PostgreSQL DB account role and privilege

thy17 · October 10, 2022, 2:13am

Hi, to monitor PostgreSQL DB instance, does the PostgreSQL DB account used by PMM client to login to the DB really need to have “superuser” role? Can it have non-root DB privileges - if so, what are they?

Thanks in advance!

Vadim_Yalovets · October 10, 2022, 7:09am

Hi @thy17,

Percona recommends that a PostgreSQL user be configured for SUPERUSER level access, in order to gather the maximum amount of data.

thy17 · November 10, 2022, 6:32am

Hi @Vadim_Yalovets,
Thanks for the reply.

From security standpoint, if superuser role cannot be granted, is there a recommended set of postgresql tables / views that can provide the required query performance data?

Thank you.

thy17 · November 21, 2022, 2:24am

Hi @Vadim_Yalovets and all,

I found additional information regarding the possibility to grant non superuser role to the PMM Client’s PostgreSQL DB account, but would like to seek thoughts and advice on the legitimacy / validity of the info found.

PMM Client’s PostgreSQL DB accounts: In the case when a PostgreSQL DB is the target to be monitored, it is recommended in the PMM documentation for the PMM client (specifically, pmm-agent) to connect to the PostgreSQL DB using a DB account with “SUPERUSER” role, so that the maximum amount of metrics information can be obtained. This is aligned with what @Vadim_Yalovets has shared above.
However, referencing the github page for PMM PostgreSQL exporter (i.e. see section “Running as non-superuser” on GitHub - percona/postgres_exporter: A PostgresSQL metric exporter for Prometheus), there is another guidance that a DB account with non-SUPERUSER role (i.e. either pg_monitor, or pg_read_all_stats built-in PostgreSQL roles) can be created and granted to read metrics from the “pg_stat*” views.

Thus, may I know if the GitHub guidance can be followed to grant just the required built-in roles and privileges to the connecting PostgreSQL DB account, instead of “SUPERUSER”? Based on PostgreSQL doc, there are 4 predefined roles that can collect metrics: namely “pg_monitor”, “pg_read_all_stats”, “pg_read_all_settings”, “pg_stat_scan_tables” (ref: see attached screenshot extracted from PostgreSQL: Documentation: 15: 22.5. Predefined Roles):
Predefined PG Roles

Thus, is it feasible to grant the predefined roles, instead of SUPERUSER role, to the PostgreSQL DB account to collect DB metrics by PMM agent? This will follow the least-privilege security principle and reduce the threat of SUPERUSER credentials leakage if the PMM Server’s PostgreSQL DB is compromised, since these credentials are not encrypted at rest currently.

Does anyone have any thoughts on this? Thank you!

Topic		Replies	Views
Exact permissions need PMM user on Postgresql? PMM 2.x postgres , postgresql	1	460	February 6, 2024
Minimum grant that PMM requires for monitoring postgres with pg_stat_monitor pg_stat_monitor	2	336	February 22, 2024
[QAN] - Query Analytics configuration for PostgreSQL pg_stat_monitor community , pmm , percona	8	1526	December 5, 2022
Postgres and seeing other schemas/roles/databases PMM 2.x	4	958	December 3, 2020
Super privileges for pmm user PMM 1.x	1	2119	January 17, 2019

PostgreSQL DB account role and privilege

Related topics