Re: restrict pg_stat_ssl to superuser?
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: Michael Paquier <michael@paquier.xyz>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2019-02-21T18:56:31Z
Lists: pgsql-hackers
On 2019-02-21 09:11, Michael Paquier wrote: > On Wed, Feb 20, 2019 at 11:51:08AM +0100, Peter Eisentraut wrote: >> So here is a patch doing it the "normal" way of nulling out all the rows >> the user shouldn't see. > > That looks fine to me. Committed, thanks. >> I haven't found any documentation of these access restrictions in the >> context of pg_stat_activity. Is there something that I'm not seeing or >> something that should be added? > > Yes, there is nothing. I agree that it would be good to mention that > some fields are set to NULL and only visible to superusers or members of > pg_read_all_stats with a note for pg_stat_activity and > pg_stat_get_activity(). Here is an idea: > "Backend and SSL information are restricted to superusers and members > of the <literal>pg_read_all_stats</literal> role. Access may be > granted to others using <command>GRANT</command>. > > Getting that back-patched would be nice where pg_read_all_stats was > introduced. I added something. I don't know if it's worth backpatching. This situation goes back all the way to when pg_stat_activity was added. pg_read_all_stats does have documentation, it's just not linked from everywhere. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Commits
-
Hide other user's pg_stat_ssl rows
- f9692a769b16 12.0 landed
-
doc: Add security information about pg_stat_activity
- 213eae9b8a8a 12.0 landed