| From: | Jacob Champion <pchampion(at)vmware(dot)com> |
|---|---|
| To: | "tgl(at)sss(dot)pgh(dot)pa(dot)us" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net> |
| Subject: | Re: Proposal: Save user's original authenticated identity for logging |
| Date: | 2021-01-30 00:10:59 |
| Message-ID: | c6474caf44f21188651a21f23045128816731e30.camel@vmware.com |
| Lists: | pgsql-hackers |

On Fri, 2021-01-29 at 18:40 -0500, Tom Lane wrote:
> Ah. So basically, this comes into play when you consider that some
> outside-the-database entity is your "real" authenticated identity.
> That seems reasonable when using Kerberos or the like, though it's
> not real meaningful for traditional password-type authentication.

Right.

> So, if we store this "real" identity, is there any security issue
> involved in exposing it to other users (via pg_stat_activity or
> whatever)?

I think that could be a concern for some, yeah. Besides being able to
get information on other logged-in users, the ability to connect an
authenticated identity to a username also gives you some insight into
the pg_hba configuration.

--Jacob