Re: Proposal: Save user's original authenticated identity for logging

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Magnus Hagander <magnus@hagander.net>
Cc: Jacob Champion <pchampion@vmware.com>, "sfrost@snowman.net" <sfrost@snowman.net>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2021-01-31T15:49:41Z
Lists: pgsql-hackers
Magnus Hagander <magnus@hagander.net> writes:
> On Sat, Jan 30, 2021 at 12:40 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> I remain concerned about the cost and inconvenience of exposing
>> it via log_line_prefix, but at least that shouldn't be visible
>> to anyone who's not entitled to know who's logged in ...

> What if we logged it as part of log_connection=on, but only there and
> only once? It could still be traced through the rest of that sessions
> logging using the fields identifying the session, and we'd only end up
> logging it once.

I'm certainly fine with including this info in the log_connection output.
Perhaps it'd also be good to have a superuser-only column in
pg_stat_activity, or some other restricted way to get the info from an
existing session.  I doubt we really want a log_line_prefix option.

			regards, tom lane



Commits

  1. Add missing $Test::Builder::Level settings

  2. Add some information about authenticated identity via log_connections

  3. Fix some issues with SSL and Kerberos tests

  4. Refactor all TAP test suites doing connection checks