About a recently-added permission-related error message

Started by Kyotaro Horiguchialmost 3 years ago2 messages

horikyota.ntt@gmail.com

almost 3 years ago

1 attachment(s)

I found an error message added by de4d456b406bf502341ef526710d3f764b41e2c8.

When I incorrectly configured the primary_conninfo with the wrong
user, I received the following message on the server logs of both
servers involved in a physical replcation set.

[27022:walsender] FATAL: permission denied to start WAL sender
[27022:walsender] DETAIL: Only roles with the REPLICATION attribute may start a WAL sender process.

I'm not sure if adding the user name in the log prefix is a common
practice, but without it, the log line might not have enough
information. Unlike other permission-related messages, this message is
not the something human operators receive in response to their
actions. It seems similar to connection authorization logs where the
user name is important. So, I'd like to propose the following
alternative.

[27022:walsender] DETAIL: The connection user "r1" requires the REPLICATION attribute.

What do you think about this change?

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center

Attachments:

change_a_permission_related_error_message.difftext/x-patch; charset=us-asciiDownload

diff --git a/src/backend/utils/init/postinit.c b/src/backend/utils/init/postinit.c
index 31d6a05426..31b33524ad 100644
--- a/src/backend/utils/init/postinit.c
+++ b/src/backend/utils/init/postinit.c
@@ -972,8 +972,8 @@ InitPostgres(const char *in_dbname, Oid dboid,
 			ereport(FATAL,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to start WAL sender"),
-					 errdetail("Only roles with the %s attribute may start a WAL sender process.",
-							   "REPLICATION")));
+					 errdetail("The connection user \"%s\" requires the %s attribute.",
+							   username, "REPLICATION")));
 	}
 
 	/*

Yugo NAGATA

nagata@sraoss.co.jp

almost 3 years ago

In reply to: Kyotaro Horiguchi (#1)

Re: About a recently-added permission-related error message

On Mon, 20 Mar 2023 17:05:41 +0900 (JST)
Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote:

I found an error message added by de4d456b406bf502341ef526710d3f764b41e2c8.

When I incorrectly configured the primary_conninfo with the wrong
user, I received the following message on the server logs of both
servers involved in a physical replcation set.

[27022:walsender] FATAL: permission denied to start WAL sender
[27022:walsender] DETAIL: Only roles with the REPLICATION attribute may start a WAL sender process.

I'm not sure if adding the user name in the log prefix is a common
practice, but without it, the log line might not have enough
information. Unlike other permission-related messages, this message is
not the something human operators receive in response to their
actions. It seems similar to connection authorization logs where the
user name is important. So, I'd like to propose the following
alternative.

I am not sure whether this change is necessary because the error message
will appear in the log of the standby server and users can easily know
the connection user just by checking primary_conninfo.

[27022:walsender] DETAIL: The connection user "r1" requires the REPLICATION attribute.

However, if we need this change, how about using
"DETAIL: The connection user "r1" must have the REPLICATION attribute."
This pattern is used in other part like check_object_ownership() and
AlterRole(). The user name is not included there, though.

Regards,
Yugo Nagata

What do you think about this change?

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center

--
Yugo NAGATA <nagata@sraoss.co.jp>