| From: | Greg Sabino Mullane <htamfids(at)gmail(dot)com> |
|---|---|
| To: | Sami Imseih <samimseih(at)gmail(dot)com> |
| Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Peter Eisentraut <peter(at)eisentraut(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Matheus Alcantara <matheusssilv97(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Redact user password on pg_stat_statements |
| Date: | 2025-02-25 16:26:03 |
| Message-ID: | CAKAnmmLyAMqSi0PUgOR4UsaF4xEkKWaqzS=GMOdbe6sDQecf4Q@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, Feb 25, 2025 at 10:12 AM Sami Imseih <samimseih(at)gmail(dot)com> wrote:
> > What about a more general solution, such as a flag to turn off logging
> of ALTER ROLE statements completely?
>
> IMO, flags for a specific type of utility statement seems way too much for
> pg_stat_statements, and this will also not completely prevent leaking plain
> text passwords from all ways that CREATE/ALTER ROLE could be run, i.e. DO
> blocks, inside functions/procs with track=all.
>
Well sure, but best effort is better than no effort at all. Preventing
CREATE/ALTER will catch 99% of items, and as I advocated, there really is
no reason for them to be in pg_stat_statements in the first place.
> The clients that set passwords could simply turn off track_utility on a
> user/transaction level while they are performing the action with
> sensitive data.
>
Good point, but that relies on the client to do the right thing, and
requires two extra steps.
Cheers,
Greg
--
Crunchy Data - https://www.crunchydata.com
Enterprise Postgres Software Products & Tech Support
| From | Date | Subject | |
|---|---|---|---|
| Next Message | James Hunter | 2025-02-25 16:30:17 | Re: Adjusting hash join memory limit to handle batch explosion |
| Previous Message | David Steele | 2025-02-25 16:25:40 | Re: Fix logging for invalid recovery timeline |