response to

Responses

Browse pgsql-admin by date

  From Date Subject
Next Message Gilberto Castillo 2015-03-31 15:59:11 Re: Catalog permissions
Previous Message Gilberto Castillo 2015-03-31 14:42:06 Re: Permission select pg_stat_replication

Browse pgsql-hackers by date

  From Date Subject
Next Message David Fetter 2015-03-31 15:10:37 Re: Bug fix for missing years in make_date()
Previous Message Gilberto Castillo 2015-03-31 14:42:06 Re: Permission select pg_stat_replication