Re: Proposal: Save user's original authenticated identity for logging
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Jacob Champion <pchampion@vmware.com>
Cc: "sfrost@snowman.net" <sfrost@snowman.net>,
"pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2021-01-29T23:40:34Z
Lists: pgsql-hackers
Jacob Champion <pchampion@vmware.com> writes: > On Fri, 2021-01-29 at 17:30 -0500, Tom Lane wrote: >> What happens if ALTER USER RENAME is done while the session is still >> alive? > IMO the authenticated identity should be write-once. Especially since > one of my goals is to have greater auditability into events as they've > actually happened. So ALTER USER RENAME should have no effect. > This also doesn't really affect third-party auth methods. If I'm bound > as pchampion@EXAMPLE.COM and a superuser changes my username to tlane, > you _definitely_ don't want to see my authenticated identity change to > tlane@EXAMPLE.COM. That's not who I am. Ah. So basically, this comes into play when you consider that some outside-the-database entity is your "real" authenticated identity. That seems reasonable when using Kerberos or the like, though it's not real meaningful for traditional password-type authentication. I'd misunderstood your point before. So, if we store this "real" identity, is there any security issue involved in exposing it to other users (via pg_stat_activity or whatever)? I remain concerned about the cost and inconvenience of exposing it via log_line_prefix, but at least that shouldn't be visible to anyone who's not entitled to know who's logged in ... regards, tom lane
Commits
-
Add missing $Test::Builder::Level settings
- 73aa5e0cafd0 15.0 landed
- e536a2683439 14.0 landed
-
Add some information about authenticated identity via log_connections
- 9afffcb833d3 14.0 landed
-
Fix some issues with SSL and Kerberos tests
- 5a71964a832f 14.0 landed
-
Refactor all TAP test suites doing connection checks
- c50624cdd248 14.0 landed