Joshua,
* Joshua Warburton (j.warburton@irax.com) wrote:
> I'm authenticating to postgres using GSSAPI and (for audit reasons)
> I need to be able to log the principle name that connects as well as
> the username it is mapped to. Is there any way I can get postgres to
> log this without cranking up the log level for everything?
Not easily, I don't think. The Kerberos logs should be able to tell you
every postgres/HOST@REALM ticket which is issued and while that's not
great it's at least something.
Another option is to just use the full princ *as* the PG username, which
works fine but can be a bit annoying when you're trying to GRANT
permissions, etc (I'd suggest using a lot of roles :).
Improving this has been one of those things that I've wanted to do for a
long time... Probably by just adding the "System Username" or similar
to the "connection authorized" log message. Would that work for your
need..?
Thanks,
Stephen