+ New Ticket

show user sessions - insufficient privilege

Comments

6 comments

  • Avatar
    Oleg Popivnenko
    Hi Omer,

    The tool uses pg_catalog.pg_stat_activity for obtaining session list.
    Please try selecting * from pg_catalog.pg_stat_activity and see if it works.
    0
    Comment actions Permalink
  • Avatar
    omer brandis
    Hi oleg,

    as i've mentioned in the original post,
    the user is permitted to select from pg_stat_activity.
    ( we have tripple checked this).

    thanks,
    omer.
    0
    Comment actions Permalink
  • Avatar
    Oleg Popivnenko
    Hi Omer,

    It looks like I have misinterpreted your request.
    It is normal that the users that do not have privileges to see actual command text do not see it.
    This has nothing to do with permissions for accessing the pg_catalog.pg_stat_activity system view.
    For example, i do not see actual command tixt for the queries executed in a context of a database i have no privileges for accessing.
    However, if i switch to my own database, where i am an owner, i can see everything just fine.
    I hope that helps.
    0
    Comment actions Permalink
  • Avatar
    omer brandis
    Hi oleg,

    i fear that you have still not answered the question.

    the question is - what/which authorization/permission is missing so that a user will be able to view the sql text?

    is it superuser?
    is it ownership over a database?

    is the permission missing at the database level ?
    or does aginity add its own logic/security layer?

    what is the operation that is performed by aginity in order to get this info?
    what is the greenplum/postgresql error message that is returned by the database in this case?


    * i need some users to be able to view the information,
    but i can't grant then ownership over the database or superuser.

    if this is an aginity issue, i would like this restriction removed.
    if its another permission missing at the db layer, i'll grant it
    if this problem is caused by db requirements/limitations, i'll open a ticket at emc.

    right now, i don't know where to go....


    thanks,
    omer.
    0
    Comment actions Permalink
  • Avatar
    omer brandis
    i found the answer.

    its normal behavior for pg_stat_activity :
    pg_stat_activity
    The view pg_stat_activity shows one row per server process and details about it associated user session and query. The columns that report data on the current query are available unless the parameter stats_command_string has been turned off. Furthermore, these columns are only visible if the user examining the view is a superuser or the same as the user owning the process being reported on.

    so , i guess i'll try to workaround this limitation with a security definer function that returns the data.

    0
    Comment actions Permalink
  • Avatar
    omer brandis

    thanks Oleg.

     

    0
    Comment actions Permalink

Please sign in to leave a comment.