Re: pgaudit - an auditing extension for PostgreSQL - Mailing list pgsql-hackers

From Jim Nasby
Subject Re: pgaudit - an auditing extension for PostgreSQL
Date
Msg-id 54C2AAF6.4060508@BlueTreble.com
Whole thread Raw
In response to Re: pgaudit - an auditing extension for PostgreSQL  (Stephen Frost <sfrost@snowman.net>)
Responses Re: pgaudit - an auditing extension for PostgreSQL
List pgsql-hackers
On 1/23/15 12:16 PM, Stephen Frost wrote:
> Just to clarify- this concept isn't actually mine but was suggested by a
> pretty sizable PG user who has a great deal of familiarity with other
> databases.  I don't mean to try and invoke the 'silent majority' but
> rather to make sure folks don't think this is my idea alone or that it's
> only me who thinks it makes sense.:)   Simon had weighed in earlier
> with, iirc, a comment that he thought it was a good approach also,
> though that was a while ago and things have changed.

I know there's definitely demand for auditing. I'd love to see us support it.

> I happen to like the idea specifically because it would allow regular
> roles to change the auditing settings (no need to be a superuser or to
> be able to modify postgresql.conf/postgresql.auto.conf)

Is there really a use case for non-superusers to be able to change auditing config? That seems like a bad idea.

Also, was there a solution to how to configure auditing on specific objects with a role-based mechanism? I think we
reallydo need something akin to role:action:object tuples, and I don't see how to do that with roles alone.
 

BTW, I'm starting to feel like this needs a wiki page to get the design pulled together.
-- 
Jim Nasby, Data Architect, Blue Treble Consulting
Data in Trouble? Get it in Treble! http://BlueTreble.com



pgsql-hackers by date:

Previous
From: Andrew Dunstan
Date:
Subject: Re: Perl coding error in msvc build system?
Next
From: Stephen Frost
Date:
Subject: Re: pgaudit - an auditing extension for PostgreSQL