Home > mailing lists

Re: Proposal: Save user's original authenticated identity for logging - Mailing list pgsql-hackers

From	Jacob Champion
Subject	Re: Proposal: Save user's original authenticated identity for logging
Date	January 30, 2021 03:10:59
Msg-id	c6474caf44f21188651a21f23045128816731e30.camel@vmware.com Whole thread Raw
In response to	Re: Proposal: Save user's original authenticated identity for logging (Tom Lane <tgl@sss.pgh.pa.us>)
List	pgsql-hackers

Tree view

On Fri, 2021-01-29 at 18:40 -0500, Tom Lane wrote:
> Ah.  So basically, this comes into play when you consider that some
> outside-the-database entity is your "real" authenticated identity.
> That seems reasonable when using Kerberos or the like, though it's
> not real meaningful for traditional password-type authentication.

Right.

> So, if we store this "real" identity, is there any security issue
> involved in exposing it to other users (via pg_stat_activity or
> whatever)?

I think that could be a concern for some, yeah. Besides being able to
get information on other logged-in users, the ability to connect an
authenticated identity to a username also gives you some insight into
the pg_hba configuration.

--Jacob

pgsql-hackers by date:

From: Tom Lane
Date: 30 January 2021, 03:01:02
Subject: Re: Should we make Bitmapsets a kind of Node?

From: Bharath Rupireddy
Date: 30 January 2021, 03:28:19
Subject: Re: [PATCH] postgres_fdw connection caching - cause remote sessions linger till the local session exit

Re: Proposal: Save user's original authenticated identity for logging - Mailing list pgsql-hackers

Previous

Next