Re: Proposal: Save user's original authenticated identity for logging - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: Proposal: Save user's original authenticated identity for logging
Msg-id CABUevEx9OwEjDhq+GTXH8kC398MTTa2eO3Jqk-K4XHVGKKBeNQ@mail.gmail.com
In response to Re: Proposal: Save user's original authenticated identity for logging  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Sat, Jan 30, 2021 at 12:40 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> Jacob Champion <pchampion@vmware.com> writes:
> > On Fri, 2021-01-29 at 17:30 -0500, Tom Lane wrote:
> >> What happens if ALTER USER RENAME is done while the session is still
> >> alive?
>
> > IMO the authenticated identity should be write-once. Especially since
> > one of my goals is to have greater auditability into events as they've
> > actually happened. So ALTER USER RENAME should have no effect.
>
> > This also doesn't really affect third-party auth methods. If I'm bound
> > as pchampion@EXAMPLE.COM and a superuser changes my username to tlane,
> > you _definitely_ don't want to see my authenticated identity change to
> > tlane@EXAMPLE.COM. That's not who I am.
>
> Ah.  So basically, this comes into play when you consider that some
> outside-the-database entity is your "real" authenticated identity.
> That seems reasonable when using Kerberos or the like, though it's
> not real meaningful for traditional password-type authentication.

I think the use cases where it's relevant are a relatively close match
to the use cases where we support user mapping in pg_ident.conf. There
is a small exception in the LDAP search+bind since it's a two-step
operation and the interesting part would be in the mid-step, but I'm
not sure there is any other case than those where it adds a lot of
value.


> I'd misunderstood your point before.
>
> So, if we store this "real" identity, is there any security issue
> involved in exposing it to other users (via pg_stat_activity or
> whatever)?

I'd say it might. It might for example reveal where in a hierarchical
authentication setup your "real identity" lives. I think it'd at least
have to be limited to superusers.


> I remain concerned about the cost and inconvenience of exposing
> it via log_line_prefix, but at least that shouldn't be visible
> to anyone who's not entitled to know who's logged in ...

What if we logged it as part of log_connection=on, but only there and
only once? It could still be traced through the rest of that session's
logging using the fields identifying the session, and we'd only end up
logging it once.

-- 
 Magnus Hagander
 Me: https://www.hagander.net/
 Work: https://www.redpill-linpro.com/
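The scheme Magnus suggests, logging the authenticated identity once at connection time and attributing later lines of the same session to it through the session identifier, as an added example that is not from the thread or from PostgreSQL itself. The `%c` session id escape in log_line_prefix is real; the shape of the "connection authenticated" message and the sample log lines are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed log_line_prefix = '%m [%p] %c %u@%d ' (the %c session id escape is
# real); the "connection authenticated" message shape is an assumption made
# for this example, not something taken from the thread.
PREFIX_RE = re.compile(
    r'^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<sid>[0-9a-f]+\.[0-9a-f]+) '
    r'(?P<user>[^@ ]+)@(?P<db>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$'
)
AUTH_RE = re.compile(r'connection authenticated: identity="(?P<identity>[^"]+)"')


@dataclass
class Attributed:
    session_id: str
    user: str                 # role name as logged on this line (may be renamed)
    identity: Optional[str]   # None when no connection record was seen for the session
    message: str


def attribute_identity(lines: List[str]) -> List[Attributed]:
    """Attach the write-once authenticated identity, logged only on the
    connection line, to every later line of the same session via %c."""
    identity_by_session: Dict[str, str] = {}
    out: List[Attributed] = []
    for line in lines:
        m = PREFIX_RE.match(line)
        if not m:
            continue  # line without the expected prefix; skip it
        sid, user, msg = m['sid'], m['user'], m['msg']
        auth = AUTH_RE.search(msg)
        if auth:
            # Write-once: never overwrite an identity already recorded for a session.
            identity_by_session.setdefault(sid, auth['identity'])
            continue
        out.append(Attributed(sid, user, identity_by_session.get(sid), msg))
    return out


# Constructed sample log: the role is renamed mid-session on the third line,
# but the identity established at connection time is what gets attributed.
SAMPLE_LOG = [
    '2021-01-30 10:00:00.000 UTC [4242] 6014d2a0.1092 pchampion@app LOG:  connection authenticated: identity="pchampion@EXAMPLE.COM" method=gss',
    '2021-01-30 10:00:01.000 UTC [4242] 6014d2a0.1092 pchampion@app LOG:  statement: SELECT 1',
    '2021-01-30 10:00:02.000 UTC [4242] 6014d2a0.1092 tlane@app LOG:  statement: SELECT 2',
    '2021-01-30 10:00:03.000 UTC [4300] 6014d2a3.10cc other@app LOG:  statement: SELECT 3',
]

if __name__ == '__main__':
    for rec in attribute_identity(SAMPLE_LOG):
        print(rec)
```

The fourth sample line belongs to a session whose connection record is absent from the excerpt, so it is attributed with no identity rather than guessed.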


