Re: proposal: hide application_name from other users - Mailing list pgsql-hackers

From Greg Stark
Subject Re: proposal: hide application_name from other users
Msg-id CAM-w4HOZeMBtJohjM4oay--CGTW7q9us9jkerkefD__kgZ=V5g@mail.gmail.com
In response to Re: proposal: hide application_name from other users  (Josh Berkus <josh@agliodbs.com>)
Responses Re: proposal: hide application_name from other users  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
On Tue, Jan 28, 2014 at 11:56 AM, Josh Berkus <josh@agliodbs.com> wrote:
> Really the only way we're going to solve this is to make column
> permissions on special system views fully configurable.
>
> For example, I would really like to GRANT an unpriv user access to the
> WAL columns in pg_stat_replication so that I can monitor replication
> delay without granting superuser permissions.

So you can do this now by defining a security definer function that
extracts precisely the information you need and grant execute access
to precisely the users you want. There was some concern upthread about
defining security definer functions being tricky but I'm not sure what
conclusion to draw from that argument.

Even if we had column level privileges this would still be necessary
in many cases and might be preferable to keep things consistent. For
example, you might not want the monitor account to have access to
sql_query but be able to check for backends running specific queries
(perhaps vacuum or ddl or a known problematic query).


-- 
greg
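
The security definer approach described in the message above, as an added example that is not part of the original email or of PostgreSQL itself. The role, schema and function names are hypothetical, and the column and function names assume PostgreSQL 10 or later (older releases use `*_location` columns and `pg_xlog_location_diff`).

```sql
-- Added example. Run as a superuser: the function executes with its
-- owner's privileges, so the owner must be able to read the WAL columns.
BEGIN;

CREATE ROLE monitor LOGIN;                 -- hypothetical unprivileged account
CREATE SCHEMA IF NOT EXISTS monitoring;    -- hypothetical schema

CREATE FUNCTION monitoring.replication_lag()
RETURNS TABLE (pid integer, state text, replay_lag_bytes numeric)
LANGUAGE sql
STABLE
SECURITY DEFINER
-- Pin search_path so the caller cannot make the function resolve
-- names to objects in a schema the caller controls.
SET search_path = pg_catalog, pg_temp
AS $$
    -- Expose only what the monitor needs: no client address,
    -- user name or application_name.
    SELECT r.pid,
           r.state,
           pg_catalog.pg_wal_lsn_diff(r.sent_lsn, r.replay_lsn)
    FROM pg_catalog.pg_stat_replication AS r
$$;

-- New functions are executable by PUBLIC by default. Revoking in the same
-- transaction as the CREATE leaves no window in which anyone can call it.
REVOKE ALL ON FUNCTION monitoring.replication_lag() FROM PUBLIC;
GRANT USAGE ON SCHEMA monitoring TO monitor;
GRANT EXECUTE ON FUNCTION monitoring.replication_lag() TO monitor;

COMMIT;

-- Connected as "monitor":
--   SELECT * FROM monitoring.replication_lag();
```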


