Re: Proposal: Save user's original authenticated identity for logging - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: Proposal: Save user's original authenticated identity for logging
Date
Msg-id 20210201230146.GY27507@tamriel.snowman.net
Whole thread Raw
In response to Re: Proposal: Save user's original authenticated identity for logging  (Jacob Champion <pchampion@vmware.com>)
Responses Re: Proposal: Save user's original authenticated identity for logging
List pgsql-hackers
Greetings,

* Jacob Champion (pchampion@vmware.com) wrote:
> On Mon, 2021-02-01 at 17:01 -0500, Stephen Frost wrote:
> > * Jacob Champion (pchampion@vmware.com) wrote:
> > > And I'm not holding
> > > my breath for LDAP servers to start implementing federated identity,
> > > though that would be nice.
> >
> > Not sure exactly what you're referring to here but AD already provides
> > Kerberos with cross-domain trusts (aka forests).  The future is here..?
> > :)
>
> If the end user is actually using LDAP-on-top-of-AD, and comfortable
> administering the Kerberos-related pieces of AD so that their *nix
> servers and users can speak it instead, then sure. But I continue to
> hear about customers who don't fit into that mold. :D Enough that I
> have to keep an eye on the "pure" LDAP side of things, at least.

I suppose it's likely that I'll continue to run into people who are
horrified to learn that they've been using pass-the-password auth thanks
to using ldap.

> > > To double-check -- since giving this ability to the pg_read_all_stats
> > > role would expand its scope -- could that be dangerous for anyone?
> >
> > I don't agree that this really expands its scope- in fact, you'll see
> > that the GSSAPI and SSL user authentication information is already
> > allowed under HAS_PGSTAT_PERMISSIONS().
>
> Ah, so they are. :) I think that's the way to go, then.

Ok..  but what's 'go' mean here?  We already have views and such for GSS
and SSL, is the idea to add another view for LDAP and add in columns
that are returned by pg_stat_get_activity() which are then pulled out by
that view?  Or did you have something else in mind?

Thanks,

Stephen

Attachment

pgsql-hackers by date:

Previous
From: David Rowley
Date:
Subject: Re: Should we make Bitmapsets a kind of Node?
Next
From: Jacob Champion
Date:
Subject: Re: Proposal: Save user's original authenticated identity for logging