Re: SYSTEM_USER reserved word implementation

Hi,

On 6/24/22 2:47 PM, Drouvot, Bertrand wrote:
>
> On 6/24/22 11:49 AM, Drouvot, Bertrand wrote:
>> Hi,
>>
>> On 6/23/22 10:06 AM, Drouvot, Bertrand wrote:
>>> Hi,
>>>
>>> On 6/22/22 5:35 PM, Jacob Champion wrote:
>>>> On Wed, Jun 22, 2022 at 8:10 AM Joe Conway <mail(at)joeconway(dot)com> wrote:
>>>>> On the contrary, I would argue that not having the identifier for the
>>>>> external "user" available is a security concern. Ideally you want
>>>>> to be
>>>>> able to trace actions inside Postgres to the actual user that
>>>>> invoked them.
>>>> If auditing is also the use case for SYSTEM_USER, you'll probably want
>>>> to review the arguments for making it available to parallel workers
>>>> that were made in the other thread [1].
>>>
>>> Thanks Jacob for your feedback.
>>>
>>> I did some testing initially around the parallel workers and did not
>>> see any issues at that time.
>>>
>>> I just had another look and I agree that the parallel workers case
>>> needs to be addressed.
>>>
>>> I'll have a closer look to what you have done in [1].
>>>
>>> Thanks
>>>
>>> Bertrand
>>>
>> Please find attached patch version 2.
>>
>> It does contain:
>>
>> - Tom's idea implementation (aka presenting the system_user as
>> auth_method:authn_id)
>>
>> - A fix for the parallel workers issue mentioned by Jacob. The patch
>> now propagates the SYSTEM_USER to the parallel workers.
>>
>> - Doc updates
>>
>> - Tap tests (some of them are coming from [1])
>>
>> Looking forward to your feedback,
>>
>> Thanks
>>
>> Bertrand
>
> FWIW here is a link to the commitfest entry:
> https://commitfest.postgresql.org/38/3703/
>
> Bertrand
>
Attached a tiny rebase to make the CF bot CompilerWarnings happy.

Bertrand