Skip to content

#258 Document running as non-superuser on PostgreSQL versions 10 or newer. #590

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jan 26, 2022
Merged

#258 Document running as non-superuser on PostgreSQL versions 10 or newer. #590

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
545c3b7
#258 Document running as non-superuser on PostgreSQL versions 10 or n…
juris-greitans Nov 17, 2021
7c76896
Fix issues mentioned in review. Add link to PostgreSQL documentation …
juris-greitans Nov 29, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 19 additions & 9 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -203,14 +203,10 @@ If you want to include only subset of databases, you can use option `--include-d

### Running as non-superuser

To be able to collect metrics from `pg_stat_activity` and `pg_stat_replication`
as non-superuser you have to create functions and views as a superuser, and
assign permissions separately to those.

In PostgreSQL, views run with the permissions of the user that created them so
they can act as security barriers. Functions need to be created to share this
data with the non-superuser. Only creating the views will leave out the most
important bits of data.
To be able to collect metrics from `pg_stat*` views as non-superuser in PostgreSQL
server versions >= 10 you can grant pg_monitor built-in role to the user. If
Copy link
Contributor

@mbanck mbanck Nov 26, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"you can grant the pg_monitor built-in role" I'd say, maybe also markup pg_monitor with backticks, like pg_stat* before.
Also, I guess technically the pg_read_all_stats role would suffice, so maybe mention both

Copy link
Contributor Author

@juris-greitans juris-greitans Nov 29, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed. PostgreSQL documentation says that pg_monitor is a member of pg_read_all_stats, that's why I went with pg_monitor.
Also, I added a link to pre-defined role documentation.

you need to monitor older PostgreSQL servers, you will have to create functions
and views as a superuser, and assign permissions separately to those.

```sql
-- To use IF statements, hence to be able to check if the user exists before
Expand Down Expand Up @@ -239,9 +235,23 @@ ALTER USER postgres_exporter SET SEARCH_PATH TO postgres_exporter,pg_catalog;
-- If deploying as non-superuser (for example in AWS RDS), uncomment the GRANT
-- line below and replace <MASTER_USER> with your root user.
-- GRANT postgres_exporter TO <MASTER_USER>;

GRANT CONNECT ON DATABASE postgres TO postgres_exporter;
```

Run following command if you use PostgreSQL versions >= 10
```sql
GRANT pg_monitor to postgres_exporter;
```

Run following SQL commands only if you use PostgreSQL versions older than 10.
In PostgreSQL, views run with the permissions of the user that created them so
they can act as security barriers. Functions need to be created to share this
data with the non-superuser. Only creating the views will leave out the most
important bits of data.
```sql
CREATE SCHEMA IF NOT EXISTS postgres_exporter;
GRANT USAGE ON SCHEMA postgres_exporter TO postgres_exporter;
GRANT CONNECT ON DATABASE postgres TO postgres_exporter;

CREATE OR REPLACE FUNCTION get_pg_stat_activity() RETURNS SETOF pg_stat_activity AS
$$ SELECT * FROM pg_catalog.pg_stat_activity; $$
Expand Down