| From: | "Colin 't Hart" <colinthart(at)gmail(dot)com> |
|---|---|
| To: | PostgreSQL General <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Using pgAudit to audit interesting tables for all users except for batch user? |
| Date: | 2025-11-18 09:17:44 |
| Message-ID: | CAMon-aRf-XS+wVEnVvP58GtojYENywx+s9pUjwz5omADdLP1NA@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Hi,
One of my clients has some tables that contain sensitive data. These are
modified regularly by batch jobs, and then the data is transformed and
summary information appended to other tables (fairly typical datawarehouse).
For these sensitive tables they would like to add auditing of all activity
-- but not for the batch user as that would just blow up the logs, and we
should be able to adequately prevent access to the batch user.
Is there any way we can achieve this?
I tried using a role, registering that with
alter system set pgaudit.role = <auditrole>;
and doing
grant select,insert,update,delete
on <sensetivetable>
to <auditrole>;
After that all operations on that table ended up audited in the log, as
expected.
Then I did
alter user <batchuser> set pgaudit.log to 'none';
but after that operations when logged in as <batchuser> still ended up
being audited.
What am I missing?
Is what I'm trying even possible? Or is there another way to achieve our
requirements?
This issue https://github.com/issues/recent?issue=pgaudit%7Cpgaudit%7C73
seems to indicate that it's possible, but I'm struggling to understand how.
Thanks,
Colin
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Greg Sabino Mullane | 2025-11-18 15:10:46 | Re: Using pgAudit to audit interesting tables for all users except for batch user? |
| Previous Message | Bruce Momjian | 2025-11-18 03:07:30 | Re: postgres in swap space |