On Tue, Jan 20, 2015 at 1:05 AM, Abhijit Menon-Sen <ams@2ndquadrant.com> wrote:
> So when I'm trying to decide what to audit, I have to:
>
> (a) check if the current user is mentioned in .roles; if so, audit.
>
> (b) check if the current user is a descendant of one of the roles
> mentioned in .roles; if not, no audit.
>
> (c) check for permissions granted to the "root" role and see if that
> tells us to audit.
>
> Is that right? If so, it would work fine. I don't look forward to trying
> to explain it to people, but yes, it would work (for anything you could
> grant permissions for).
I think this points to fundamental weakness in the idea of doing this
through the GRANT system. Some people are going want to audit
everything a particular user does, some people are going to want to
audit all access to particular objects, and some people will have more
complicated requirements. Some people will want to audit even
super-users, others especially super-users, others only non
super-users. None of this necessarily matches up to the usual
permissions framework.
>> Have you considered splitting pgaudit.c into multiple files, perhaps
>> along the pre/post deparse lines?
>
> If such a split were done properly, then could the backwards-compatible
> version be more acceptable for inclusion in contrib in 9.5? If so, I'll
> look into it.
We're not going to include code in contrib that has leftovers in it
for compatibility with earlier source trees. That's been discussed on
this mailing list many times and the policy is clear.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company