Re: Proposal: Save user's original authenticated identity for logging - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: Proposal: Save user's original authenticated identity for logging
Date
Msg-id c6474caf44f21188651a21f23045128816731e30.camel@vmware.com
Whole thread Raw
In response to Re: Proposal: Save user's original authenticated identity for logging  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Fri, 2021-01-29 at 18:40 -0500, Tom Lane wrote:
> Ah.  So basically, this comes into play when you consider that some
> outside-the-database entity is your "real" authenticated identity.
> That seems reasonable when using Kerberos or the like, though it's
> not real meaningful for traditional password-type authentication.

Right.

> So, if we store this "real" identity, is there any security issue
> involved in exposing it to other users (via pg_stat_activity or
> whatever)?

I think that could be a concern for some, yeah. Besides being able to
get information on other logged-in users, the ability to connect an
authenticated identity to a username also gives you some insight into
the pg_hba configuration.

--Jacob

pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: Should we make Bitmapsets a kind of Node?
Next
From: Bharath Rupireddy
Date:
Subject: Re: [PATCH] postgres_fdw connection caching - cause remote sessions linger till the local session exit