Re: SYSTEM_USER reserved word implementation
Drouvot, Bertrand <bdrouvot@amazon.com>
From: "Drouvot, Bertrand" <bdrouvot@amazon.com>
To: Jacob Champion <jchampion@timescale.com>, Joe Conway <mail@joeconway.com>, Tom Lane <tgl@sss.pgh.pa.us>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2022-06-24T09:49:23Z
Lists: pgsql-hackers
Attachments
- v2-0001-system_user-implementation.patch (text/plain) patch v2-0001
Hi, On 6/23/22 10:06 AM, Drouvot, Bertrand wrote: > Hi, > > On 6/22/22 5:35 PM, Jacob Champion wrote: >> On Wed, Jun 22, 2022 at 8:10 AM Joe Conway <mail@joeconway.com> wrote: >>> On the contrary, I would argue that not having the identifier for the >>> external "user" available is a security concern. Ideally you want to be >>> able to trace actions inside Postgres to the actual user that >>> invoked them. >> If auditing is also the use case for SYSTEM_USER, you'll probably want >> to review the arguments for making it available to parallel workers >> that were made in the other thread [1]. > > Thanks Jacob for your feedback. > > I did some testing initially around the parallel workers and did not > see any issues at that time. > > I just had another look and I agree that the parallel workers case > needs to be addressed. > > I'll have a closer look to what you have done in [1]. > > Thanks > > Bertrand > Please find attached patch version 2. It does contain: - Tom's idea implementation (aka presenting the system_user as auth_method:authn_id) - A fix for the parallel workers issue mentioned by Jacob. The patch now propagates the SYSTEM_USER to the parallel workers. - Doc updates - Tap tests (some of them are coming from [1]) Looking forward to your feedback, Thanks Bertrand [1] https://www.postgresql.org/message-id/flat/793d990837ae5c06a558d58d62de9378ab525d83.camel%40vmware.com
Commits
-
Introduce SYSTEM_USER
- 0823d061b0b7 16.0 landed
-
Add some information about authenticated identity via log_connections
- 9afffcb833d3 14.0 cited