Security considerations v4

Suggest edits

When running queries in the database, Lasso tries to use a role that has enough privileges to gather the required information from the tool from which metrics are being gathered.

The following are the tools and the roles that Lasso tries to use for each of them. Lasso tries to use the first available role in each tool role list. Initial connection role means the role that was provided through Lasso CLI when running the toolusually postgres or enterprisedb.

  • PostgreSQL:
    • pg_monitor
    • Initial connection role
  • PgLogical:
    • pglogical_superuser
    • Initial connection role
  • PGD:
    • bdr_monitor
    • Initial connection role
  • PEM:
    • pem_user
    • Initial connection role
  • Repmgr:
    • Initial connection role
  • xDB:
    • Initial connection role

Most of the PGD gatherings try using the bdr_monitor role. However, the one in charge of gathering conflicts tries to use the role bdr_read_all_conflicts for that purpose. That's the only exception.

In any of the cases, it uses a read-only transaction while querying metrics and configurations from the database.