Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rYTs9-00GD3L-Kz for pgsql-hackers@arkaria.postgresql.org; Fri, 09 Feb 2024 16:37:06 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1rYTs8-009ywf-5Y for pgsql-hackers@arkaria.postgresql.org; Fri, 09 Feb 2024 16:37:04 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rYTs7-009ywX-Sc for pgsql-hackers@lists.postgresql.org; Fri, 09 Feb 2024 16:37:03 +0000 Received: from mail-io1-xd33.google.com ([2607:f8b0:4864:20::d33]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1rYTs4-006KZV-Ii for pgsql-hackers@postgresql.org; Fri, 09 Feb 2024 16:37:03 +0000 Received: by mail-io1-xd33.google.com with SMTP id ca18e2360f4ac-7bffface817so48427839f.3 for ; Fri, 09 Feb 2024 08:37:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1707496618; x=1708101418; darn=postgresql.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=BlsL71QASywUpw7tXB/vMQ5PZm5+lT0UktsrgqzAaJs=; b=d84oj7WUQsCjikDNx2vrjo4mzXaNMY8hJvloHgKCcEMdKXhQNuUGVSYkJDOk77l2KK RDWX+bR+eipZVR3rbcaWclNGB/7d6ADwZmsSOZjEhjoBoobkGHT6XM+0YnlC1lQad90t K1A9BXxnyWML3sz2FXC5Ld35a81HJRe1/1u6M/ibnjry1iOpYDR1x7WXXkYiQN6/ZPav bZWqbc1okAfEZwytMvkR+YjdSCu3EUPccjLf2hZiITYKGqn0piJhYWVv4blIj0UfnWYm tWn/eKSNH+iRigOro84HWYJYXKjiCYN1NK18U/sejJiuI+MLjUFzMi4ibgY4fsTSjwmJ PsCg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707496618; x=1708101418; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=BlsL71QASywUpw7tXB/vMQ5PZm5+lT0UktsrgqzAaJs=; b=PcrfV2mAmEP7RNQo8lSZIgOn2RbauSXQi5rZgZI12FcHv5kO6a1yCcSVsbpP2UdAY+ 6pFuaEmTDminlN3rJxaabGFZtT5tBx7n4YeFqZE6Bm2MTIUK3UqkR5F8VMpMmBhOQzfm EtpQ2ITUg55efIzJGg14lcNVRLbvZOP0kReI5/ynhgrSvZCGTCdvdsyDtXanS3YAm6KT 4P0T4mrFBr+Kb8A+kXrimvahjTBldt2p+M/qr3+UVb2vMQF1almGBC0U/NVsv/5zNFSC KSl/WsAPDqUJzHvtGntASizIbNoRdJKzBy0YR3qm1GT3SO283bPr/WBJ5JxmW3xXHTkt QUjw== X-Gm-Message-State: AOJu0YygzNhGSs0ekx/39wMNoyy+h+yQgyM/+jmh6oLHoDDQ8xDRiJFL jpm0cFk6qm0PekJQuhswd6UNWrctLyjSOa7cfkYIA5TuY+LdtmsnDNlU4ars X-Google-Smtp-Source: AGHT+IFsMb+lkhbbQUH3dwvjc5APLY3iciSxHxKt9ck+j1GW+Jkvx0gYnPqz1j7n88SNoL/bgtzNCg== X-Received: by 2002:a05:6602:70e:b0:7c4:868:e04c with SMTP id f14-20020a056602070e00b007c40868e04cmr2480355iox.3.1707496618705; Fri, 09 Feb 2024 08:36:58 -0800 (PST) Received: from nathanxps13 (162-195-168-172.lightspeed.stlsmo.sbcglobal.net. [162.195.168.172]) by smtp.gmail.com with ESMTPSA id z9-20020a023449000000b00473535d00absm73501jaz.16.2024.02.09.08.36.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Feb 2024 08:36:58 -0800 (PST) Date: Fri, 9 Feb 2024 10:36:57 -0600 From: Nathan Bossart To: Pavlo Golub Cc: pgsql-hackers Subject: Re: [PATCH] allow pg_current_logfile() execution under pg_monitor role Message-ID: <20240209163657.GC663211@nathanxps13> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Fri, Feb 09, 2024 at 04:01:58PM +0100, Pavlo Golub wrote: > The patch attached fixes an oversight/inconsistency of disallowing the > pg_monitor system role to execute pg_current_logfile([text]). I think this is reasonable. We allow pg_monitor to execute functions like pg_ls_logdir(), so it doesn't seem like much of a stretch to expect it to have privileges for pg_current_logfile(), too. Are there any other functions that pg_monitor ought to have privileges for? -- Nathan Bossart Amazon Web Services: https://aws.amazon.com