| From: | Zhihong Yu <zyu(at)yugabyte(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | PostgreSQL Developers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: redacting password in SQL statement in server log |
| Date: | 2022-07-24 11:33:59 |
| Message-ID: | CALNJ-vRQB81F9Q9V+oDPsCTF-+0o_xR3=7_GAZfyg2sEaEfQJA@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Sat, Jul 23, 2022 at 5:27 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Zhihong Yu <zyu(at)yugabyte(dot)com> writes:
> > Currently, in situation such as duplicate role creation, the server log
> > would show something such as the following:
>
> > 2022-07-22 13:48:18.251 UTC [330] STATEMENT: CREATE ROLE test WITH LOGIN
> > PASSWORD 'foobar';
>
> > The password itself should be redacted before logging the statement.
>
> This has been proposed multiple times, and rejected multiple times,
> primarily because it offers only false security: you'll never cover
> all the cases. (The proposed patch manages to create a bunch of
> false positives to go along with its false negatives, too.)
>
> The only safe answer is to be sure to keep the server log contents
> secure. Please see prior discussions in the archives.
>
> regards, tom lane
>
Hi,
I am thinking of adding `if not exists` to `CREATE ROLE` statement:
CREATE ROLE trustworthy if not exists;
In my previous example, if the user can issue the above command, there
would be no SQL statement logged.
Do you think it is worth adding `if not exists` clause ?
Thanks
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Julien Rouhaud | 2022-07-24 11:44:49 | Re: redacting password in SQL statement in server log |
| Previous Message | Julien Rouhaud | 2022-07-24 11:12:52 | Re: Schema variables - new implementation for Postgres 15 |