| From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
|---|---|
| To: | Michael Paquier <michael(at)paquier(dot)xyz> |
| Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: restrict pg_stat_ssl to superuser? |
| Date: | 2019-02-21 18:56:31 |
| Message-ID: | 6f3b99c1-39df-857d-32ce-22c41beaff51@2ndquadrant.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 2019-02-21 09:11, Michael Paquier wrote:
> On Wed, Feb 20, 2019 at 11:51:08AM +0100, Peter Eisentraut wrote:
>> So here is a patch doing it the "normal" way of nulling out all the rows
>> the user shouldn't see.
>
> That looks fine to me.
Committed, thanks.
>> I haven't found any documentation of these access restrictions in the
>> context of pg_stat_activity. Is there something that I'm not seeing or
>> something that should be added?
>
> Yes, there is nothing. I agree that it would be good to mention that
> some fields are set to NULL and only visible to superusers or members of
> pg_read_all_stats with a note for pg_stat_activity and
> pg_stat_get_activity(). Here is an idea:
> "Backend and SSL information are restricted to superusers and members
> of the <literal>pg_read_all_stats</literal> role. Access may be
> granted to others using <command>GRANT</command>.
>
> Getting that back-patched would be nice where pg_read_all_stats was
> introduced.
I added something. I don't know if it's worth backpatching. This
situation goes back all the way to when pg_stat_activity was added.
pg_read_all_stats does have documentation, it's just not linked from
everywhere.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Gilles Darold | 2019-02-21 19:16:27 | Re: [patch] Add schema total size to psql \dn+ |
| Previous Message | Paul Ramsey | 2019-02-21 18:50:36 | Re: Compressed TOAST Slicing |