Re: primary_conninfo missing from pg_stat_wal_receiver

Peter Eisentraut <peter.eisentraut@2ndquadrant.com>

From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: Tom Lane <tgl@sss.pgh.pa.us>, Michael Paquier <michael.paquier@gmail.com>
Cc: Tatsuo Ishii <ishii@postgresql.org>, vik@2ndquadrant.fr, PostgreSQL mailing lists <pgsql-hackers@postgresql.org>, Masao Fujii <masao.fujii@gmail.com>
Date: 2016-06-21T03:00:07Z
Lists: pgsql-hackers
On 6/20/16 10:29 PM, Tom Lane wrote:
> What I would want to know is whether this specific change is actually a
> good idea.  In particular, I'm concerned about the possible security
> implications of exposing primary_conninfo --- might it not contain a
> password, for example?

That would have been my objection.  This was also mentioned in the 
context of moving recovery.conf settings to postgresql.conf, because 
then the password would become visible in SHOW commands and the like.

We would need a way to put the password in a separate place, like a 
primary_conn_password setting.  Yes, you can already use .pgpass for 
that, but since pg_basebackup -R will happily copy a password out of 
.pgpass into recovery.conf, this makes accidentally leaking passwords 
way too easy.

Alternatively or additionally, implement a way to strip passwords out of 
conninfo information.  libpq already has information about which 
connection items are sensitive.

Needs more thought, in any case.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services


Commits

  1. Add conninfo to pg_stat_wal_receiver

  2. Only show pg_stat_replication details to superusers