Re: SYSTEM_USER reserved word implementation

Drouvot, Bertrand <bdrouvot@amazon.com>

From: "Drouvot, Bertrand" <bdrouvot@amazon.com>
To: Jacob Champion <jchampion@timescale.com>, Joe Conway <mail@joeconway.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2022-06-23T08:06:43Z
Lists: pgsql-hackers
Hi,

On 6/22/22 5:35 PM, Jacob Champion wrote:
> On Wed, Jun 22, 2022 at 8:10 AM Joe Conway <mail@joeconway.com> wrote:
>> On the contrary, I would argue that not having the identifier for the
>> external "user" available is a security concern. Ideally you want to be
>> able to trace actions inside Postgres to the actual user that invoked them.
> If auditing is also the use case for SYSTEM_USER, you'll probably want
> to review the arguments for making it available to parallel workers
> that were made in the other thread [1].

Thanks Jacob for your feedback.

I did some testing initially around the parallel workers and did not see 
any issues at that time.

I just had another look and I agree that the parallel workers case needs 
to be addressed.

I'll have a closer look to what you have done in [1].

Thanks

Bertrand

[1]https://www.postgresql.org/message-id/flat/793d990837ae5c06a558d58d62de9378ab525d83.camel%40vmware.com




Commits

  1. Introduce SYSTEM_USER

  2. Add some information about authenticated identity via log_connections