Hides the password output in logs when pgaudit is enabled #3175

Merged: 1 commit, Oct 9, 2024

kviset (Contributor) commented Oct 2, 2024

Patroni logs superuser, replication and rewind passwords in the logs when the PostgreSQL extension pgaudit is enabled.

patroni.yaml:

bootstrap:
  dcs:
    postgresql:
      parameters:
        shared_preload_libraries: pgaudit
        log_destination: "stderr"
        logging_collector: 'off'
        pgaudit.log_catalog: 'off'
        pgaudit.log: "ROLE,FUNCTION,DDL"
        pgaudit.log_relation: 'on'
        pgaudit.log_parameter: 'on'
postgresql:
  authentication:
    replication:
      username: replicator
      password: password
    superuser:
      username: postgres
      password: password
    rewind:
      username: rewind
      password: password

Logs:

2024-10-02 08:17:40 UTC postgres@postgres 127.0.0.1(44328) [34]:LOG:  connection authorized: user=postgres database=postgres appli>
2024-10-02 08:17:40 UTC postgres@postgres 127.0.0.1(44328) [34]:LOG:  AUDIT: SESSION,1,1,FUNCTION,DO,,,"DO $$
        BEGIN
            SET local synchronous_commit = 'local';
            PERFORM * FROM pg_catalog.pg_authid WHERE rolname = 'postgres';
            IF FOUND THEN
                ALTER ROLE ""postgres"" WITH SUPERUSER LOGIN PASSWORD 'password';
            ELSE
                CREATE ROLE ""postgres"" WITH SUPERUSER LOGIN PASSWORD 'password';
            END IF;
        END;$$",<none>
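
A log check for the exposure reported above, as an added example that is not part of the pull request or of Patroni's code: it groups multi-line pgaudit records, flags CREATE/ALTER ROLE statements that carry a password literal, and returns a redacted copy of the log. The function names, the sample log and the timestamp-first prefix pattern are assumptions.

```python
import re

# Record start under the log_line_prefix in the PR's sample (timestamp first);
# other prefixes need a different pattern. All names here are hypothetical.
RECORD_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
# CREATE/ALTER ROLE|USER ... PASSWORD '<literal>'. pgaudit output is CSV, so
# identifier quotes arrive doubled; '' is an escaped quote inside the literal.
ROLE_PASSWORD = re.compile(
    r'\b(ALTER|CREATE)\s+(?:ROLE|USER)\s+"*([^"\s]+)"*'
    r"[^;]*?\bPASSWORD\s+'((?:[^']|'')*)'",
    re.IGNORECASE,
)

# Constructed sample modelled on the log format in the PR; not real data.
SAMPLE = '''\
2024-10-02 08:17:40 UTC postgres@postgres 127.0.0.1(44328) [34]:LOG:  connection authorized: user=postgres database=postgres
2024-10-02 08:17:40 UTC postgres@postgres 127.0.0.1(44328) [34]:LOG:  AUDIT: SESSION,1,1,FUNCTION,DO,,,"DO $$
                ALTER ROLE ""postgres"" WITH SUPERUSER LOGIN PASSWORD 'constructed-secret';
                CREATE ROLE ""postgres"" WITH SUPERUSER LOGIN PASSWORD 'constructed-secret';
        END;$$",<none>
2024-10-02 08:17:41 UTC postgres@postgres 127.0.0.1(44328) [34]:LOG:  AUDIT: SESSION,2,1,ROLE,ALTER ROLE,,,"ALTER ROLE rewind WITH LOGIN",<none>
'''

def split_records(text):
    """Group physical lines into logical records (the DO block spans lines)."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += "\n" + line
    return records

def _mask(m):
    # Keep the statement up to the opening quote, drop the literal itself.
    return m.group(0)[: m.start(3) - m.start(0)] + "<redacted>'"

def scan(text):
    """Return (findings, redacted_text); findings never contain the secret."""
    findings, out = [], []
    for rec in split_records(text):
        if "AUDIT:" in rec:
            ts = RECORD_START.match(rec)
            when = ts.group(1) if ts else ""
            for m in ROLE_PASSWORD.finditer(rec):
                findings.append((when, m.group(1).upper(), m.group(2)))
            rec = ROLE_PASSWORD.sub(_mask, rec)
        out.append(rec)
    return findings, "\n".join(out)
```

Any finding means the affected role's password should be treated as disclosed to everyone with read access to that log and rotated.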

@coveralls

Pull Request Test Coverage Report for Build 11141084501

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 2 of 2 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.001%) to 99.875%

Totals Coverage Status
Change from base Build 11068112303: 0.001%
Covered Lines: 14326
Relevant Lines: 14344

💛 - Coveralls

@hughcapet hughcapet added this to the Sprint 2024.18 milestone Oct 4, 2024
@CyberDem0n CyberDem0n merged commit 877acf2 into patroni:master Oct 9, 2024
25 checks passed
CyberDem0n pushed a commit that referenced this pull request Oct 16, 2024
pgaudit could be added to shared_preload_libraries, but we don't check for it, because setting a custom GUC works in all cases.