Re: pgaudit - an auditing extension for PostgreSQL - Mailing list pgsql-hackers

From Abhijit Menon-Sen
Subject Re: pgaudit - an auditing extension for PostgreSQL
Date
Msg-id 20150127090830.GA28797@toroid.org
In response to Re: pgaudit - an auditing extension for PostgreSQL  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: pgaudit - an auditing extension for PostgreSQL
Re: pgaudit - an auditing extension for PostgreSQL
List pgsql-hackers
At 2015-01-26 17:45:52 -0500, robertmhaas@gmail.com wrote:
>
> > Based on the recent emails, it appears there's been a shift of
> > preference to having it be in-core […]
> 
> Well, I'm not sure that anyone else here agreed with me on that

Sure, an in-core AUDIT command would be great. Stephen has always said
that would be the most preferable solution; and if we had the code to
implement it, I doubt anyone would prefer the contrib module instead.
But we don't have that code now, and we won't have it in time for 9.5.

We had an opportunity to work on pgaudit in its current form, and I like
to think that the result is useful. To me, the question has always been
whether some variant of that code would be acceptable for 9.5's contrib.
If so, I had some time to work on that. If not… well, hard luck. But the
option to implement AUDIT was not available to me, which is why I have
not commented much on it recently.

> The basic dynamic here seems to be you asking for changes and Abhijit
> making them but without any real confidence, and I don't feel good
> about that. 

I understand how I might have given you that impression, but I didn't
mean to, and I don't really feel that way.

I appreciate Stephen's suggestions and, although it took me some time to
understand them fully, I think the use of GRANT to provide finer-grained
auditing configuration has improved pgaudit. I am slightly concerned by
the resulting complexity, but I think that can be addressed by examples
and so on. I wouldn't be unhappy if this code were to go into contrib.

(I should point out that it is also not the case that I do not hold any
opinions and would be happy with anything pgaudit-shaped being included.
For example, I strongly prefer GRANT to the 'alice:*:*' approach.)

Anyway, I think it's reasonably clear now that pgaudit is unlikely to
make it into 9.5 in any form, so I'll find something else to do.

-- Abhijit


