On Fri, May 20, 2022 at 03:17:29PM +0900, Ian Lawrence Barwick wrote:
> It seems reasonable to mention here that the information is also visible to
> members of "pg_read_all_stats", similar to what is done in the
> pg_stat_statements
> docs [2].
>
> [2] https://www.postgresql.org/docs/current/pgstatstatements.html#PGSTATSTATEMENTS-COLUMNS
>
> Suggested wording:
>
>> Note that even when enabled, this information is only visible to superusers,
>> members of the <literal>pg_read_all_stats</literal> role and the user owning
>> the session being reported on, so it should not represent a security risk.
>
> Patch (for HEAD) with suggested wording attached; the change should
> IMO be applied
> all the way back to v10 (though as-is the patch only applies to HEAD,
> can provide
> others if needed).
LGTM
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com