Re: pgaudit - an auditing extension for PostgreSQL - Mailing list pgsql-hackers

From Simon Riggs
Subject Re: pgaudit - an auditing extension for PostgreSQL
Msg-id CA+U5nMKKzMDDRxwD1ZLnYW543wAPWPqMEQ8Vf431Jb26HOELcQ@mail.gmail.com
In response to Re: pgaudit - an auditing extension for PostgreSQL  (Abhijit Menon-Sen <ams@2ndQuadrant.com>)
List pgsql-hackers
On 25 December 2014 at 10:42, Abhijit Menon-Sen <ams@2ndquadrant.com> wrote:

> Stephen likes the idea, obviously; Simon also said he liked it, but I
> now wonder if he may have liked the part I implemented (which allows a
> hot standby to have a different auditing configuration than the primary)
> but not fully realised the remainder of the proposal.

I am happy with the proposal, I just thought you'd already done it.

> Before I go much further, how do others feel about it?
>
> To summarise for people who haven't followed the thread in detail, the
> idea is that you would do:
>
>     grant select on foo to audit;

GRANT is understood and supported by many people and tools. The idea
makes auditing immediately accessible for wide usage.

> …and the server would audit-log any "select … from foo …" queries (by
> any user). One immediate consequence is that only things you could grant
> permissions for could be audited (by this mechanism), but I guess that's
> a problem only in the short term. Another consequence is that you can't
> audit selects on foo only by role x and selects on bar only by role y.
>
>> Also, what makes the "audit" role magical?
>
> I think it's because it exists only to receive these "negative" grants,
> there's no other magic involved. Stephen also said «Note that this role,
> from core PG's perspective, wouldn't be special at all».

I don't see them as "negative grants". You are simply specifying the
privilege and object you want logged.

Abhijit is right to point out that we can't specify all combinations
of actions, but solving that is considerably more complex. At the
moment we don't have strong evidence that we should wait for such
additional complexity. We can improve things in next release if it is
truly needed.

--
Simon Riggs                   http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
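The selection rule discussed above ("grant select on foo to audit" means every SELECT on foo, by any user, is audit-logged) as an added model, not code from this thread or from pgaudit. It assumes a role named audit whose only role is to hold these grants, and uses a deliberately small regex classifier for single-table DML; the session lines are constructed. The user argument exists only to show that the decision never looks at it, which is the per-role limitation Abhijit raises.

```python
"""Model of the GRANT-based audit selection proposed in the thread.

Added example, not pgaudit code: it mimics the rule "grant <privilege> on
<object> to audit" => log every statement that exercises that privilege on
that object, by any user.  Statement classification is a tiny regex parser
for plain single-table DML, which is an assumption of this model.
"""
import re
from dataclasses import dataclass, field

# Statement shapes the toy classifier understands -> privilege they exercise.
_PATTERNS = [
    (re.compile(r"^\s*select\b.*?\bfrom\s+(\w+)", re.I | re.S), "select"),
    (re.compile(r"^\s*insert\s+into\s+(\w+)", re.I), "insert"),
    (re.compile(r"^\s*update\s+(\w+)\s+set\b", re.I), "update"),
    (re.compile(r"^\s*delete\s+from\s+(\w+)", re.I), "delete"),
]


def classify(sql: str):
    """Return (privilege, table) for a simple DML statement, or None."""
    for pattern, privilege in _PATTERNS:
        m = pattern.search(sql)
        if m:
            return privilege, m.group(1).lower()
    return None


@dataclass
class AuditRole:
    """The grants held by the 'audit' role; nothing else about it is special."""
    grants: set = field(default_factory=set)  # {(privilege, table)}

    def grant(self, privilege: str, table: str) -> None:
        self.grants.add((privilege.lower(), table.lower()))

    def revoke(self, privilege: str, table: str) -> None:
        self.grants.discard((privilege.lower(), table.lower()))


def should_audit(audit: AuditRole, sql: str, user: str) -> bool:
    """Log iff the audit role holds the privilege the statement exercises.

    'user' is accepted but never consulted: a grant to the audit role covers
    the object for every user, so "selects on foo only by role x" cannot be
    expressed with this mechanism.
    """
    info = classify(sql)
    if info is None:
        return False
    return info in audit.grants


def audit_log(audit: AuditRole, session: list[tuple[str, str]]) -> list[str]:
    """Run a constructed (user, sql) session and return the lines to log."""
    return [f"AUDIT {user}: {sql}" for user, sql in session
            if should_audit(audit, sql, user)]


# Constructed session mirroring the thread's example (assumed sample data).
SESSION = [
    ("alice", "select id, name from foo where id = 1"),
    ("bob",   "select count(*) from foo"),
    ("alice", "insert into foo values (2, 'x')"),
    ("bob",   "select * from bar"),
]


def demo() -> list[str]:
    """Apply 'grant select on foo to audit;' and replay the session."""
    audit = AuditRole()
    audit.grant("select", "foo")
    return audit_log(audit, SESSION)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Only the two SELECTs on foo are logged, from both alice and bob; the INSERT on foo and the SELECT on bar are not, because no matching grant is held by the audit role. Revoking the grant switches the auditing off again, which is the whole configuration surface the proposal offers.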