On Sat, May 21, 2022 at 12:28:58PM +0900, Michael Paquier wrote:
> Indeed, it is a good idea to add this information.  Will apply and
> backpatch accordingly.

Sorry, I should've noticed this yesterday.  This should probably follow 6198420's example and say "roles with privileges of the pg_read_all_stats role" instead of "members of the pg_read_all_stats role."  Also, I think we should mention that this information is visible to roles with privileges of the session user being reported on, too.  Patch attached.

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index fe64239ed9..a91145ccf3 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -7917,11 +7917,11 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv; executing command of each session, along with its identifier and the time when that command began execution. This parameter is on by default. Note that even when enabled, this information is only - visible to superusers, members of the - <literal>pg_read_all_stats</literal> role and the user owning the - session being reported on, so it should not represent a security risk. - Only superusers and users with the appropriate <literal>SET</literal> - privilege can change this setting. + visible to superusers, roles with privileges of the + <literal>pg_read_all_stats</literal> role, and roles with privileges of + the user owning the session being reported on, so it should not + represent a security risk. Only superusers and users with the + appropriate <literal>SET</literal> privilege can change this setting. </para> </listitem> </varlistentry>
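
Review bot: the rewritten sentence mixes "roles" and "users" for the same kind of principal. The added lines say "roles with privileges of the user owning the session being reported on", and the last sentence still reads "Only superusers and users with the appropriate SET privilege". Consider one term throughout, for example "the role owning the session being reported on". Separately, the retained conclusion "so it should not represent a security risk" now follows a wider audience than the removed text listed, since any role holding privileges of the session's owner is included. It may be worth softening that clause or adding a few words noting that visibility follows role grants, so that readers who grant roles broadly understand that the command text of those sessions becomes visible to the grantees.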