Showing results for 
Search instead for 
Did you mean: 

Hiding Password Commands from Database Logs

It has been bugging a lot of users using the PostgreSQL or EPAS servers, that the database logs will include the clear text password when you use ALTER USER statements with log_statement set to all.

This can now be handled in EPAS 11 server using a new GUC. You would need to load edb_filter_log contrib module to enable it.


 If edb_filter_log.redact_alter_password is set to true, the system will watch for commands of the form


ALTER {USER|ROLE|GROUP} identifier PASSWORD 'nonempty_string_literal'

If such a statement is logged via log_statement, the 'nonempty_string_literal' portion will be changed to say 'x' instead, concealing the password supplied as an argument. If such a statement generates an error message that would normally have a STATEMENT: context line attached, the context line will be hidden for the same reason.


In order to apply these setting a user would need to enable edb_filter_log. Refer the below test case.


>> Edit the postgresql.conf file and add the edb_filter_log to the loaded libraries.


shared_preload_libraries = '$libdir/edb_filter_log'


>> Restart the database server to apply the changes.

>> Login to the database and set redact_password_commands to ON.


-bash-4.1$ ./psql -p 5111 edb
psql.bin (11.3.10)
Type "help" for help.
edb=# ALTER SYSTEM SET edb_filter_log.redact_password_commands TO 'on';

edb=# select pg_reload_conf();
(1 row)

 Once the configurations are loaded, the passwords for all the alter commands will be replaced by an 'x'.


For example:


If you use a statement with a password, it displayed the password in clear text in the database logs.


edb=# alter user vipul identified by 'edb';

LOG: 2019-06-04 14:15:01 IST LOG: statement: alter user vipul identified by 'edb';




After enabling the redact_password_commands.


edb=# alter user vipul identified by 'newpass';

LOG: 2019-06-04 14:17:07 IST LOG: statement: alter user vipul identified by 'x';

Version history
Revision #:
1 of 1
Last update:
‎06-04-2019 06:49 AM
Updated by: