Re: pgaudit - an auditing extension for PostgreSQL
From | Robert Haas |
---|---|
Subject | Re: pgaudit - an auditing extension for PostgreSQL |
Date | |
Msg-id | CA+TgmoYeeAWDoyBaBAmNFJbivZ9FO=nK-4WZDVdJxBNthKBFrA@mail.gmail.com |
In reply to | Re: pgaudit - an auditing extension for PostgreSQL (Stephen Frost <sfrost@snowman.net>) |
Replies | Re: pgaudit - an auditing extension for PostgreSQL |
List | pgsql-hackers |

On Tue, Dec 16, 2014 at 1:28 PM, Stephen Frost <sfrost@snowman.net> wrote:
> The magic "audit" role has SELECT rights on a given table. When any
> user does a SELECT against that table, ExecCheckRTPerms is called and
> there's a hook there which the module can use to say "ok, does the audit
> role have any permissions here?" and, if the result is yes, then the
> command is audited. Note that this role, from core PG's perspective,
> wouldn't be special at all; it would just be that pgaudit would use the
> role's permissions as a way to figure out if a given command should be
> audited or not.

This is a little weird because you're effectively granting an anti-permission. I'm not sure whether that ought to be regarded as a serious problem, but it's a little surprising.

Also, what makes the "audit" role magical?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company