| From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Josh Berkus <josh(at)agliodbs(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter_e(at)gmx(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Information of pg_stat_ssl visible to all users |
| Date: | 2015-07-08 00:08:49 |
| Message-ID: | CAB7nPqSQqhoLwt2xyOzuQkCws1--q56uk5bK_8Ryu3w3WZxubw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Jul 8, 2015 at 3:29 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> * Josh Berkus (josh(at)agliodbs(dot)com) wrote:
>> On 07/07/2015 09:06 AM, Magnus Hagander wrote:
>> >
>> > To make it accessible to monitoring systems that don't run as superuser
>> > (which should be most monitoring systems, but we have other cases making
>> > that hard as has already been mentioned upthread).
>> >
>> > I'm having a hard time trying to figure out a consensus in this thread.
>> > I think there are slightly more arguments for limiting the access though.
>> >
>> > The question then is, if we want to hide everything, do we care about
>> > doing the "NULL dance", or should we just throw an error for
>> > non-superusers trying to access it?
>>
>> I'm going to vote against blocking the entire view for non-superusers.
>> One of the things people will want to monitor is "are all connection
>> from subnet X using SSL?" which is most easily answered by joining
>> pg_stat_activity and pg_stat_ssl.
>>
>> If we force users to use superuser privs to find this out, then we're
>> encouraging them to run monitoring as superuser, which is something we
>> want to get *away* from.
>
> I agree with all of this, but I'm worried that if we make it available
> now then we may not be able to hide it later, even once we have the
> monitoring role defined, because of backwards compatibility concerns.
>
> If we aren't worried about that, then perhaps we can leave it less
> strict for 9.5 and then make it stricter for 9.6.
Agreed. It is better to make things strict first and relax afterwards
from the user prospective, so I would vote for something in this
direction. We could relax it with this monitoring ACL afterwards in
9.6, still what I think we are missing here are reactions from the
field, and I suspect that taking the most careful approach (hiding a
maximum of fields to non-authorized users) will pay better in the long
term. I am also suspecting that if we let it as-is cloud deployments
of Postgres (Heroku for example) are going to patch this view with ACL
checks.
--
Michael
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David Rowley | 2015-07-08 00:29:38 | Re: Performance improvement for joins where outer side is unique |
| Previous Message | Michael Paquier | 2015-07-08 00:00:27 | Re: Improving regression tests to check LOCK TABLE and table permissions |