From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: More detailed auth info |
Date: | 2011-01-21 15:32:15 |
Message-ID: | AANLkTinVn=sV_g-N-=_ZT3NnTGdBxFBCxm6whxT6UatO@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Fri, Jan 21, 2011 at 10:14 AM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> On Fri, Jan 21, 2011 at 15:51, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>>> I came across a case this week where I wanted to be able to determine
>>> more detailed auth information on already logged in sessions - not
>>> from the client, but from the server. In this specific case, I wanted
>>> to examine the "is ssl" flag on the connection. But I can see other
>>> things being interesting, such as which user is on the other end (when
>>> pg_ident is in use), more detailed SSL information, full kerberos
>>> principal when kerberos in use etc.
>>
>>> I doubt this is common enough to want to stick it in pg_stat_activity
>>> though, but what do people think? And if not there, as a separate view
>>> or just as a function to call (e.g.
>>> pg_get_detailed_authinfo(<backendpid>))
>>
>> By and large, it's been thought to be a possible security hole to expose
>> such information, except possibly in the postmaster log. I'm certainly
>> *not* in favor of creating a view for it.
>
> Well, it would obviously be superuser only.
What if the user's password is in their connection string?
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From | Date | Subject | |
---|---|---|---|
Next Message | Heikki Linnakangas | 2011-01-21 15:33:53 | Re: Sync Rep for 2011CF1 |
Previous Message | Tom Lane | 2011-01-21 15:32:01 | Re: SSI and Hot Standby |