Hi,
On 6/23/22 10:06 AM, Drouvot, Bertrand wrote:
> Hi,
>
> On 6/22/22 5:35 PM, Jacob Champion wrote:
>> On Wed, Jun 22, 2022 at 8:10 AM Joe Conway <mail@joeconway.com> wrote:
>>> On the contrary, I would argue that not having the identifier for the
>>> external "user" available is a security concern. Ideally you want to be
>>> able to trace actions inside Postgres to the actual user that
>>> invoked them.
>> If auditing is also the use case for SYSTEM_USER, you'll probably want
>> to review the arguments for making it available to parallel workers
>> that were made in the other thread [1].
>
> Thanks Jacob for your feedback.
>
> I did some testing initially around the parallel workers and did not
> see any issues at that time.
>
> I just had another look and I agree that the parallel workers case
> needs to be addressed.
>
> I'll have a closer look to what you have done in [1].
>
> Thanks
>
> Bertrand
>
Please find attached patch version 2.
It does contain:
- Tom's idea implementation (aka presenting the system_user as
auth_method:authn_id)
- A fix for the parallel workers issue mentioned by Jacob. The patch now
propagates the SYSTEM_USER to the parallel workers.
- Doc updates
- Tap tests (some of them are coming from [1])
Looking forward to your feedback,
Thanks
Bertrand
[1]
https://www.postgresql.org/message-id/flat/793d990837ae5c06a558d58d62de9378ab525d83.camel%40vmware.com
