
Hiding Password Commands from Database Logs

Many users of PostgreSQL or EPAS servers have been bothered by the fact that the database logs include the clear-text password when you run ALTER USER statements with log_statement set to all.

This can now be handled in the EPAS 11 server using a new GUC. You need to load the edb_filter_log contrib module to enable it.

 

If edb_filter_log.redact_password_commands is set to true, the system will watch for commands of the form

 

ALTER {USER|ROLE|GROUP} identifier PASSWORD 'nonempty_string_literal'

If such a statement is logged via log_statement, the 'nonempty_string_literal' portion will be changed to say 'x' instead, concealing the password supplied as an argument. If such a statement generates an error message that would normally have a STATEMENT: context line attached, the context line will be hidden for the same reason.

 

To apply this setting, you need to enable edb_filter_log. Refer to the test case below.

>> Edit the postgresql.conf file and add edb_filter_log to the loaded libraries.

 

shared_preload_libraries = '$libdir/edb_filter_log'

 

>> Restart the database server to apply the changes.

>> Log in to the database and set redact_password_commands to ON.

 

-bash-4.1$ ./psql -p 5111 edb
psql.bin (11.3.10)
Type "help" for help.
edb=# ALTER SYSTEM SET edb_filter_log.redact_password_commands TO 'on';
ALTER SYSTEM

edb=# select pg_reload_conf();
 pg_reload_conf
----------------
 t
(1 row)

Once the configuration is reloaded, the passwords in all such ALTER commands will be replaced by 'x' in the logs.

 

For example:

==BEFORE==

If you run a statement with a password, the password is displayed in clear text in the database logs.

 

edb=# alter user vipul identified by 'edb';
ALTER ROLE

LOG: 2019-06-04 14:15:01 IST LOG: statement: alter user vipul identified by 'edb';

 

==AFTER==

 

After enabling redact_password_commands:

 

edb=# alter user vipul identified by 'newpass';
ALTER ROLE

LOG: 2019-06-04 14:17:07 IST LOG: statement: alter user vipul identified by 'x';
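Statements logged before the setting was enabled still contain clear-text passwords. The following is an added example, not part of the original article or of EDB's code: it scans log lines for the statement forms shown above and rewrites the literal to 'x'. The regex, the function names, the optional WITH/ENCRYPTED keywords and the extra sample lines are assumptions made for illustration.

```python
import re

# Matches ALTER {USER|ROLE|GROUP} identifier PASSWORD '...' and the
# IDENTIFIED BY '...' form used in the article's example. The optional
# WITH / ENCRYPTED keywords are an assumption based on PostgreSQL syntax.
PASSWORD_STMT = re.compile(
    r"""(?P<head>\bALTER\s+(?:USER|ROLE|GROUP)\s+(?P<role>"[^"]+"|\S+)\s+
        (?:(?:WITH\s+)?(?:ENCRYPTED\s+)?PASSWORD|IDENTIFIED\s+BY)\s+)
        '(?P<secret>(?:[^']|'')+)'      # literal; '' is an escaped quote
    """,
    re.IGNORECASE | re.VERBOSE,
)

def find_leaks(lines):
    """Return (line_number, role) for every logged password that is not redacted."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in PASSWORD_STMT.finditer(line):
            # A literal of exactly 'x' is what the redaction writes, so it is
            # treated as already redacted (a real password "x" looks the same).
            if match.group("secret") != "x":
                hits.append((number, match.group("role")))
    return hits

def redact(line):
    """Rewrite the password literal to 'x', as the redacted log line shows it."""
    return PASSWORD_STMT.sub(lambda m: m.group("head") + "'x'", line)

# Constructed sample input modelled on the log lines in this article.
SAMPLE_LOG = [
    "2019-06-04 14:15:01 IST LOG: statement: alter user vipul identified by 'edb';",
    "2019-06-04 14:16:10 IST LOG: statement: select pg_reload_conf();",
    "2019-06-04 14:17:07 IST LOG: statement: alter user vipul identified by 'x';",
    "2019-06-04 14:18:30 IST LOG: statement: ALTER ROLE app_rw PASSWORD 'it''s-a-secret';",
]

if __name__ == "__main__":
    for number, role in find_leaks(SAMPLE_LOG):
        print(f"line {number}: clear-text password logged for role {role}")
    for line in SAMPLE_LOG:
        print(redact(line))
```

Any role reported by find_leaks should have its password rotated, since the old value has already been written to disk and possibly shipped to log collectors.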
