Re: pgaudit - an auditing extension for PostgreSQL

Поиск
Список
Период
Сортировка
От Simon Riggs
Тема Re: pgaudit - an auditing extension for PostgreSQL
Дата
Msg-id CA+U5nMKUhWA0ovjAafxsqXAyC9E1u2oQPFrCY+ybnPtxsU31Kw@mail.gmail.com
обсуждение исходный текст
Ответ на Re: pgaudit - an auditing extension for PostgreSQL  (Stephen Frost <sfrost@snowman.net>)
Ответы Re: pgaudit - an auditing extension for PostgreSQL  (Robert Haas <robertmhaas@gmail.com>)
Re: pgaudit - an auditing extension for PostgreSQL  (Stephen Frost <sfrost@snowman.net>)
Список pgsql-hackers
Дерево обсуждения 
On 1 July 2014 18:32, Stephen Frost <sfrost@snowman.net> wrote:

> Having functions to control the auditing would work, but it's not
> exactly the ideal approach, imv, and

What aspect is less than ideal?

> the only reason it's being
> discussed here is because it might be a way to allow an extension to
> provide the auditing- not because it's actually a benefit to anyone.

That is a false statement, as well as being a personal one. It's sad
to hear personal comments in this.

It seems strange to be advocating new grammar at a time when we are
actively reducing the size of it (see recent commits and long running
hackers discussions). Functions don't carry the same overhead, in fact
they cost nothing if you're not using them, which is the most
important point.

The right to execute functions can be delegated easily to any group
that wants access. There is no special benefit to SQL grammar on that
point.


> However, if we have such functions in a contrib extension, I worry what
> the pg_upgrade path is from that extension to an in-core solution.

Functions are already used heavily for many aspects of PostgreSQL.
http://www.postgresql.org/docs/devel/static/functions-admin.html

Presumably you don't advocate an "in core" solution to replace
pg_cancel_backend() etc?

My proposed route for making this "in-core" is simply to accept that
the extension is "in core". Auditing should, in my view, always be
optional, since not everyone needs it. Cryptographic functions aren't
in-core either and I'm guessing various security conscious
organizations will use them and be happy. How does pgaudit differ from
pgcrypto?


Given the tone of this discussion, I don't see it going anywhere
further anytime soon - that is good since there is no big rush.
pgaudit is a sincere attempt to add audit functionality to Postgres.
If you or anyone else wants to make a similarly sincere attempt to add
audit functionality to Postgres, lets see the design and its
connection to requirements.

-- Simon Riggs                   http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training & Services

В списке pgsql-hackers по дате отправления:

Предыдущее
От: Abhijit Menon-Sen
Дата:
Сообщение: Re: 9.5 CF1
Следующее
От: Jeevan Chalke
Дата:
Сообщение: Re: Allowing NOT IN to use ANTI joins