Обсуждение: [ADMIN] monitoring queries in pg_stat_activity
Hi all:
I have created a nosuperuser for monitoring, but I can't do a select on the pg_stat_activity table, I get the follow message:
select datid,xact_start,query from pg_catalog.pg_stat_activity;
-[ RECORD 1 ]----+------------------------
datid | 204816
xact_start |
query | <insufficient privilege>
I have assigned these grants to my user:
GRANT ALL ON SCHEMA pg_catalog to myuser;
GRANT SELECT ON ALL TABLES IN schema pg_catalog TO myuser;
The user not should be a superuser. does there are other way for solve it?
thanks to all
On Wed, Feb 1, 2017 at 12:51 PM, daniel aristizabal franco <danielaristi@gmail.com> wrote:
Hi all:I have created a nosuperuser for monitoring, but I can't do a select on the pg_stat_activity table, I get the follow message:select datid,xact_start,query from pg_catalog.pg_stat_activity;-[ RECORD 1 ]----+-------------------------------------------- datid | 204816xact_start |query | <insufficient privilege>I have assigned these grants to my user:GRANT ALL ON SCHEMA pg_catalog to myuser;GRANT SELECT ON ALL TABLES IN schema pg_catalog TO myuser;The user not should be a superuser. does there are other way for solve it?thanks to all
You can create a function, owned by a superuser, with the SECURITY DEFINER flag set. Then give your non-superuser role permissions to execute it. SECURITY DEFINER tells postgres to run the given function as the owner, not the user calling it, so have to be careful with what those functions do. In this case, you can just have the function SELECT * FROM pg_stat_activity and return those results.
By default pg_stat_activity only shows running queries that the current user is running and has access to.
CREATE FUNCTION pg_stat_activity() RETURNS SETOF pg_catalog.pg_stat_activity
AS $$
BEGIN
RETURN query(select * from pg_catalog.pg_stat_activity);
END
$$ LANGUAGE PLPGSQL SECURITY DEFINER;
REVOKE ALL ON FUNCTION pg_stat_activity() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION pg_stat_activity() TO myuser;
CREATE FUNCTION pg_stat_activity() RETURNS SETOF pg_catalog.pg_stat_activity
AS $$
BEGIN
RETURN query(select * from pg_catalog.pg_stat_activity);
END
$$ LANGUAGE PLPGSQL SECURITY DEFINER;
REVOKE ALL ON FUNCTION pg_stat_activity() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION pg_stat_activity() TO myuser;
On Wed, Feb 1, 2017 at 12:51 PM, daniel aristizabal franco <danielaristi@gmail.com> wrote:Hi all:I have created a nosuperuser for monitoring, but I can't do a select on the pg_stat_activity table, I get the follow message:select datid,xact_start,query from pg_catalog.pg_stat_activity;-[ RECORD 1 ]----+-------------------------------------------- datid | 204816xact_start |query | <insufficient privilege>You can create a function, owned by a superuser, with the SECURITY DEFINER flag set. Then give your non-superuser role permissions to execute it. SECURITY DEFINER tells postgres to run the given function as the owner, not the user calling it, so have to be careful with what those functions do. In this case, you can just have the function SELECT * FROM pg_stat_activity and return those results.By default pg_stat_activity only shows running queries that the current user is running and has access to.
I think that behavior is version dependent among the currently supported releases - so what is the version here?
I ask specifically because I thought that activity was shown for all sessions but details were based on permissions. The single result shown would have to be the executing user's session which they should also have permission to view (in recent releases). That presumes that RECORD 2 and so on weren't simply omitted.
CREATE FUNCTION pg_stat_activity() RETURNS SETOF pg_catalog.pg_stat_activity
AS $$
BEGIN
RETURN query(select * from pg_catalog.pg_stat_activity);
END
$$ LANGUAGE PLPGSQL SECURITY DEFINER;
REVOKE ALL ON FUNCTION pg_stat_activity() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION pg_stat_activity() TO myuser;
Yes, this the work-around.
David J.