Re: Proposal: Save user's original authenticated identity for logging

Greetings,

* Jacob Champion (pchampion(at)vmware(dot)com) wrote:
> On Mon, 2021-02-01 at 17:01 -0500, Stephen Frost wrote:
> > * Jacob Champion (pchampion(at)vmware(dot)com) wrote:
> > > And I'm not holding
> > > my breath for LDAP servers to start implementing federated identity,
> > > though that would be nice.
> >
> > Not sure exactly what you're referring to here but AD already provides
> > Kerberos with cross-domain trusts (aka forests). The future is here..?
> > :)
>
> If the end user is actually using LDAP-on-top-of-AD, and comfortable
> administering the Kerberos-related pieces of AD so that their *nix
> servers and users can speak it instead, then sure. But I continue to
> hear about customers who don't fit into that mold. :D Enough that I
> have to keep an eye on the "pure" LDAP side of things, at least.

I suppose it's likely that I'll continue to run into people who are
horrified to learn that they've been using pass-the-password auth thanks
to using ldap.

> > > To double-check -- since giving this ability to the pg_read_all_stats
> > > role would expand its scope -- could that be dangerous for anyone?
> >
> > I don't agree that this really expands its scope- in fact, you'll see
> > that the GSSAPI and SSL user authentication information is already
> > allowed under HAS_PGSTAT_PERMISSIONS().
>
> Ah, so they are. :) I think that's the way to go, then.

Ok.. but what's 'go' mean here? We already have views and such for GSS
and SSL, is the idea to add another view for LDAP and add in columns
that are returned by pg_stat_get_activity() which are then pulled out by
that view? Or did you have something else in mind?

Thanks,

Stephen