On 05/10/2017 03:56 AM, Craig Ringer wrote:
> On 10 May 2017 10:44 am, "Chapman Flack" <c...@anastigmatix.net> wrote:
>> On 05/09/17 18:48, Mark Dilger wrote:
>>> SET SESSION ON BEHALF OF 'joe user'
> No need to do anything they custom and specific. No need for new syntax
> SET myapp.appuser = 'joe'
We seem to be agreed here ... I was claiming that Mark's new syntax
and simply setting a custom variable are different ways of "spelling"
the same idea, but the custom variable approach is less invasive and
can probably be done all within an extension.
>> The other bit of my proposal was to prevent Mallory from spoofing
>> his appident info by managing to inject some SQL through your app
> If your attacker gets that far you're kind of screwed anyway.
Sure, but part of defense-in-depth still applies then, either to
collect more info on who's screwing you or to throw tables and chairs
to make them climb over.
> But that's where something like 'secure variables' or package variables
> come in. See the mailing list discussion on that topic a couple of months
My hasty search for a mailing list discussion didn't find one (got
a link?), but I did find a wiki page; is that what you have in mind?
>> That's where it might be handy to have a
>> way to associate the info with the current thread or current request
>> in a way that doesn't need any support in third party layers in the middle,
>> but can be retrieved by the driver (or a thin wrapper around it, down
>> at the bottom of the stack) and turned into the proper SET commands.
> I don't see how postgres can do anything about this. PgJDBC maybe. ...
We're agreed here too; that's why I described it as a separable,
future-work idea. I was just sketching how it might be possible in
the client-side stack to build on whatever basic function (secure
variables or a GUCs-with-cookie extension) postgres could provide.
Any uptake of that idea would have to happen in PgJDBC *and* in
psycopg2 *and* in DBD::Pg *and* in you-name-it for programming
languages/environments x, y, and z. So it's clearly science fiction.
(Actually, a more practical way to do it might be to write thin
wrappers that implement the DB driver API in each language, that
could be used *in place of* PgJDBC or psycopg2 or DBD::Pg and just
delegate everything to the real driver, except the 'connect'
operation would delegate to the real driver but then issue one
query for the cookie, and there'd be some additional non-standard
API for higher layers to call and set values, to be passed along
via SET commands and the cookie ahead of later queries.)
The design for any such thing would want to be idiomatic and
sensitive to the typical usages in each language or software
stack, so I don't remotely propose to do or even design any
for now. Just wanted to put rough ideas into the collective
consciousness to soak for a while.
> The main part I would like is a generic mech[an]ism to inject the value of a
> GUC into the logs.
> For csvlog, it'd be a list of GUC names, each a to be emitted as a
> separate field if set, or empty field if unset.
> For normal log, it'd be available in log_line_prefix as something like
> %(myapp.user)g ....
> I can see this being plenty useful for all sorts of work, and nicely
Thank you for bringing that back in, since logging was my motive when
I started this thread, and then my last message was all about other
Yes, I think I'd like to see logging extended in exactly those ways
(modulo whatever exact spelling ends up preferred for %(gucname)g).
Looked at that way, that's a logging extension of general utility
so it's also separable from the 'variables to store on-behalf-of
identities' extension proposed here.
... with the caveat that if the variables-to-store-identities idea
were to end up going a different direction than an-extension-with-GUCs
(secure variables or whatever), then I'd want the logging extension
to also provide an escape syntax for logging whatever those are.
Sent via pgsql-hackers mailing list (email@example.com)
To make changes to your subscription: