> What about a more general solution, such as a flag to turn off logging of ALTER ROLE statements completely?
IMO, flags for a specific type of utility statement seem way too much for pg_stat_statements, and this will also not completely prevent leaking plain text passwords from all ways that CREATE/ALTER ROLE could be run, i.e. DO blocks, inside functions/procs with track=all.
Well sure, but best effort is better than no effort at all. Preventing CREATE/ALTER will catch 99% of items, and as I advocated, there really is no reason for them to be in pg_stat_statements in the first place.
The clients that set passwords could simply turn off track_utility on a user/transaction level while they are performing the action with sensitive data.
Good point, but that relies on the client to do the right thing, and requires two extra steps.
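The track_utility suggestion above, written out as an added example that is not part of the thread: it shows the transaction-level and user-level forms, plus a check for statements already recorded. The role names `app_user` and `provisioner` and the password literal are placeholders, and it assumes the session is allowed to change `pg_stat_statements.track_utility` (superuser-only by default).

```sql
-- Added example; app_user, provisioner and the password literal are placeholders.

-- Transaction level: SET LOCAL lasts only until COMMIT or ROLLBACK,
-- so utility tracking resumes for the rest of the session.
BEGIN;
SET LOCAL pg_stat_statements.track_utility = off;
ALTER ROLE app_user PASSWORD 'placeholder-password';
COMMIT;

-- User level: every new session of the provisioning role starts with
-- utility tracking off. Existing sessions keep their current value.
ALTER ROLE provisioner SET pg_stat_statements.track_utility = off;

-- Check for role-password statements that were already recorded.
-- The query text is deliberately not selected, so the check itself
-- does not display a password.
SELECT userid::regrole AS role_name, dbid, queryid, calls
FROM pg_stat_statements
WHERE query ~* '(create|alter)\s+(role|user)\s.*password';
```

As the thread notes, this does not cover CREATE/ALTER ROLE run inside DO blocks or functions when track=all, and it depends on every client performing the extra steps.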