On Mon, May 23, 2022 at 08:53:24AM +0900, Michael Paquier wrote:
> On Sun, May 22, 2022 at 01:26:08PM -0700, Nathan Bossart wrote:
>> ... superusers, roles with privileges of the pg_read_all_stats role,
>> and roles with privileges of the user owning the session being reported
>> on (including the session owner).
>
> Yeah, that sounds better to me. monitoring.sgml has a different way
> of wording what looks like the same thing for pg_stat_xact_*_tables:
> "Ordinary users can only see all the information about their own
> sessions (sessions belonging to a role that they are a member of)".
>
> So you could say instead something like: this information is only
> visible to superusers, roles with privileges of the pg_read_all_stats
> role, and the user owning the sessionS being reported on (including
> sessions belonging to a role that they are a member of).
I think we need to be careful about saying "member of" when we really mean
"roles with privileges of." Unless I am mistaken, role membership alone is
not sufficient for viewing this information. You also need to inherit the
role's privileges via INHERIT.
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com