Re: Information of pg_stat_ssl visible to all users

On 2015-07-07 12:03:36 -0400, Peter Eisentraut wrote:
> I think the DN is analogous to the remote user name, which we don't
> expose for any of the other authentication methods.

Huh?

Datum
pg_stat_get_activity(PG_FUNCTION_ARGS)
{    /* Values available to all callers */    values[0] = ObjectIdGetDatum(beentry->st_databaseid);    values[1] =
Int32GetDatum(beentry->st_procpid);   values[2] = ObjectIdGetDatum(beentry->st_userid);
 
...

Isn't that like, essentially, all of them? Sure, if you have a ident
mapping set up, then not, but I have a hard time seing that as a
relevant use case.

> I think the default approach for security and authentication related
> information should be conservative, even if there is not a specific
> reason.  Or to put it another way: What is the motivation for showing
> this information at all?

That we already show equivalent information and that hiding it from
another place will just be crufty and make monitoring setups more
complex.

Greetings,

Andres Freund