On Sat, May 21, 2022 at 11:57:43AM -0700, Nathan Bossart wrote:
> Sorry, I should've noticed this yesterday. This should probably follow
> 6198420's example and say "roles with privileges of the pg_read_all_stats
> role" instead of "members of the pg_read_all_stats role."
Yes, I saw that, but that sounds pretty much the same to me, while we
mention membership of a role in other places. I don't mind tweaking
that more, FWIW, while we are on it.
> Also, I think we
> should mention that this information is visible to roles with privileges of
> the session user being reported on, too. Patch attached.
default. Note that even when enabled, this information is only
- visible to superusers, members of the
- <literal>pg_read_all_stats</literal> role and the user owning the
- session being reported on, so it should not represent a security risk.
- Only superusers and users with the appropriate <literal>SET</literal>
- privilege can change this setting.
+ visible to superusers, roles with privileges of the
+ <literal>pg_read_all_stats</literal> role, and roles with privileges of
+ the user owning the session being reported on, so it should not
+ represent a security risk. Only superusers and users with the
+ appropriate <literal>SET</literal> privilege can change this setting.
Regarding the fact that a user can see its own information, the last
part of the description would be right, still a bit confusing perhaps
when it comes to one's own information?
--
Michael