From: | Bharath Rupireddy <bharath(dot)rupireddyforpostgres(at)gmail(dot)com> |
---|---|
To: | Andres Freund <andres(at)anarazel(dot)de> |
Cc: | sirisha chamarthi <sirichamarthi22(at)gmail(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org |
Subject: | Re: Proposal: Allow user with pg_monitor role to call pg_stat_reset* functions |
Date: | 2022-11-22 05:43:22 |
Message-ID: | CALj2ACXa_yS35U2nNVMk89iMQC8m=WTH-Rbbnspmo7jKKzVyng@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Tue, Nov 22, 2022 at 2:15 AM Andres Freund <andres(at)anarazel(dot)de> wrote:
>
> Hi,
>
> On 2022-11-21 00:16:20 -0800, sirisha chamarthi wrote:
> > At present, calling pg_stat_reset* functions requires super user access
> > unless explicitly grant execute permission on those. In this thread, I am
> > proposing to grant execute on them to users with pg_monitor role
> > permissions. This comes handy to the monitoring users (part of pg_monitor
> > role) to capture the stats fresh and analyze. Do you see any concerns with
> > this approach?
>
> I think the common assumption is that a monitoring role cannot modify
> the system, but this would change that. Normally a monitoring tool
> should be able to figure out what changed in stats by comparing values
> across time, rather than resetting stats.
+1.
A bit more info: AFAICS, there's no explicit if (!superuser()) {
error;} checks in any of pg_stat_reset* functions, which means, one
can still grant execute permissions on them to anyone (any predefined
roles, non-superusers or other superusers) via a superuser outside of
postgres, if that's the use case [1] [2]. That's the flexibility
postgres provides for some of the system functions but not all. Most
of the extension functions and some core functions pg_nextoid,
pg_stop_making_pinned_objects, pg_rotate_logfile,
pg_import_system_collations, pg_cancel_backend, pg_terminate_backend,
pg_read_file still have such explicit if (!superuser()) { error;}
checks. I'm not sure if it's the right time to remove such explicit
checks and move to explicit GRANT-REVOKE system.
FWIW, here's a recent commit f0b051e322d530a340e62f2ae16d99acdbcb3d05.
[1]
--
-- The default permissions for functions mean that anyone can execute them.
-- A number of functions shouldn't be executable by just anyone, but rather
-- than use explicit 'superuser()' checks in those functions, we use the GRANT
-- system to REVOKE access to those functions at initdb time. Administrators
-- can later change who can access these functions, or leave them as only
-- available to superuser / cluster owner, if they choose.
--
[2]
postgres=# create role foo with nosuperuser;
CREATE ROLE
postgres=# set role foo;
SET
postgres=> select pg_stat_reset();
ERROR: permission denied for function pg_stat_reset
postgres=> reset role;
RESET
postgres=# grant execute on function pg_stat_reset() to foo;
GRANT
postgres=# set role foo;
SET
postgres=> select pg_stat_reset();
pg_stat_reset
---------------
(1 row)
--
Bharath Rupireddy
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
From | Date | Subject | |
---|---|---|---|
Next Message | Bagga, Rishu | 2022-11-22 06:02:10 | Re: SLRUs in the main buffer pool - Page Header definitions |
Previous Message | Pavel Stehule | 2022-11-22 05:30:59 | Re: proposal: possibility to read dumped table's name from file |