Re: Proposal: Save user's original authenticated identity for logging
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Magnus Hagander <magnus@hagander.net>
Cc: Jacob Champion <pchampion@vmware.com>,
"sfrost@snowman.net" <sfrost@snowman.net>,
"pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2021-01-31T15:49:41Z
Lists: pgsql-hackers
Magnus Hagander <magnus@hagander.net> writes: > On Sat, Jan 30, 2021 at 12:40 AM Tom Lane <tgl@sss.pgh.pa.us> wrote: >> I remain concerned about the cost and inconvenience of exposing >> it via log_line_prefix, but at least that shouldn't be visible >> to anyone who's not entitled to know who's logged in ... > What if we logged it as part of log_connection=on, but only there and > only once? It could still be traced through the rest of that sessions > logging using the fields identifying the session, and we'd only end up > logging it once. I'm certainly fine with including this info in the log_connection output. Perhaps it'd also be good to have a superuser-only column in pg_stat_activity, or some other restricted way to get the info from an existing session. I doubt we really want a log_line_prefix option. regards, tom lane
Commits
-
Add missing $Test::Builder::Level settings
- 73aa5e0cafd0 15.0 landed
- e536a2683439 14.0 landed
-
Add some information about authenticated identity via log_connections
- 9afffcb833d3 14.0 landed
-
Fix some issues with SSL and Kerberos tests
- 5a71964a832f 14.0 landed
-
Refactor all TAP test suites doing connection checks
- c50624cdd248 14.0 landed