| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Gilberto Castillo <gilberto(dot)castillo(at)etecsa(dot)cu> |
| Cc: | jesse(dot)waters(at)gmail(dot)com, pgsql-admin(at)postgresql(dot)org |
| Subject: | Re: Permission select pg_stat_replication |
| Date: | 2015-03-31 13:44:40 |
| Message-ID: | 20150331134440.GL3663@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin pgsql-hackers |
Gilberto,
* Gilberto Castillo (gilberto(dot)castillo(at)etecsa(dot)cu) wrote:
> > * Gilberto Castillo (gilberto(dot)castillo(at)etecsa(dot)cu) wrote:
> >> > * jesse(dot)waters(at)gmail(dot)com (jesse(dot)waters(at)gmail(dot)com) wrote:
> >> >> Could someone tell me what permission is required to
> >> >> select * from pg_stat_replication; ?
> >> >
> >> > Currently, you're required to have superuser rights.
> >> >
> >> >> I like to setup a monitor to query database with minimal privileges
> >> >> necessary.
> >> >
> >> > I agree 110% and am actively working to fix exactly this issue. I
> >> hope
> >> > to have a patch in the next day or so which will allow you to GRANT
> >> > rights to such a monitor user which will allow that user to see all
> >> the
> >> > contents of pg_stat_replication.
> >> >
> >> > One thing which would be really great is if you have time to test with
> >> > the patch I'm working up (it's against 9.5, but this is strictly
> >> > functionality testing and should be just in in a dev/test environment,
> >> > I wouldn't suggest running 9.5 in production, of course!).
> > [...]
> >> SET SESSION AUTHORIZATION postgres;
> >>
> >> GRANT SELECT ON pg_stat_replication TO usuario1;
> >
> > This is (essentially) what I'm hoping to enable. Note that this won't
> > do anything for you today as the view is already available to all users
> > on the system and it's actually the function underneath which is
> > filtering the result set.
>
> ALTER DEFAULT PRIVILEGES FOR ROLE postgres GRANT SELECT ON VIEWS TO
> usuario1;
>
> Nor does it work?
No. Feel free to try, but there's an explicit check in the C code which
is what the SQL-level function that's under the view is calling. In
current 9.5/master, at least, it's at:
src/backend/replication/walsender.c:2797
if (!superuser())
{
/*
* Only superusers can see details. Other users only get the pid
* value to know it's a walsender, but no details.
*/
MemSet(&nulls[1], true, PG_STAT_GET_WAL_SENDERS_COLS - 1);
}
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Gilberto Castillo | 2015-03-31 14:29:44 | Re: Permission select pg_stat_replication |
| Previous Message | Stephen Frost | 2015-03-31 13:31:30 | Re: Permission select pg_stat_replication |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Geoghegan | 2015-03-31 14:02:55 | Re: INSERT ... ON CONFLICT IGNORE (and UPDATE) 3.0 |
| Previous Message | Stephen Frost | 2015-03-31 13:31:30 | Re: Permission select pg_stat_replication |