Re: Information of pg_stat_ssl visible to all users

On Tue, Sep 1, 2015 at 4:23 AM, Peter Eisentraut <peter_e@gmx.net> wrote:
> On 8/31/15 9:13 AM, Andres Freund wrote:
>> I'm just saying that we should strive to behave at least somewhat
>> consistently, and change everything at once, not piecemal. Because the
>> latter will not decrease the pain of migrating to a new model in a
>> relevant way while making the system harder to understand.
>
> Well, we already hide a fair chunk of information from pg_stat_activity
> from unprivileged users, including everything related to the connection
> origin of other users.  So from that precedent, the entire SSL
> information ought to be considered privileged.

That being said we may want as well to bite the bullet and to hide
more information in pg_stat_activity, like datname, usename and
application_name, or simply hide completely those tuples for
non-privileged users.
-- 
Michael