From: | Craig Ringer <ringerc(at)ringerc(dot)id(dot)au> |
---|---|
To: | "Gauthier, Dave" <dave(dot)gauthier(at)intel(dot)com> |
Cc: | "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Can I track DB connections through a generic acct on the basis of linux idsid |
Date: | 2011-11-01 04:35:26 |
Message-ID: | 4EAF770E.6090808@ringerc.id.au |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
On 01/11/11 09:23, Gauthier, Dave wrote:
>
> Is there a way to pass the info (idsid, app, site) to the perl/dbi
> connection string and get this info reported in the deamon runlog
> somehow?
>
In newer versions of Pg you can use the application ID field. It's still
likely going to be another network round-trip for the DBI driver to set
this behind the scenes, though.
> How about "raise notice"? Could that be made to work somehow?
>
Sure, but again you'll still have to send the data to the server, so you
might as well just INSERT it into a log table.
It sounds like you want to send some custom info as part of the initial
connection. Honestly, I wouldn't worry too much about this. If you
examine the connection setup using a protocol analyser like wireshark,
you're likely to see a bit of client/server chat between the server and
DBI driver already. Adding to this slightly shouldn't matter very much.
Try it and see how much impact it actually has.
> OK, having said all that, a completely different tact... There are
> 1468 potential users (idsids) out there that can query the DB. Does
> it make sense to create a DB user for each of those, giving them all
> the same access through a role or something, and then attacking the
> problem from that direction? Is 1468 impractical?
>
To me, it's more than you'd have to maintain them. Having server-side
user identity is great for when you're doing trigger-based auditing and
the like, but it can be a pain to keep up to date with other user info
elsewhere. Binding Pg to an LDAP directory or the like can help, but
isn't completely transparent and can be more hassle than it saves.
--
Craig Ringer
From | Date | Subject | |
---|---|---|---|
Next Message | Craig Ringer | 2011-11-01 04:41:37 | Re: |
Previous Message | Tom Lane | 2011-11-01 04:12:34 | Re: does reindex need exclusive table access? |