| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: More detailed auth info |
| Date: | 2011-01-21 15:14:56 |
| Message-ID: | AANLkTimTNWsrWtu9MEVHdM0XJt7viWMRv1jA3ow5gm9+@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, Jan 21, 2011 at 15:51, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> I came across a case this week where I wanted to be able to determine
>> more detailed auth information on already logged in sessions - not
>> from the client, but from the server. In this specific case, I wanted
>> to examine the "is ssl" flag on the connection. But I can see other
>> things being interesting, such as which user is on the other end (when
>> pg_ident is in use), more detailed SSL information, full kerberos
>> principal when kerberos in use etc.
>
>> I doubt this is common enough to want to stick it in pg_stat_activity
>> though, but what do people think? And if not there, as a separate view
>> or just as a function to call (e.g.
>> pg_get_detailed_authinfo(<backendpid>))
>
> By and large, it's been thought to be a possible security hole to expose
> such information, except possibly in the postmaster log. I'm certainly
> *not* in favor of creating a view for it.
Well, it would obviously be superuser only.
Would you object to a function as well?
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Heikki Linnakangas | 2011-01-21 15:17:20 | Re: review: FDW API |
| Previous Message | Anssi Kääriäinen | 2011-01-21 15:08:00 | Re: SSI and Hot Standby |