Hello, I'm authenticating to postgres using GSSAPI and (for audit reasons) I need to be able to log the principle name that connects as well as the username it is mapped to. Is there any way I can get postgres to log this without cranking up the log level for everything? Thanks very much , Joshua Warburton
Joshua,
* Joshua Warburton (j.warburton@irax.com) wrote:
> I'm authenticating to postgres using GSSAPI and (for audit reasons)
> I need to be able to log the principle name that connects as well as
> the username it is mapped to. Is there any way I can get postgres to
> log this without cranking up the log level for everything?
Not easily, I don't think. The Kerberos logs should be able to tell you
every postgres/HOST@REALM ticket which is issued and while that's not
great it's at least something.
Another option is to just use the full princ *as* the PG username, which
works fine but can be a bit annoying when you're trying to GRANT
permissions, etc (I'd suggest using a lot of roles :).
Improving this has been one of those things that I've wanted to do for a
long time... Probably by just adding the "System Username" or similar
to the "connection authorized" log message. Would that work for your
need..?
Thanks,
Stephen
Сайт использует файлы cookie для корректной работы и повышения удобства. Нажимая кнопку «Принять» или продолжая пользоваться сайтом, вы соглашаетесь на их использование в соответствии с Политикой в отношении обработки cookie ООО «ППГ», в том числе на передачу данных из файлов cookie сторонним статистическим и рекламным службам. Вы можете управлять настройками cookie через параметры вашего браузера