Re: More detailed auth info

On Fri, Jan 21, 2011 at 10:14 AM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> On Fri, Jan 21, 2011 at 15:51, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>>> I came across a case this week where I wanted to be able to determine
>>> more detailed auth information on already logged in sessions - not
>>> from the client, but from the server. In this specific case, I wanted
>>> to examine the "is ssl" flag on the connection. But I can see other
>>> things being interesting, such as which user is on the other end (when
>>> pg_ident is in use), more detailed SSL information, full kerberos
>>> principal when kerberos in use etc.
>>
>>> I doubt this is common enough to want to stick it in pg_stat_activity
>>> though, but what do people think? And if not there, as a separate view
>>> or just as a function to call (e.g.
>>> pg_get_detailed_authinfo(<backendpid>))
>>
>> By and large, it's been thought to be a possible security hole to expose
>> such information, except possibly in the postmaster log.  I'm certainly
>> *not* in favor of creating a view for it.
>
> Well, it would obviously be superuser only.

What if the user's password is in their connection string?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company