* Abhijit Menon-Sen (a...@2ndquadrant.com) wrote: > At 2015-01-20 21:47:02 -0500, sfr...@snowman.net wrote: > > Review the opening of this email though and consider that we could > > look at "what privileges has the audit role granted to the current > > role?" as defining what is to be audited. > > Right, I understand now how that would work. I'll try to find time to > (a) implement this, (b) remove the backwards-compatibility code, and > (c) split up the USE_DEPARSE_FUNCTIONS stuff.
Great! Thanks! > > > For example, what if I want to see all the tables created and > > > dropped by a particular user? > > > > I hadn't been intending to address that with this scheme, but I think > > we have that by looking for privilege grants where the audit role is > > the grantee and the role-to-be-audited the grantor. > > For CREATE, yes, with a bit of extra ACL-checking code in the utility > hook; but I don't think we'll get very far without the ability to log > ALTER/DROP too. :-) So there has to be some alternative mechanism for > that, and I'm hoping Robert (or anyone!) has something in mind. ALTER/DROP can be logged based on the USAGE privilege for the schema. We can't differentiate those cases but we can at least handle them as a group. Thanks! Stephen
signature.asc
Description: Digital signature