Joshua, * Joshua Warburton (j.warburton@xxxxxxxx) wrote: > I'm authenticating to postgres using GSSAPI and (for audit reasons) > I need to be able to log the principle name that connects as well as > the username it is mapped to. Is there any way I can get postgres to > log this without cranking up the log level for everything? Not easily, I don't think. The Kerberos logs should be able to tell you every postgres/HOST@REALM ticket which is issued and while that's not great it's at least something. Another option is to just use the full princ *as* the PG username, which works fine but can be a bit annoying when you're trying to GRANT permissions, etc (I'd suggest using a lot of roles :). Improving this has been one of those things that I've wanted to do for a long time... Probably by just adding the "System Username" or similar to the "connection authorized" log message. Would that work for your need..? Thanks, Stephen
Attachment:
signature.asc
Description: Digital signature
