mirror of https://github.com/postgres/postgres.git synced 2025-07-28 23:42:10 +03:00

Default monitoring roles

Three nologin roles with non-overlapping privs are created by default
* pg_read_all_settings - read all GUCs.
* pg_read_all_stats - pg_stat_*, pg_database_size(), pg_tablespace_size()
* pg_stat_scan_tables - may lock/scan tables

Top level role - pg_monitor includes all of the above by default, plus others

Author: Dave Page
Reviewed-by: Stephen Frost, Robert Haas, Peter Eisentraut, Simon Riggs
Simon Riggs
2017-03-30 14:18:53 -04:00
parent e984ef5861
commit 25fff40798
30 changed files with 196 additions and 55 deletions


@ -10221,15 +10221,17 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
<entry><type>text</type></entry>
<entry>Configuration file the current value was set in (null for
values set from sources other than configuration files, or when
examined by a non-superuser);
helpful when using <literal>include</> directives in configuration files</entry>
examined by a user who is neither a superuser or a member of
<literal>pg_read_all_settings</literal>); helpful when using
<literal>include</> directives in configuration files</entry>
</row>
<row>
<entry><structfield>sourceline</structfield></entry>
<entry><type>integer</type></entry>
<entry>Line number within the configuration file the current value was
set at (null for values set from sources other than configuration files,
or when examined by a non-superuser)
or when examined by a user who is neither a superuser or a member of
<literal>pg_read_all_settings</literal>).
</entry>
</row>
<row>
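Review bot: both the sourcefile and sourceline entries now read "neither a superuser or a member of pg_read_all_settings"; the correlative is "neither ... nor", so this should be "neither a superuser nor a member". The sourcefile entry also mixes the full closing tag on pg_read_all_settings with the abbreviated "</>" form on include in the same sentence; pick one form for the new text.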


@ -19408,9 +19408,11 @@ postgres=# SELECT * FROM pg_walfile_name_offset(pg_stop_backup());
accept the OID or name of a database or tablespace, and return the total
disk space used therein. To use <function>pg_database_size</function>,
you must have <literal>CONNECT</> permission on the specified database
(which is granted by default). To use <function>pg_tablespace_size</>,
you must have <literal>CREATE</> permission on the specified tablespace,
unless it is the default tablespace for the current database.
(which is granted by default), or be a member of the <literal>pg_read_all_stats</>
role. To use <function>pg_tablespace_size</>, you must have
<literal>CREATE</> permission on the specified tablespace, or be a member
of the <literal>pg_read_all_stats</> role unless it is the default tablespace for
the current database.
</para>
<para>
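Review bot: in the pg_tablespace_size sentence, the trailing "unless it is the default tablespace for the current database" now attaches to the role-membership clause, so it reads as if membership in pg_read_all_stats only counts for non-default tablespaces. Put the exception first, for example: "To use pg_tablespace_size on a tablespace other than the default tablespace for the current database, you must have CREATE permission on it or be a member of the pg_read_all_stats role."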
@ -19736,7 +19738,8 @@ postgres=# SELECT * FROM pg_walfile_name_offset(pg_stop_backup());
<entry><type>setof record</type></entry>
<entry>
List the name, size, and last modification time of files in the log
directory. Access may be granted to non-superuser roles.
directory. Access is granted to members of the <literal>pg_monitor</>
role and may be granted to other non-superuser roles.
</entry>
</row>
<row>
@ -19746,7 +19749,8 @@ postgres=# SELECT * FROM pg_walfile_name_offset(pg_stop_backup());
<entry><type>setof record</type></entry>
<entry>
List the name, size, and last modification time of files in the WAL
directory. Access may be granted to non-superuser roles.
directory. Access is granted to members of the <literal>pg_monitor</>
role and may be granted to other non-superuser roles.
</entry>
</row>
<row>
@ -19807,8 +19811,8 @@ postgres=# SELECT * FROM pg_walfile_name_offset(pg_stop_backup());
<para>
<function>pg_ls_logdir</> returns the name, size, and last modified time
(mtime) of each file in the log directory. By default, only superusers
can use this function, but access may be granted to others using
<command>GRANT</command>.
and members of the <literal>pg_monitor</> role can use this function.
Access may be granted to others using <command>GRANT</command>.
</para>
<indexterm>
@ -19817,8 +19821,9 @@ postgres=# SELECT * FROM pg_walfile_name_offset(pg_stop_backup());
<para>
<function>pg_ls_waldir</> returns the name, size, and last modified time
(mtime) of each file in the write ahead log (WAL) directory. By
default only superusers can use this function, but access may be granted
to others using <command>GRANT</command>.
default only superusers and members of the <literal>pg_monitor</> role
can use this function. Access may be granted to others using
<command>GRANT</command>.
</para>
<indexterm>


@ -24,8 +24,9 @@
</para>
<para>
By default public access is revoked from both of these, just in case there
are security issues lurking.
By default use is restricted to superusers and members of the
<literal>pg_read_all_stats</literal> role. Access may be granted to others
using <command>GRANT</command>.
</para>
<sect2>
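Review bot: the replacement sentence dropped the object of the old one ("public access is revoked from both of these"), so "By default use is restricted to superusers and members of ..." no longer says what is restricted. Name the objects, e.g. "By default, use of both of these is restricted to ...". The paragraph changed in the next file has the same gap, where "from the functions" was dropped the same way.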


@ -16,8 +16,9 @@
</para>
<para>
By default public access is revoked from the functions, just in case
there are security issues lurking.
By default use is restricted to superusers and members of the
<literal>pg_stat_scan_tables</literal> role. Access may be granted to others
using <command>GRANT</command>.
</para>
<sect2>


@ -12,6 +12,13 @@
locking information for a specified table.
</para>
<para>
By default use is restricted to superusers, members of the
<literal>pg_stat_scan_tables</literal> role, and users with
<literal>SELECT</literal> permissions on the table.
</para>
<sect2>
<title>Overview</title>


@ -226,10 +226,11 @@
</table>
<para>
For security reasons, non-superusers are not allowed to see the SQL
text or <structfield>queryid</structfield> of queries executed by other users.
They can see the statistics, however, if the view has been installed in their
database.
For security reasons, only superusers and members of the
<literal>pg_read_all_stats<literal> role are allowed to see the SQL text and
<structfield>queryid</structfield> of queries executed by other users.
Other users can see the statistics, however, if the view has been installed
in their database.
</para>
<para>
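Review bot: the added line "<literal>pg_read_all_stats<literal> role are allowed to see the SQL text and" ends the element with a second opening tag, leaving the literal unterminated; it needs "</literal>" (or "</>") after the role name. Separately, the old text said "SQL text or queryid" and the new text says "SQL text and queryid"; confirm both fields are hidden together from other users so the conjunction is accurate.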


@ -16,7 +16,8 @@
As these functions return detailed page-level information, only the superuser
has EXECUTE privileges on them upon installation. After the functions have
been installed, users may issue <command>GRANT</command> commands to change
the privileges on the functions to allow non-superusers to execute them. See
the privileges on the functions to allow non-superusers to execute them. Members
of the <literal>pg_stat_scan_tables</literal> role are granted access by default. See
the description of the <xref linkend="sql-grant"> command for specifics.
</para>


@ -140,7 +140,10 @@
</variablelist>
<para>
By default, these functions are executable only by superusers.
By default, these functions are executable only by superusers and members of the
<literal>pg_stat_scan_tables</literal> role, with the exception of
<function>pg_truncate_visibility_map(relation regclass)</function> which can only
be executed by superusers.
</para>
</sect2>
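Review bot: in the new sentence, "By default" governs the whole statement, yet the exception says pg_truncate_visibility_map "can only be executed by superusers", which reads as a hard restriction. State whether that function's restriction is also just the default EXECUTE grant or cannot be delegated, and add a comma before "which".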


@ -515,14 +515,50 @@ DROP ROLE doomed_role;
</row>
</thead>
<tbody>
<row>
<entry>pg_read_all_settings</entry>
<entry>Read all configuration variables, even those normally visible only to
superusers.</entry>
</row>
<row>
<entry>pg_read_all_stats</entry>
<entry>Read all pg_stat_* views and use various statistics related extensions,
even those normally visible only to superusers.</entry>
</row>
<row>
<entry>pg_stat_scan_tables</entry>
<entry>Execute monitoring functions that may take AccessShareLocks on tables,
potentially for a long time.</entry>
</row>
<row>
<entry>pg_signal_backend</entry>
<entry>Send signals to other backends (eg: cancel query, terminate).</entry>
</row>
<row>
<entry>pg_monitor</entry>
<entry>Read/execute various monitoring views and functions.
This role is a member of <literal>pg_read_all_settings</literal>,
<literal>pg_read_all_stats</literal> and
<literal>pg_stat_scan_tables</literal>.</entry>
</row>
</tbody>
</tgroup>
</table>
<para>
The <literal>pg_monitor</literal>, <literal>pg_read_all_settings</literal>,
<literal>pg_read_all_stats</literal> and <literal>pg_stat_scan_tables</literal>
roles are intended to allow administrators to easily configure a role for the
purpose of monitoring the database server. They grant a set of common privileges
allowing the role to read various useful configuration settings, statistics and
other system information normally restricted to superusers.
</para>
<para>
Care should be taken when granting these roles to ensure they are only used where
needed to perform the desired monitoring.
</para>
<para>
Administrators can grant access to these roles to users using the GRANT
command:
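Review bot: the pg_monitor row lists only its three member roles, but other hunks in this commit document access granted to pg_monitor directly (pg_ls_logdir, pg_ls_waldir), and the commit message says "plus others". The row or the paragraph below the table should say that pg_monitor carries privileges beyond the three memberships, or point to where they are listed. The "Care should be taken" paragraph would also be more useful if it named what is exposed, using facts already in this table: pg_stat_scan_tables functions may hold AccessShareLocks "potentially for a long time", and the read roles reveal information "normally visible only to superusers".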