Re: Passwords in clear text in server log

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Don,

* Don Seiler (don@xxxxxxxxx) wrote:
> On Wed, Oct 11, 2017 at 3:01 PM, Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
> 
> > We have heard many times from people who don't have enough insight, or
> > enough debug support client-side, to know exactly what queries their
> > apps are issuing.  Disabling query logging would be a horrible setback
> > for debuggability of such apps.  How many times have you said "consult
> > the postmaster log to find out what's going on"?
> 
> Not logging statements that fail to parse isn't the same as disabling query
> logging. If a statement fails to parse it can't really be considered a
> query in my opinion. When it fails to parse it *should* send a
> loud-and-clear error to whatever client-side application sent it. Granted a
> lazy developer could code their app to swallow all errors, but then I'd say
> they deserve the headache.

While I enjoy the general sentiment, it's really just overly constrained
when it comes to the development environments out there today.  Quite
often, developers aren't actually hand-crafting SQL queries but instead
letting some framework or what-have-you generate them and the error
being thrown on a parse failure could be difficult to distinguish from a
server closed connection or similar failure at the higher levels.  Yes,
ideally, that would still end up getting into a log file somewhere, but
now you're talking about the app-side log files which are often spread
across hundreds of app servers, or, at best, collected into some massive
logging system that it isn't easy to look through.

All that said, I'd be open to allowing users to decide if they wish to
log parse errors or not and perhaps we can put some caveats around that
to let people know how logging of parse errors could end up putting
things into the logs that they may not wish were there.  Further, we
could then consider doing something more interesting when it comes to
logging of ALTER ROLE statements when passwords are included, perhaps,
since the above considered switch would eliminate the concern about
syntax errors.

I'm not sure how ugly that would end up getting though, so no promises.

Thanks!

Stephen

Attachment: signature.asc
Description: Digital signature


[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux