Thread: Proposal: Allow user with pg_monitor role to call pg_stat_reset* functions
Proposal: Allow user with pg_monitor role to call pg_stat_reset* functions
From
sirisha chamarthi
Date:
Hi Hackers,
At present, calling pg_stat_reset* functions requires super user access unless explicitly grant execute permission on those. In this thread, I am proposing to grant execute on them to users with pg_monitor role permissions. This comes handy to the monitoring users (part of pg_monitor role) to capture the stats fresh and analyze. Do you see any concerns with this approach?
Thanks,
Sirisha
Re: Proposal: Allow user with pg_monitor role to call pg_stat_reset* functions
From
Andres Freund
Date:
Hi, On 2022-11-21 00:16:20 -0800, sirisha chamarthi wrote: > At present, calling pg_stat_reset* functions requires super user access > unless explicitly grant execute permission on those. In this thread, I am > proposing to grant execute on them to users with pg_monitor role > permissions. This comes handy to the monitoring users (part of pg_monitor > role) to capture the stats fresh and analyze. Do you see any concerns with > this approach? I think the common assumption is that a monitoring role cannot modify the system, but this would change that. Normally a monitoring tool should be able to figure out what changed in stats by comparing values across time, rather than resetting stats. Greetings, Andres Freund
Re: Proposal: Allow user with pg_monitor role to call pg_stat_reset* functions
From
Robert Haas
Date:
On Mon, Nov 21, 2022 at 3:45 PM Andres Freund <andres@anarazel.de> wrote: > On 2022-11-21 00:16:20 -0800, sirisha chamarthi wrote: > > At present, calling pg_stat_reset* functions requires super user access > > unless explicitly grant execute permission on those. In this thread, I am > > proposing to grant execute on them to users with pg_monitor role > > permissions. This comes handy to the monitoring users (part of pg_monitor > > role) to capture the stats fresh and analyze. Do you see any concerns with > > this approach? > > I think the common assumption is that a monitoring role cannot modify > the system, but this would change that. Normally a monitoring tool > should be able to figure out what changed in stats by comparing values > across time, rather than resetting stats. +1. -- Robert Haas EDB: http://www.enterprisedb.com
Re: Proposal: Allow user with pg_monitor role to call pg_stat_reset* functions
From
Julien Rouhaud
Date:
On Mon, Nov 21, 2022 at 03:47:38PM -0500, Robert Haas wrote: > On Mon, Nov 21, 2022 at 3:45 PM Andres Freund <andres@anarazel.de> wrote: > > On 2022-11-21 00:16:20 -0800, sirisha chamarthi wrote: > > > At present, calling pg_stat_reset* functions requires super user access > > > unless explicitly grant execute permission on those. In this thread, I am > > > proposing to grant execute on them to users with pg_monitor role > > > permissions. This comes handy to the monitoring users (part of pg_monitor > > > role) to capture the stats fresh and analyze. Do you see any concerns with > > > this approach? > > > > I think the common assumption is that a monitoring role cannot modify > > the system, but this would change that. Normally a monitoring tool > > should be able to figure out what changed in stats by comparing values > > across time, rather than resetting stats. > > +1. This can have negative impact for autovacuum, so +1 too.
Re: Proposal: Allow user with pg_monitor role to call pg_stat_reset* functions
From
Bharath Rupireddy
Date:
On Tue, Nov 22, 2022 at 2:15 AM Andres Freund <andres@anarazel.de> wrote:
>
> Hi,
>
> On 2022-11-21 00:16:20 -0800, sirisha chamarthi wrote:
> > At present, calling pg_stat_reset* functions requires super user access
> > unless explicitly grant execute permission on those. In this thread, I am
> > proposing to grant execute on them to users with pg_monitor role
> > permissions. This comes handy to the monitoring users (part of pg_monitor
> > role) to capture the stats fresh and analyze. Do you see any concerns with
> > this approach?
>
> I think the common assumption is that a monitoring role cannot modify
> the system, but this would change that. Normally a monitoring tool
> should be able to figure out what changed in stats by comparing values
> across time, rather than resetting stats.
+1.
A bit more info: AFAICS, there's no explicit if (!superuser()) {
error;} checks in any of pg_stat_reset* functions, which means, one
can still grant execute permissions on them to anyone (any predefined
roles, non-superusers or other superusers) via a superuser outside of
postgres, if that's the use case [1] [2]. That's the flexibility
postgres provides for some of the system functions but not all. Most
of the extension functions and some core functions pg_nextoid,
pg_stop_making_pinned_objects, pg_rotate_logfile,
pg_import_system_collations, pg_cancel_backend, pg_terminate_backend,
pg_read_file still have such explicit if (!superuser()) { error;}
checks. I'm not sure if it's the right time to remove such explicit
checks and move to explicit GRANT-REVOKE system.
FWIW, here's a recent commit f0b051e322d530a340e62f2ae16d99acdbcb3d05.
[1]
--
-- The default permissions for functions mean that anyone can execute them.
-- A number of functions shouldn't be executable by just anyone, but rather
-- than use explicit 'superuser()' checks in those functions, we use the GRANT
-- system to REVOKE access to those functions at initdb time. Administrators
-- can later change who can access these functions, or leave them as only
-- available to superuser / cluster owner, if they choose.
--
[2]
postgres=# create role foo with nosuperuser;
CREATE ROLE
postgres=# set role foo;
SET
postgres=> select pg_stat_reset();
ERROR: permission denied for function pg_stat_reset
postgres=> reset role;
RESET
postgres=# grant execute on function pg_stat_reset() to foo;
GRANT
postgres=# set role foo;
SET
postgres=> select pg_stat_reset();
pg_stat_reset
---------------
(1 row)
--
Bharath Rupireddy
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com