* Abhijit Menon-Sen (a...@2ndquadrant.com) wrote: > At 2015-01-20 21:47:02 -0500, sfr...@snowman.net wrote: > > Review the opening of this email though and consider that we could > > look at "what privileges has the audit role granted to the current > > role?" as defining what is to be audited. > > Right, I understand now how that would work. I'll try to find time to > (a) implement this, (b) remove the backwards-compatibility code, and > (c) split up the USE_DEPARSE_FUNCTIONS stuff.
Great! Thanks!
> > > For example, what if I want to see all the tables created and
> > > dropped by a particular user?
> >
> > I hadn't been intending to address that with this scheme, but I think
> > we have that by looking for privilege grants where the audit role is
> > the grantee and the role-to-be-audited the grantor.
>
> For CREATE, yes, with a bit of extra ACL-checking code in the utility
> hook; but I don't think we'll get very far without the ability to log
> ALTER/DROP too. :-) So there has to be some alternative mechanism for
> that, and I'm hoping Robert (or anyone!) has something in mind.
ALTER/DROP can be logged based on the USAGE privilege for the schema.
We can't differentiate those cases but we can at least handle them as a
group.
Thanks!
Stephen
signature.asc
Description: Digital signature
