Hi.
I could actually use some comments on the approach. I've attached
a prototype I've been working on (which is a cut down version of
my earlier code; but it's not terribly interesting and you don't
need to read it to comment on my questions below). The attached
patch does the following:
1. Adds a pgaudit.roles = 'role1, role2' GUC setting.
2. Adds a role_is_audited() function that returns true if the given
role OID is mentioned in (or inherits from a role mentioned in)
pgaudit.roles.
3. Adds a call to role_is_audited from log_audit_event with the current
user id (GetSessionUserId in the patch, though it may be better to
use GetUserId; but that's a minor detail).
Earlier, I was using a combination of check and assign hooks to convert
names to OIDs, but (as Andres pointed out) that would have problems with
cache invalidations. I was even playing with caching membership lookups,
but I ripped out all that code.
In the attached patch, role_is_audited does all the hard work to split
up the list of roles, look up the corresponding OIDs, and check if the
user is a member of any of those roles. It works fine, but it doesn't
seem desirable to repeat all that work for every statement.
So does anyone have suggestions about how to make this faster?
-- Abhijit