* Jim Nasby (jim.na...@bluetreble.com) wrote: > On 1/23/15 12:16 PM, Stephen Frost wrote: > >Just to clarify- this concept isn't actually mine but was suggested by a > >pretty sizable PG user who has a great deal of familiarity with other > >databases. I don't mean to try and invoke the 'silent majority' but > >rather to make sure folks don't think this is my idea alone or that it's > >only me who thinks it makes sense.:) Simon had weighed in earlier > >with, iirc, a comment that he thought it was a good approach also, > >though that was a while ago and things have changed. > > I know there's definitely demand for auditing. I'd love to see us support it. > > >I happen to like the idea specifically because it would allow regular > >roles to change the auditing settings (no need to be a superuser or to > >be able to modify postgresql.conf/postgresql.auto.conf) > > Is there really a use case for non-superusers to be able to change auditing > config? That seems like a bad idea.
What's a bad idea is having every auditor on the system running around
as superuser..
> Also, was there a solution to how to configure auditing on specific objects
> with a role-based mechanism? I think we really do need something akin to
> role:action:object tuples, and I don't see how to do that with roles alone.
That is supported with the grant-based proposal.
> BTW, I'm starting to feel like this needs a wiki page to get the design
> pulled together.
I agree with that and was planning to offer help with the documentation
and building of such a wiki with examples, etc, once the implementation
was far enough along to demonstrate that the design will actually work..
Thanks!
Stephen
signature.asc
Description: Digital signature
