Comments (5)
So this example is actually incorrect and I removed the relevant part when trying to anonymise the query. What actually happens is that when you do SELECT ... FOR UPDATE, the read gets logged even though there is no SELECT granted to the auditor.
For example like this (the GRANT and the SELECT below are adjusted so that the snippet actually matches the behaviour described above and the quoted output: SELECT is deliberately not granted, and the statement uses FOR UPDATE):

```sql
-- Create test5 and add permissions to the auditor role.
-- SELECT is intentionally NOT granted; only the write privileges are.
CREATE TABLE test5
(
    id int
);
GRANT insert, update, delete
ON TABLE public.test5
TO auditor;
--
-- Expected: not object logged, because SELECT is not granted to auditor.
-- Actual: SELECT ... FOR UPDATE is checked against the UPDATE privilege,
-- which IS granted, so pgAudit emits a READ object log entry for it.
SELECT id
FROM public.test5 FOR UPDATE;
-- A plain write, object logged as WRITE as expected.
INSERT INTO public.test5 (id)
VALUES (0);
```
Relevant output that should not be there:

```text
WARNING: AUDIT: OBJECT,5,1,READ,SELECT,TABLE,public.test5,"SELECT id
FROM public.test5 FOR UPDATE;",<not logged>
```
Would it be possible to handle this, or is this "working as advertised"?
from pgaudit.
Found the relevant part of the Postgres code:
https://doxygen.postgresql.org/parsenodes_8h_source.html#l00100

```c
/* Currently, SELECT ... FOR [KEY] UPDATE/SHARE requires UPDATE privileges */
#define ACL_SELECT_FOR_UPDATE ACL_UPDATE
```
from pgaudit.
Here's a proof of concept PR to check if it is possible #219
from pgaudit.
@v3rm0n given that SELECT ... FOR UPDATE is a write operation, requiring UPDATE privileges seems correct, although I'll admit it's a little strange on first reading. It also implies a later update, and I can't think of a use-case (at the Postgres level, not thinking of pgAudit) for SELECT ... FOR UPDATE for a user that doesn't have privileges to then perform the update it has locked for?
Based on this, I'd suggest this is probably working as intended. I'm not familiar with pgAudit, but perhaps audit logs could be filtered post-hoc before ingestion into other systems in order to reduce verbosity?
from pgaudit.
@danpalmer makes sense in general, but in my specific case we use AWS RDS, where you can't control the logging much: you either use CloudWatch or nothing, and by the time it arrives in CloudWatch the cost has already been incurred. For usability reasons we can filter it afterwards, but we can't reduce the cost anymore.
Another thought is that since there is a pgaudit.log parameter for session logs which controls the granularity of session logs, there can be a similar parameter for object logs where one could enable/disable logging in case of different types of row locks which translate to SELECT ... FOR UPDATE, SELECT ... FOR SHARE etc.
from pgaudit.
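The two ideas raised in the thread, filtering audit entries post-hoc and treating row-locking reads (FOR UPDATE, FOR SHARE and their KEY variants) as a class of their own, can be illustrated with a small parser. The block below is an added example written for this page; it is not pgAudit's code and not part of the issue. It assumes pgAudit's documented nine-column OBJECT log format (AUDIT_TYPE, STATEMENT_ID, SUBSTATEMENT_ID, CLASS, COMMAND, OBJECT_TYPE, OBJECT_NAME, STATEMENT, PARAMETER) with an empty log_line_prefix, so that every record starts with the log level followed by "AUDIT: ". The sample log is constructed from the entry quoted above plus three more entries; `parse_audit_log`, `filter_entries` and `AuditEntry` are names chosen here.

```python
"""Parse pgAudit OBJECT log records and separate READ entries that stem from
SELECT ... FOR UPDATE/SHARE from everything else.

Added example for this thread, not pgAudit code.  Assumes the nine-column
OBJECT format and an empty log_line_prefix (each record starts with
"<LEVEL>: AUDIT: ").
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample log: the entry quoted in the thread (statement_id 5),
# a plain SELECT, an INSERT and a FOR SHARE read.  The quoted STATEMENT
# field may span several lines, exactly as in the quoted output.
SAMPLE_LOG = (
    'WARNING: AUDIT: OBJECT,5,1,READ,SELECT,TABLE,public.test5,"SELECT id\n'
    'FROM public.test5 FOR UPDATE;",<not logged>\n'
    'WARNING: AUDIT: OBJECT,6,1,READ,SELECT,TABLE,public.test5,'
    '"SELECT id FROM public.test5;",<not logged>\n'
    'WARNING: AUDIT: OBJECT,7,1,WRITE,INSERT,TABLE,public.test5,'
    '"INSERT INTO public.test5 (id) VALUES (0);",<not logged>\n'
    'WARNING: AUDIT: OBJECT,8,1,READ,SELECT,TABLE,public.test5,'
    '"SELECT id FROM public.test5 FOR SHARE;",<not logged>\n'
)

# A new record begins wherever a line starts with "<LEVEL>: AUDIT: ".
# Continuation lines of a multi-line statement never look like that.
RECORD_START = re.compile(r"(?m)^[A-Z]+:\s+AUDIT:\s+")

# Row-locking clauses: FOR UPDATE, FOR NO KEY UPDATE, FOR SHARE, FOR KEY SHARE.
LOCKING_CLAUSE = re.compile(
    r"\bFOR\s+(?:NO\s+KEY\s+)?UPDATE\b|\bFOR\s+(?:KEY\s+)?SHARE\b",
    re.IGNORECASE,
)


@dataclass
class AuditEntry:
    audit_type: str       # SESSION or OBJECT
    statement_id: int
    substatement_id: int
    class_: str           # READ, WRITE, DDL, ...
    command: str          # SELECT, INSERT, ...
    object_type: str
    object_name: str
    statement: str
    parameter: str

    def is_locking_read(self) -> bool:
        """The entries the thread would like to suppress: a READ whose text
        carries a row-locking clause.  The check is textual, so a string
        literal containing "FOR UPDATE" also matches; fine for trimming
        log volume, not something to base an access decision on."""
        return self.class_ == "READ" and LOCKING_CLAUSE.search(self.statement) is not None


def parse_audit_log(text: str) -> list[AuditEntry]:
    """Split the raw log into records and parse each with the csv module,
    which handles the quoted, possibly multi-line STATEMENT field."""
    entries: list[AuditEntry] = []
    starts = list(RECORD_START.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        body = text[m.end():end]
        rows = [r for r in csv.reader(io.StringIO(body)) if r]
        if not rows or len(rows[0]) < 9:
            continue  # truncated or foreign line: skip rather than guess
        f = rows[0]
        entries.append(AuditEntry(f[0], int(f[1]), int(f[2]), f[3], f[4],
                                  f[5], f[6], f[7], f[8]))
    return entries


def filter_entries(text: str, drop_locking_reads: bool = True):
    """Return (kept, dropped).  Only READ entries with a locking clause are
    dropped; the WRITE that usually follows a FOR UPDATE stays in the log."""
    kept: list[AuditEntry] = []
    dropped: list[AuditEntry] = []
    for e in parse_audit_log(text):
        (dropped if drop_locking_reads and e.is_locking_read() else kept).append(e)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_entries(SAMPLE_LOG)
    for e in dropped:
        print("dropped:", e.statement_id, e.statement.replace("\n", " "))
    for e in kept:
        print("kept:   ", e.statement_id, e.class_, e.command, e.object_name)
```

Two things worth noting about the design. The filter keeps every WRITE entry untouched, so the UPDATE that the FOR UPDATE announced is still audited; only the redundant READ is dropped. And because the parser runs over the raw text, it has to be placed before the point where cost is incurred (a log-shipping agent or a pre-processing step, not the CloudWatch side), which is exactly the constraint @v3rm0n describes for RDS.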