Re: Log operating system user connecting via unix socket
| От | Stephen Frost |
|---|---|
| Тема | Re: Log operating system user connecting via unix socket |
| Дата | |
| Msg-id | 20160117170701.GD3685@tamriel.snowman.net обсуждение исходный текст |
| Ответ на | Re: Log operating system user connecting via unix socket (Tom Lane <tgl@sss.pgh.pa.us>) |
| Ответы |
Re: Log operating system user connecting via unix socket
|
| Список | pgsql-hackers |
Tom, * Tom Lane (tgl@sss.pgh.pa.us) wrote: > Stephen Frost <sfrost@snowman.net> writes: > > What I think we really want here is logging of the general 'system > > user' for all auth methods instead of only for the 'peer' method. > > Well, we don't really know that except in a small subset of auth > methods. I agree that when we do know it, it's useful info to log. Right. > My big beef with the proposed patch is that the log message is emitted > unconditionally. There are lots and lots of users who feel that during > normal operation, *zero* log messages should get emitted. Those villagers > would be on our doorsteps with pitchforks if we shipped this patch as-is. Agreed. > I would propose that this information should be emitted only when > log_connections is enabled, and indeed that it should be part of the > log_connections message not a separate message. So this leads to > thinking that somehow, the code for individual auth methods should > be able to return an "additional info" field for inclusion in > log_connections. We already have such a concept for auth failures, > cf commit 5e0b5dcab. Apologies if it wasn't clear, but that's exactly what I was suggesting by saying to add it to PerformAuthentication, which is where we emit the connection info when log_connections is enabled. > > ... and also make it available in pg_stat_activity. > > That's moving the goalposts quite a bit, and I'm not sure it's necessary > or even desirable. Let's just get this added to log_connections output, > and then see if there's field demand for more. This was in context of peer_cn, which is just a specific "system user" value and which we're already showing in pg_stat_* info tables. I'd love to have the Kerberos principal available, but I don't think it'd make sense to have a 'pg_stat_kerberos' just for that. I agree that it's moving the goalposts for this patch and could be an independent patch, but I don't see it as any different, from a desirability and requirements perspective, than what we're doing for SSL connections. Thanks! Stephen
В списке pgsql-hackers по дате отправления: