Re: pgaudit - an auditing extension for PostgreSQL

On 1/23/15 12:16 PM, Stephen Frost wrote:
> Just to clarify- this concept isn't actually mine but was suggested by a
> pretty sizable PG user who has a great deal of familiarity with other
> databases.  I don't mean to try and invoke the 'silent majority' but
> rather to make sure folks don't think this is my idea alone or that it's
> only me who thinks it makes sense.:)   Simon had weighed in earlier
> with, iirc, a comment that he thought it was a good approach also,
> though that was a while ago and things have changed.

I know there's definitely demand for auditing. I'd love to see us support it.

> I happen to like the idea specifically because it would allow regular
> roles to change the auditing settings (no need to be a superuser or to
> be able to modify postgresql.conf/postgresql.auto.conf)

Is there really a use case for non-superusers to be able to change auditing config? That seems like a bad idea.

Also, was there a solution to how to configure auditing on specific objects with a role-based mechanism? I think we
reallydo need something akin to role:action:object tuples, and I don't see how to do that with roles alone.
 

BTW, I'm starting to feel like this needs a wiki page to get the design pulled together.
-- 
Jim Nasby, Data Architect, Blue Treble Consulting
Data in Trouble? Get it in Treble! http://BlueTreble.com