On Fri, May 29, 2020 at 3:05 PM Chapman Flack <chap@anastigmatix.net> wrote:
> A possible step in the direction of good-enough would be to have
> 'sensitive' flags only in the parameter-bind message of the extended
> protocol.

Interesting idea. Changing the wire protocol for this sort of thing
makes it a much bigger lift, but it might help, at least in some
cases. It does however require that the user be using prepared
queries, and that the user know which data is sensitive. For instance,
if a user is sitting there in a psql shell and the requirement is that
if they happen to type ALTER USER .. PASSWORD the new password doesn't
get logged, this approach fails both because the user doesn't do
anything to identify the query as special, and also because it's not
prepared. So in a certain sense you could say that with this design
the server just passes the buck: it's too hard for us to figure out
which things to log, so we're making it your job to tell us....

Another point to consider is that I think we already have the ability
to suppress logging of bind parameters. So, people who want this sort
of thing and are able to use bind parameters can just not log them and
then all is well. That does have the deficiency that we then log NO
bind parameters, and somebody might want to log them in some
situations but not others, but perhaps there is a simpler way of
accomplishing that than what you've outlined here? I don't know. I'm
just throwing out ideas...

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company