On 25 December 2014 at 10:42, Abhijit Menon-Sen <ams@2ndquadrant.com> wrote:
> Stephen likes the idea, obviously; Simon also said he liked it, but I
> now wonder if he may have liked the part I implemented (which allows a
> hot standby to have a different auditing configuration than the primary)
> but not fully realised the remainder of the proposal.
I am happy with the proposal, I just thought you'd already done it.
> Before I go much further, how do others feel about it?
>
> To summarise for people who haven't followed the thread in detail, the
> idea is that you would do:
>
> grant select on foo to audit;
GRANT is understood and supported by many people and tools. The idea
makes auditing immediately accessible for wide usage.
> …and the server would audit-log any "select … from foo …" queries (by
> any user). One immediate consequence is that only things you could grant
> permissions for could be audited (by this mechanism), but I guess that's
> a problem only in the short term. Another consequence is that you can't
> audit selects on foo only by role x and selects on bar only by role y.
>
>> Also, what makes the "audit" role magical?
>
> I think it's because it exists only to receive these "negative" grants,
> there's no other magic involved. Stephen also said «Note that this role,
> from core PG's perspective, wouldn't be special at all».
I don't see them as "negative grants". You are simply specifying the
privilege and object you want logged.
Abhijit is right to point out that we can't specify all combinations
of actions, but solving that is considerably more complex. At the
moment we don't have strong evidence that we should wait for such
additional complexity. We can improve things in next release if it is
truly needed.
-- Simon Riggs http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training & Services