Participants
El Co
El Co
Pavel Stehule
Pavel Stehule
Kenneth Buckler
Kenneth Buckler
Attachments
Show all attachments
Thread Outline
#1El CoEl Co
Jan 26, 2011
#2Pavel StehulePavel Stehuleto El Co (#1)
Jan 27, 2011
#3Kenneth BucklerKenneth Bucklerto El Co (#1)
Jan 28, 2011

Adding ddl audit trigger

Started by El Coabout 15 years ago3 messagesgeneral
Jump to latest
#1El Co
El Co
lc4od@yahoo.com

Trying to get some DDL auditing in a development environment by adding triggers
to pg_proc, pg_class,pg_type,pg_trigger and getting the following error:
 
ERROR: permission denied: "pg_proc" is a system catalog
SQL state: 42501
 
Is there any way to achieve DDL auditing in Postgres and trace any
new/dropped/changed object into a table? All I need is to at least be able and
save a userid(current_user), timestamp, action, and the name of the object and
this could be done easily by adding triggers to these pg catalogs.

#2Pavel Stehule
Pavel Stehule
pavel.stehule@gmail.com
In reply to: El Co (#1)
Re: Adding ddl audit trigger

Hello

2011/1/26 El Co <lc4od@yahoo.com>:

Trying to get some DDL auditing in a development environment by adding
triggers to pg_proc, pg_class,pg_type,pg_trigger and getting the following
error:

ERROR: permission denied: "pg_proc" is a system catalog

SQL state: 42501

Is there any way to achieve DDL auditing in Postgres and trace any
new/dropped/changed object into a table?

no, it isn't

All I need is to at least be able and save a userid(current_user),
timestamp, action, and the name of the object and this could be done easily
by adding triggers to these pg catalogs.

you, can't do it this on PostgreSQL level. Probably you can revoke a
rights to DDL op. Then you are sure, so nobody will do some DDL op.
Next step can be a custom procedure in PL/pgSQL with security definer
right, that can do DDL via dynamic SQL. This procedure can trace a
info to log. A user can use DDL via this procedure.

Regards

Pavel Stehule

#3Kenneth Buckler
Kenneth Buckler
kenneth.buckler@gmail.com
In reply to: El Co (#1)
Re: Adding ddl audit trigger

You just need to log DDL, correct?

Why not just edit postgres.conf and set log_statement to 'ddl'.

See http://www.postgresql.org/docs/9.0/static/runtime-config-logging.html

If you need to include username, database, etc, take a look at
log_line_prefix on the same page.

Ken

Show quoted text

On Wed, Jan 26, 2011 at 4:30 PM, El Co <lc4od@yahoo.com> wrote:

Trying to get some DDL auditing in a development environment by adding
triggers to pg_proc, pg_class,pg_type,pg_trigger and getting the following
error:

ERROR: permission denied: "pg_proc" is a system catalog

SQL state: 42501

Is there any way to achieve DDL auditing in Postgres and trace any
new/dropped/changed object into a table?

All I need is to at least be able and save a userid(current_user),
timestamp, action, and the name of the object and this could be done easily
by adding triggers to these pg catalogs.

← Back to Topics