The just-committed patch for tracking function call stats allows anyone
connected to a given database to see all function-call stats that have
been collected within that database. I am wondering whether we need to
clamp down on that at all.
Knowing the runtime of a function is sometimes considered a possible
security risk --- for instance, it might tell you something about the
data operated on by a cryptographic function, or it might tell you
whether a password was good (and allowed the function to proceed with
some operation). So I thought about suggesting that we only allow
people to see the stats for functions that they have the right to
call. If they have that right, they can just call it and measure
the runtime for themselves, so this seems an adequate permission
check.
On the other hand, if you don't have permission to call the function,
then what you are seeing in the stats view is aggregate stats about
calls made by other people, with arguments that you don't know.
The traditional security risks seem pretty weak in that context.
So maybe we don't need to do anything.
Thoughts?
regards, tom lane