| From: | Yeb Havinga <yebhavinga(at)gmail(dot)com> |
|---|---|
| To: | Jim Nasby <Jim(dot)Nasby(at)BlueTreble(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Abhijit Menon-Sen <ams(at)2ndquadrant(dot)com> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Simon Riggs <simon(at)2ndquadrant(dot)com>, MauMau <maumau307(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Fabrízio de Royes Mello <fabriziomello(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Fujii Masao <masao(dot)fujii(at)gmail(dot)com>, Ian Barwick <ian(at)2ndquadrant(dot)com> |
| Subject: | Re: pgaudit - an auditing extension for PostgreSQL |
| Date: | 2015-02-17 09:40:36 |
| Message-ID: | 54E30C94.7010804@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi list,
On 20/01/15 23:03, Jim Nasby wrote:> On 1/20/15 2:20 PM, Robert Haas wrote:
>> On Tue, Jan 20, 2015 at 1:05 AM, Abhijit
>> Menon-Sen<ams(at)2ndquadrant(dot)com> wrote:
>>> >So when I'm trying to decide what to audit, I have to:
>>> >
>>> > (a) check if the current user is mentioned in .roles; if so,
>>> audit.
>>> >
>>> > (b) check if the current user is a descendant of one of the roles
>>> > mentioned in .roles; if not, no audit.
>>> >
>>> > (c) check for permissions granted to the "root" role and see if
>>> that
>>> > tells us to audit.
>>> >
>>> >Is that right? If so, it would work fine. I don't look forward to
>>> trying
>>> >to explain it to people, but yes, it would work (for anything you could
>>> >grant permissions for).
>> I think this points to fundamental weakness in the idea of doing this
>> through the GRANT system. Some people are going want to audit
>> everything a particular user does, some people are going to want to
>> audit all access to particular objects, and some people will have more
>> complicated requirements. Some people will want to audit even
>> super-users, others especially super-users, others only non
>> super-users. None of this necessarily matches up to the usual
>> permissions framework.
>
> +1. In particular I'm very concerned with the idea of doing this via
> roles, because that would make it trivial for any superuser to disable
> auditing.
Rejecting the audit administration through the GRANT system, on the
grounds that it easy for the superuser to disable it, seems unreasonable
to me, since superusers are different from non-superusers in a
fundamental way.
The superuser operates on the administration level of the database, in
contrast with users that need access to the actual information in the
data to perform their job. An organization that wants to implement an
auditing strategy needs to think in different terms to audit
user/application level actions, and administrator/superuser actions.
Consequently it should be no surprise when PostgreSQL mechanisms for
auditing behave different for superusers vs non superusers.
The patch as it is, is targeted at auditing user/application level
access to the database, and as such it matches the use case of auditing
user actions.
Auditing superuser access means auditing beyond the running database.
The superuser can dump a table, and pipe this data everywhere outside of
the auditing domain. I cannot begin to imagine the kind of security
restrictions you'd need to audit what happens with data after libpq has
produced the results. My best guess would be to incorporate some kind of
separation of duty mechanism; only allow certain superuser operations
with two people involved.
regards,
Yeb Havinga
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Kyotaro HORIGUCHI | 2015-02-17 10:45:19 | Re: pg_basebackup may fail to send feedbacks. |
| Previous Message | happy times | 2015-02-17 09:40:14 | Re: restrict global access to be readonly |