Re: restrict pg_stat_ssl to superuser?

2019-02-21 Thread Peter Eisentraut
On 2019-02-21 09:11, Michael Paquier wrote:
> On Wed, Feb 20, 2019 at 11:51:08AM +0100, Peter Eisentraut wrote:
>> So here is a patch doing it the "normal" way of nulling out all the rows
>> the user shouldn't see.
>
> That looks fine to me.

Committed, thanks.

>> I haven't found any

Re: restrict pg_stat_ssl to superuser?

2019-02-21 Thread Michael Paquier
On Wed, Feb 20, 2019 at 11:51:08AM +0100, Peter Eisentraut wrote:
> So here is a patch doing it the "normal" way of nulling out all the rows
> the user shouldn't see.

That looks fine to me.

> I haven't found any documentation of these access restrictions in the
> context of pg_stat_activity. Is

Re: restrict pg_stat_ssl to superuser?

2019-02-20 Thread Peter Eisentraut
On 2019-02-19 16:57, Peter Eisentraut wrote:
> On 2019-02-18 04:58, Michael Paquier wrote:
>> On Fri, Feb 15, 2019 at 02:04:59PM +0100, Peter Eisentraut wrote:
>>> We could remove default privileges from pg_stat_get_activity(). Would
>>> that be a problem?
>>
>> I don't think so, still I am

Re: restrict pg_stat_ssl to superuser?

2019-02-19 Thread Robert Haas
On Thu, Feb 7, 2019 at 3:30 AM Peter Eisentraut wrote:
> As discussed in [0], should we restrict access to pg_stat_ssl to
> superusers (and an appropriate pg_ role)?
>
> If so, is there anything in that view that should be made available to
> non-superusers? If not, then we could perhaps do this

Re: restrict pg_stat_ssl to superuser?

2019-02-19 Thread Peter Eisentraut
On 2019-02-18 04:58, Michael Paquier wrote:
> On Fri, Feb 15, 2019 at 02:04:59PM +0100, Peter Eisentraut wrote:
>> We could remove default privileges from pg_stat_get_activity(). Would
>> that be a problem?
>
> I don't think so, still I am wondering about the impact that this
> could have for

Re: restrict pg_stat_ssl to superuser?

2019-02-17 Thread Michael Paquier
On Fri, Feb 15, 2019 at 02:04:59PM +0100, Peter Eisentraut wrote:
> We could remove default privileges from pg_stat_get_activity(). Would
> that be a problem?

I don't think so, still I am wondering about the impact that this could have for monitoring tools calling it directly as we document it..

Re: restrict pg_stat_ssl to superuser?

2019-02-15 Thread Peter Eisentraut
On 2019-02-12 07:40, Michael Paquier wrote:
> On Thu, Feb 07, 2019 at 09:30:38AM +0100, Peter Eisentraut wrote:
>> If so, is there anything in that view that should be made available to
>> non-superusers? If not, then we could perhaps do this via a simple
>> permission change instead of going the

Re: restrict pg_stat_ssl to superuser?

2019-02-11 Thread Michael Paquier
On Thu, Feb 07, 2019 at 09:30:38AM +0100, Peter Eisentraut wrote:
> If so, is there anything in that view that should be made available to
> non-superusers? If not, then we could perhaps do this via a simple
> permission change instead of going the route of blanking out individual
> columns.

Hm.