This repository has been archived by the owner on Aug 22, 2024. It is now read-only.

Security considerations

Alexey Lesovsky edited this page Jul 3, 2021 · 4 revisions

pgSCV requires certain privileges for collecting metrics and for auto-discovery. It uses the following sources for collecting metrics:

  • reading procfs and sysfs pseudo-filesystems
  • reading Postgres and Pgbouncer log files
  • reading Postgres stats views whose names begin with the pg_stat prefix
  • reading Postgres system catalog tables
  • executing Postgres functions for reading configs, stats, files metadata, etc.
  • walking filesystem paths inside the Postgres data directory (auto-discovery)
  • walking filesystem paths in /etc (auto-discovery)
  • reading Pgbouncer stats from the built-in pgbouncer database.

System access

  • a regular, unprivileged system user is sufficient to read all necessary stats
  • this user must have access to the Postgres/Pgbouncer log directories

Postgres access

  • a regular, unprivileged database role is NOT sufficient to read all necessary stats
  • at least the pg_monitor and pg_read_server_files roles must be granted to the role (available since Postgres 10)
  • the EXECUTE privilege must be granted on the pg_current_logfile() function in the database used for connecting (default is postgres)
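
One way to provision a role with exactly these grants and then audit it, as an added example that is not part of the pgSCV project. The role name pgscv_monitor and the password placeholder are assumptions; run it as a superuser in the database pgSCV connects to.

```sql
-- Added example. "pgscv_monitor" and 'CHANGE_ME' are placeholders, not pgSCV defaults.

-- 1. A login role with every elevated attribute explicitly switched off.
CREATE ROLE pgscv_monitor
    LOGIN PASSWORD 'CHANGE_ME'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION;

-- 2. The two predefined roles the page names (Postgres 10 and later).
GRANT pg_monitor, pg_read_server_files TO pgscv_monitor;

-- 3. EXECUTE on pg_current_logfile(). Function privileges are per database,
--    so this must run in the database used for connecting (default: postgres).
GRANT EXECUTE ON FUNCTION pg_current_logfile() TO pgscv_monitor;

-- 4. Audit: the first four columns should be false, the last three true.
SELECT r.rolname,
       r.rolsuper,
       r.rolcreaterole,
       r.rolcreatedb,
       r.rolreplication,
       pg_has_role(r.rolname, 'pg_monitor', 'MEMBER')           AS in_pg_monitor,
       pg_has_role(r.rolname, 'pg_read_server_files', 'MEMBER') AS in_read_server_files,
       has_function_privilege(r.rolname, 'pg_current_logfile()', 'EXECUTE')
                                                                AS can_read_logfile_name
FROM pg_roles r
WHERE r.rolname = 'pgscv_monitor';

-- 5. Audit: direct memberships beyond the two expected roles.
--    Any row returned here is privilege the page does not call for.
SELECT g.rolname AS unexpected_membership
FROM pg_auth_members m
JOIN pg_roles g ON g.oid = m.roleid
JOIN pg_roles u ON u.oid = m.member
WHERE u.rolname = 'pgscv_monitor'
  AND g.rolname NOT IN ('pg_monitor', 'pg_read_server_files');
```

Re-running steps 4 and 5 after upgrades or role changes shows whether the monitoring role has drifted from this minimum.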

Pgbouncer access

  • a user specified in stats_users of pgbouncer.ini is sufficient to read all necessary stats.

Auto-update procedure

pgSCV can check for new releases on the GitHub releases page; when a new version is available, pgSCV can automatically fetch it and upgrade itself. This is recommended for Weaponry users, so that new features are delivered automatically.

The main issue is that pgSCV requires root privileges to restart its systemd service during an upgrade. Before executing systemctl restart pgscv, pgSCV checks its UID: if it is 0 (root), it executes the restart directly; if it is greater than 0, it tries to restart using sudo. In that case sudoers should be adjusted:

postgres   ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl restart pgscv.service

If security policy forbids running pgSCV with root or sudo privileges, auto-update should be disabled at bootstrap or in pgscv.yaml.

Metrics exposition

When running in public or untrusted networks, the /metrics endpoint can be protected with Basic authentication and TLS encryption.