| From: | David Steele <david(at)pgmasters(dot)net> |
|---|---|
| To: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org>, "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, Jim Nasby <Jim(dot)Nasby(at)bluetreble(dot)com> |
| Subject: | Re: PostgreSQL Audit Extension |
| Date: | 2016-02-19 16:20:13 |
| Message-ID: | 56C740BD.1050303@pgmasters.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 2/19/16 10:54 AM, Alvaro Herrera wrote:
> Bruce Momjian wrote:
>
>> Understood. My point is that there is a short list of read events, and
>> many DDL events. We have already hesitated to record DDL changes for
>> logical replication because of the code size, maintenance overhead, and
>> testing required.
>
> DDL is already captured using the event triggers mechanism (which is
> what it was invented for in the first place). The only thing we don't
> have is a hardcoded mechanism to transform it from C struct format to
> SQL language.
Since DDL event triggers only cover database-level DDL they miss a lot
that is very important to auditing, e.g. CREATE/ALTER/DROP ROLE,
GRANT/REVOKE, CREATE/ALTER/DROP DATABASE, etc.
I would like to see a general mechanism that allows event triggers,
logical replication, and audit to all get the information they need
without them being tied to each other directly.
--
-David
david(at)pgmasters(dot)net
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andres Freund | 2016-02-19 16:20:31 | Re: PostgreSQL Audit Extension |
| Previous Message | Evan Rempel | 2016-02-19 16:19:13 | Re: 9.5 new setting "cluster name" and logging |