José,
* José Arthur Benetasso Villanova (jose.arthur@gmail.com) wrote:
> Here in my work, we have about 100 PostgreSQL machines and about 20 users
> with superuser privileges.
Sounds pretty common. What kind of superuser rights are they using?
What is the minimum set of rights that are required for these users
(which may break out into different groups, naturally). We're looking
at ways to provide access for certain operations to non-superusers, to
reduce the number of superuser accounts required.
> This group of 20 people change constantly, so it's cumbersome create a role
> for each. Instead, we map all of then in pg_ident.conf.
Do these 20 individuals have 'regular' accounts also? Have you
considered granting them a superuser role which they could 'set role'
to when they need to perform a superuser operation?
> The problem is: with current postgres log, I just know that a postgres user
> connect, but I don't know which one is in case that more than one user is
> logged in the server.
Understood, that's unfortunate.
> This simple log line can create the relations needed for an audit.
>
> Feel free to comment and criticize.
What I think we really want here is logging of the general 'system
user' for all auth methods instead of only for the 'peer' method.
Knowing who connected via Kerberos is quite valuable also, for example.
My thinking would be to add 'system_user' to the Peer struct and then
log the system user in PerformAuthentication. Another thought might be
to replace peer_cn with 'peer_user' (it's the same thing for client cert
SSL connections, after all..) and then log it and also make it available
in pg_stat_activity.
These are a bit off-the-cuff comments, but hopefully make sense and
provide the right direction to be looking in. The other thing to
consider is how this information is reflected in the CSV log and/or
log_line_prefix..
Thanks!
Stephen