Re: Proposal: Save user's original authenticated identity for logging
Jacob Champion <pchampion@vmware.com>
From: Jacob Champion <pchampion@vmware.com>
To: "tgl@sss.pgh.pa.us" <tgl@sss.pgh.pa.us>, "sfrost@snowman.net" <sfrost@snowman.net>
Cc: "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2021-01-29T23:33:02Z
Lists: pgsql-hackers
On Fri, 2021-01-29 at 17:30 -0500, Tom Lane wrote: > What happens if ALTER USER RENAME is done while the session is still > alive? IMO the authenticated identity should be write-once. Especially since one of my goals is to have greater auditability into events as they've actually happened. So ALTER USER RENAME should have no effect. This also doesn't really affect third-party auth methods. If I'm bound as pchampion@EXAMPLE.COM and a superuser changes my username to tlane, you _definitely_ don't want to see my authenticated identity change to tlane@EXAMPLE.COM. That's not who I am. So the potential confusion would come into play with first-party authn. From an audit perspective, I think it's worth it. I did authenticate as pchampion, not tlane. > More generally, exposing this in log_line_prefix seems like an awfully > narrow-minded view of what people will want it for. I'd personally > think pg_stat_activity a better place to look, for example. > [...] > Yeah, this seems like about the most expensive way that we could possibly > choose to make the info available. I'm happy as long as it's _somewhere_. :D It's relatively easy to expose a single location through multiple avenues, but currently there is no single location. --Jacob
Commits
-
Add missing $Test::Builder::Level settings
- 73aa5e0cafd0 15.0 landed
- e536a2683439 14.0 landed
-
Add some information about authenticated identity via log_connections
- 9afffcb833d3 14.0 landed
-
Fix some issues with SSL and Kerberos tests
- 5a71964a832f 14.0 landed
-
Refactor all TAP test suites doing connection checks
- c50624cdd248 14.0 landed