On 6/24/22 11:49 AM, Drouvot, Bertrand wrote:
> Hi,
>
> On 6/23/22 10:06 AM, Drouvot, Bertrand wrote:
>> Hi,
>>
>> On 6/22/22 5:35 PM, Jacob Champion wrote:
>>> On Wed, Jun 22, 2022 at 8:10 AM Joe Conway <mail@joeconway.com> wrote:
>>>> On the contrary, I would argue that not having the identifier for the
>>>> external "user" available is a security concern. Ideally you want
>>>> to be
>>>> able to trace actions inside Postgres to the actual user that
>>>> invoked them.
>>> If auditing is also the use case for SYSTEM_USER, you'll probably want
>>> to review the arguments for making it available to parallel workers
>>> that were made in the other thread [1].
>>
>> Thanks Jacob for your feedback.
>>
>> I did some testing initially around the parallel workers and did not
>> see any issues at that time.
>>
>> I just had another look and I agree that the parallel workers case
>> needs to be addressed.
>>
>> I'll have a closer look to what you have done in [1].
>>
>> Thanks
>>
>> Bertrand
>>
> Please find attached patch version 2.
>
> It does contain:
>
> - Tom's idea implementation (aka presenting the system_user as
> auth_method:authn_id)
>
> - A fix for the parallel workers issue mentioned by Jacob. The patch
> now propagates the SYSTEM_USER to the parallel workers.
>
> - Doc updates
>
> - Tap tests (some of them are coming from [1])
>
> Looking forward to your feedback,
>
> Thanks
>
> Bertrand
FWIW here is a link to the commitfest entry:
https://commitfest.postgresql.org/38/3703/
Bertrand
