6.6. Security Setup

6.6.1. Setting up an Operating System User

pgpro-otel-collector can run under a dedicated unprivileged operating system user (otelcol in the examples below); it does not need root privileges. If the collector is to gather logs from the DBMS instance, that user additionally needs read access to the log directory and the log files on the operating system side.

6.6.1.1. Setting up Read Access to DBMS Logs

To read the logs, it is sufficient to reuse the group under which the DBMS instance is running: grant that group read access to the log files, then add the user under which the collector runs to the same group. Typically, this is the postgres group. Note that this gives the collector read access to everything in the log directory, including any statement text or error details that the server writes to its logs.

  1. Grant read permissions to the group (the directory path may vary):

    sudo chmod g+rx /var/log/postgresql/
    sudo chmod g+r /var/log/postgresql/*
    
  2. Add the user otelcol to the group postgres. Use --append (-a): without it, usermod replaces the user's existing supplementary groups with the list given:

    sudo usermod --append --groups=postgres otelcol
    

    Group membership is only picked up by processes started after the change, so restart the collector (or its service). It should then be able to read the existing log files.

Additionally, adjust the DBMS instance configuration so that new log files are created with the required permissions; otherwise the next log rotation produces a file the collector cannot read. This is done by setting the log_file_mode parameter and reloading the configuration. log_file_mode applies only to files created by the server's logging collector (logging_collector = on); it has no effect on logs sent to syslog or on stderr redirected by an external process. The value is an octal mode and must start with 0 (0640 grants read access to the group and nothing to others; a value without the leading zero is interpreted as decimal). The parameter can be changed in the configuration file, via ALTER SYSTEM, or through automation tools and IaC (Infrastructure as Code) solutions.

In the example below, the change is made by connecting to the DBMS instance and using ALTER SYSTEM (the mode is passed as a string literal, so the outer shell quotes are double quotes):

psql -U postgres -c "ALTER SYSTEM SET log_file_mode = '0640'"
psql -U postgres -c 'SELECT pg_reload_conf()'
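As an added pre-flight check (example code written for this page, not part of pgpro-otel-collector or PostgreSQL), the script below decides from the mode bits alone whether a given OS identity could read the log directory and every file in it, and shows how the server interprets a log_file_mode value, including the decimal trap when the leading zero is omitted. The sample directory it builds is constructed for the demonstration; the user name and path in the usage line are assumptions.

```python
"""Pre-flight check: can the collector's OS identity read the DBMS log directory?"""
import os
import pwd
import stat
import tempfile
from typing import List, Set, Tuple


def parse_log_file_mode(value: str) -> int:
    """Interpret a log_file_mode value the way the server parses integer settings
    (C strtol with base 0): a leading 0 means octal, 0x means hexadecimal, anything
    else is decimal. '0640' is the intended 0o640, but '640' silently becomes
    decimal 640, which is 0o1200: sticky bit plus owner write, no read for anyone."""
    value = value.strip()
    if value[:2].lower() == "0x":
        return int(value, 16)
    if len(value) > 1 and value.startswith("0"):
        return int(value, 8)
    return int(value, 10)


def group_grants_read(mode: int) -> bool:
    """True if the group read bit is set, i.e. members of the DBMS group can read new log files."""
    return bool(mode & stat.S_IRGRP)


def identity_of(user: str) -> Tuple[int, Set[int]]:
    """uid and the full gid set (primary + supplementary) a process of `user` gets
    when it is (re)started, which is what the usermod --append change produces."""
    pw = pwd.getpwnam(user)
    return pw.pw_uid, set(os.getgrouplist(pw.pw_name, pw.pw_gid))


def _permits(st: os.stat_result, uid: int, gids: Set[int], need_search: bool) -> bool:
    """POSIX mode-bit check for a non-root identity. Exactly one class applies:
    owner if the uid matches, else group if one of the gids matches, else other."""
    if st.st_uid == uid:
        read_bit, exec_bit = stat.S_IRUSR, stat.S_IXUSR
    elif st.st_gid in gids:
        read_bit, exec_bit = stat.S_IRGRP, stat.S_IXGRP
    else:
        read_bit, exec_bit = stat.S_IROTH, stat.S_IXOTH
    if not st.st_mode & read_bit:
        return False
    return bool(st.st_mode & exec_bit) if need_search else True


def unreadable_log_paths(log_dir: str, uid: int, gids: Set[int]) -> List[str]:
    """Paths the collector identity could not read: the directory itself if it lacks
    read+search, and every regular file lacking read. Mode bits are evaluated instead
    of calling os.access(), so the answer is right even when this script runs as root."""
    problems = []
    if not _permits(os.stat(log_dir), uid, gids, need_search=True):
        problems.append(log_dir)
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        st = os.stat(path)
        if stat.S_ISREG(st.st_mode) and not _permits(st, uid, gids, need_search=False):
            problems.append(path)
    return problems


def make_sample_log_dir() -> str:
    """Constructed sample (not a real server's directory): one file created with the
    default log_file_mode of 0600 and one created after the switch to 0640."""
    d = tempfile.mkdtemp(prefix="pglog-")
    os.chmod(d, 0o750)
    for name, mode in (("postgresql-Mon.log", 0o600), ("postgresql-Tue.log", 0o640)):
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("LOG:  database system is ready to accept connections\n")
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    import sys
    # assumed usage: python3 check_log_access.py otelcol /var/log/postgresql
    user, log_dir = sys.argv[1], sys.argv[2]
    uid, gids = identity_of(user)
    for p in unreadable_log_paths(log_dir, uid, gids):
        print(f"{user} cannot read {p}")
```

Run it as root after the usermod change and before restarting the collector; an empty result means the restarted collector will be able to read the current files, and group_grants_read(parse_log_file_mode(...)) tells you whether the configured log_file_mode keeps it that way after rotation.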

6.6.2. Setting up a DBMS Instance User

The database user setup consists of the following steps:

  • Creating and configuring the privileges of the database user under which the collector connects to the database instance.

  • Setting up client authentication (HBA) rules that allow the collector to connect to the database instance.

  • Configuring additional privileges for function execution; this step is optional and is only required if you actually want to enable the collection of the corresponding data.

6.6.2.1. Creating and Setting up a User

Create the user with a password (createuser prompts for it, so the password does not end up on the command line or in the shell history):

sudo -u postgres createuser --pwprompt otelcol

To set up permissions, connect to the database instance and grant the predefined pg_monitor role, which provides read access to the monitoring views and statistics functions the collector needs. Do not make the collector's user a superuser:

GRANT pg_monitor TO otelcol;

6.6.2.2. Setting up the HBA Rules

When using plugins that require connections to other databases (such as collecting tables, indexes, or bloat), the HBA (host-based authentication) rules must be aligned with the collector configuration:

  • The databases listed in the plugin configuration must be allowed in the HBA configuration.

  • If the collector is configured to collect data from all databases, then HBA rules should allow connection to all of them.

PostgreSQL DBMS supports a wide variety of authentication methods. When setting up HBA rules, focus on the method that is used in your case.

The example below allows the user otelcol to connect to the database postgres with the scram-sha-256 method, both over the Unix socket and over TCP from the local host. Rules in pg_hba.conf are evaluated top to bottom, and the first line whose type, database, user and address all match decides the authentication method; place these lines before any broader rule (such as a local all all line) that would otherwise match first. Note that a TCP endpoint given as localhost may resolve to the IPv6 loopback address ::1, which a 127.0.0.1/32 rule does not cover; either add a rule for ::1/128 as shown or point the collector at 127.0.0.1 explicitly.

vi pg_hba.conf

local  postgres  otelcol                 scram-sha-256
host   postgres  otelcol  127.0.0.1/32   scram-sha-256
host   postgres  otelcol  ::1/128        scram-sha-256

In this example, the connection capability is limited to the postgres database; if the collector is configured to collect data from other databases, add the corresponding rules to the HBA configuration (several databases can be listed in the DATABASE column separated by commas).

Reload the configuration of the database instance for the changes to take effect (pg_hba.conf is re-read on reload; a restart is not needed):

sudo -u postgres psql -c 'SELECT pg_reload_conf()'
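Because the first matching line decides, it is easy to end up with a collector rule that is never reached, or with the IPv6 loopback address uncovered. The following added example (written for this page, not part of pgpro-otel-collector or PostgreSQL) evaluates a pg_hba.conf file with the server's first-match semantics for the databases the collector needs. The sample file embedded in it is constructed; the database name app and the file path in the usage line are assumptions.

```python
"""First-match evaluation of pg_hba.conf rules for the collector's connections."""
import ipaddress
from typing import List, NamedTuple, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class HbaRule(NamedTuple):
    conn_type: str              # local, host, hostssl, hostnossl
    databases: List[str]
    users: List[str]
    network: Optional[Network]  # None for local (Unix socket) rules
    method: str


def parse_pg_hba(text: str) -> List[HbaRule]:
    """Parse the subset of pg_hba.conf this check understands: local/host/hostssl/hostnossl
    lines, 'all' or comma-separated names, CIDR or address+netmask columns. Comments and
    authentication options after the method are ignored. Anything else (hostgssenc lines,
    hostnames, samehost/samenet, quoted names with spaces) raises ValueError, so the check
    fails closed instead of guessing."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            rules.append(HbaRule("local", f[1].split(","), f[2].split(","), None, f[3]))
        elif f[0] in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            addr, rest = f[3], f[4:]
            if "/" not in addr:                      # separate netmask column, or a keyword/hostname
                if len(rest) < 2:
                    raise ValueError(f"address without mask or unsupported keyword: {raw!r}")
                addr, rest = f"{addr}/{rest[0]}", rest[1:]
            net = ipaddress.ip_network(addr, strict=False)   # ValueError for hostnames
            rules.append(HbaRule(f[0], f[1].split(","), f[2].split(","), net, rest[0]))
        else:
            raise ValueError(f"unsupported pg_hba.conf line: {raw!r}")
    return rules


def _matches(patterns: List[str], name: str) -> bool:
    """'all' or an exact name matches. 'replication' only matches replication connections,
    which the collector never opens. Role/file references (+role, @file) and sameuser/samerole
    are not evaluated here and raise, again to fail closed."""
    for p in patterns:
        if p == "replication":
            continue
        if p in ("sameuser", "samerole") or p[:1] in "+@":
            raise ValueError(f"unsupported DATABASE/USER pattern {p!r}")
        if p == "all" or p == name:
            return True
    return False


def hba_method(rules: List[HbaRule], conn_type: str, database: str, user: str,
               address: Optional[str] = None, ssl: bool = False) -> Optional[str]:
    """Authentication method of the FIRST matching rule, or None when nothing matches
    (the server then rejects the connection). conn_type is 'local' for a Unix socket or
    'host' for TCP from `address`; ssl says whether that TCP connection is encrypted."""
    ip = ipaddress.ip_address(address) if conn_type == "host" else None
    for r in rules:
        if conn_type == "local":
            if r.conn_type != "local":
                continue
        elif (r.conn_type == "local" or (r.conn_type == "hostssl" and not ssl)
              or (r.conn_type == "hostnossl" and ssl) or ip not in r.network):
            continue   # note: an IPv6 address is never inside an IPv4 network, and vice versa
        if _matches(r.databases, database) and _matches(r.users, user):
            return r.method
    return None


def blocked_databases(rules: List[HbaRule], user: str, databases: List[str],
                      address: Optional[str] = None, conn_type: str = "host",
                      ssl: bool = False) -> List[str]:
    """Databases the collector could not reach: no matching rule, or the first match is 'reject'."""
    return [db for db in databases
            if hba_method(rules, conn_type, db, user, address, ssl) in (None, "reject")]


# Constructed sample (not from any real server): the two rules from the text placed after a
# typical default 'local all all peer' line, followed by a catch-all reject.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE     USER     ADDRESS         METHOD
local   all          all                      peer
host    replication  all      127.0.0.1/32    scram-sha-256
local   postgres     otelcol                  scram-sha-256
host    postgres     otelcol  127.0.0.1/32    scram-sha-256
host    all          all      0.0.0.0/0       reject
"""

if __name__ == "__main__":
    import sys
    # assumed usage: python3 hba_check.py /path/to/pg_hba.conf otelcol 127.0.0.1 postgres app
    path, user, address, *dbs = sys.argv[1:]
    with open(path) as fh:
        rules = parse_pg_hba(fh.read())
    for db in blocked_databases(rules, user, dbs, address):
        print(f"{user} cannot connect to {db} from {address}")
```

Against the sample, a Unix-socket connection by otelcol to postgres gets peer, not scram-sha-256, because the earlier local all all line shadows the collector's rule, and a TCP connection from ::1 matches nothing at all, which is exactly what a collector configured with endpoint localhost:5432 may do.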

6.6.2.3. Setting up Additional Privileges

Different types of collected data require access to various internal functions. Access to these functions is restricted for general users, as they can reveal confidential information. Therefore, granting access should be coordinated with the company's security policies.

6.6.2.4. Collecting Data from Orphaned Files

To collect data about orphaned files, the database user must be allowed to execute the pg_ls_dir and pg_stat_file functions. EXECUTE privileges on functions are granted per database, so run the following in every database from which the collector gathers this data:

GRANT EXECUTE ON FUNCTION pg_ls_dir(text) TO otelcol;
GRANT EXECUTE ON FUNCTION pg_stat_file(text) TO otelcol;

These functions let the role enumerate and inspect files under the server's data and log directories, which is why they are not available to ordinary users by default.

6.6.3. Setting up the Collector

6.6.3.1. Connecting to a DBMS Instance

The parameters for connecting to the database instance are set in the postgrespro receiver section of the collector configuration file: endpoint, database, username and password. Do not write the password into the configuration file itself; reference an environment variable with the ${env:...} syntax, set that variable from a file that only the collector's operating system user can read (for example the service's environment file), and restrict the permissions of the configuration file as well. The endpoint must agree with the HBA rules: localhost may resolve to ::1 as well as 127.0.0.1.

receivers:
  postgrespro:
    transport: tcp
    endpoint: localhost:5432
    database: postgres
    username: otelcol
    password: ${env:POSTGRESQL_PASSWORD}

6.6.4. Configuring TLS

TLS (Transport Layer Security) is configured per exporter; every exporter accepts the same tls block, with the same settings as the exporters of the upstream OpenTelemetry Collector. TLS 1.0 and 1.1 are deprecated (RFC 8996), so set min_version to at least "1.2"; max_version can be left at its default (the highest version supported) or pinned as below. Keep insecure and insecure_skip_verify at false outside test environments: the first disables TLS entirely and the second disables certificate verification, either of which exposes the exported telemetry, log lines included, to interception. The private key file must be readable only by the collector's operating system user.

An example of the otlphttp exporter configuration with mutual TLS:

exporters:
  otlphttp:
    endpoint: "https://ppem.example.org"
    tls:
      insecure: false          # TLS stays on (the default); never true outside a lab
      ca_file: server.crt      # trust anchor for the endpoint: its CA, or the self-signed server certificate itself
      cert_file: client.crt    # client certificate presented to the endpoint
      key_file: client.key     # its private key; mode 0600, owned by the collector's user
      min_version: "1.2"       # refuse the deprecated TLS 1.0 and 1.1
      max_version: "1.3"