Re: Proposal: Save user's original authenticated identity for logging
Jacob Champion <pchampion@vmware.com>
From: Jacob Champion <pchampion@vmware.com>
To: "tgl@sss.pgh.pa.us" <tgl@sss.pgh.pa.us>
Cc: "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>, "sfrost@snowman.net" <sfrost@snowman.net>
Date: 2021-01-30T00:10:59Z
Lists: pgsql-hackers
On Fri, 2021-01-29 at 18:40 -0500, Tom Lane wrote: > Ah. So basically, this comes into play when you consider that some > outside-the-database entity is your "real" authenticated identity. > That seems reasonable when using Kerberos or the like, though it's > not real meaningful for traditional password-type authentication. Right. > So, if we store this "real" identity, is there any security issue > involved in exposing it to other users (via pg_stat_activity or > whatever)? I think that could be a concern for some, yeah. Besides being able to get information on other logged-in users, the ability to connect an authenticated identity to a username also gives you some insight into the pg_hba configuration. --Jacob
Commits
-
Add missing $Test::Builder::Level settings
- 73aa5e0cafd0 15.0 landed
- e536a2683439 14.0 landed
-
Add some information about authenticated identity via log_connections
- 9afffcb833d3 14.0 landed
-
Fix some issues with SSL and Kerberos tests
- 5a71964a832f 14.0 landed
-
Refactor all TAP test suites doing connection checks
- c50624cdd248 14.0 landed