Re: redacting password in SQL statement in server log - Mailing list pgsql-hackers

From Zhihong Yu
Subject Re: redacting password in SQL statement in server log
Date
Msg-id CALNJ-vRQB81F9Q9V+oDPsCTF-+0o_xR3=7_GAZfyg2sEaEfQJA@mail.gmail.com
Whole thread Raw
In response to Re: redacting password in SQL statement in server log  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: redacting password in SQL statement in server log
List pgsql-hackers


On Sat, Jul 23, 2022 at 5:27 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Zhihong Yu <zyu@yugabyte.com> writes:
> Currently, in situation such as duplicate role creation, the server log
> would show something such as the following:

> 2022-07-22 13:48:18.251 UTC [330] STATEMENT:  CREATE ROLE test WITH LOGIN
> PASSWORD 'foobar';

> The password itself should be redacted before logging the statement.

This has been proposed multiple times, and rejected multiple times,
primarily because it offers only false security: you'll never cover
all the cases.  (The proposed patch manages to create a bunch of
false positives to go along with its false negatives, too.)

The only safe answer is to be sure to keep the server log contents
secure.  Please see prior discussions in the archives.

                        regards, tom lane
Hi,
I am thinking of adding `if not exists` to `CREATE ROLE` statement:

CREATE ROLE trustworthy if not exists;

In my previous example, if the user can issue the above command, there would be no SQL statement logged.

Do you think it is worth adding `if not exists` clause ?

Thanks

pgsql-hackers by date:

Previous
From: Julien Rouhaud
Date:
Subject: Re: Schema variables - new implementation for Postgres 15
Next
From: Julien Rouhaud
Date:
Subject: Re: redacting password in SQL statement in server log