diff options
| author | Christopher Baines <mail@cbaines.net> | 2016-03-01 08:44:38 +0000 |
|---|---|---|
| committer | Christopher Baines <mail@cbaines.net> | 2016-03-01 08:44:38 +0000 |
| commit | 84c7599f2a86baf4a1f9de1e8788ff2bb01bb1b6 (patch) | |
| tree | 601b0dcfe7335a8cbb780df4ab07ea049ceb45f3 | |
| parent | 5b70ef42ccf8217436d804d91b8337292a291ee3 (diff) | |
| download | prometheus-pgbouncer-exporter-84c7599f2a86baf4a1f9de1e8788ff2bb01bb1b6.tar prometheus-pgbouncer-exporter-84c7599f2a86baf4a1f9de1e8788ff2bb01bb1b6.tar.gz | |
Add note about authentication
| -rw-r--r-- | README | 14 |
1 files changed, 14 insertions, 0 deletions
@@ -23,3 +23,17 @@ repository. Alternatively, you can download a binary package from here: I would recommend installing using setuptools, then running the promtheus-pgbouncer-exporter script. A systemd service file is provided which can be used if you have systemd. + +## Authentication + +The service connects to the pgbouncer admin console to gather metrics. The +service file runs the service as the postgres user (which is assumed to be the +user which pgbouncer is running as), such that it can access the admin console +(for which access is allowed if the login comes from via a Unix socket and the +client has the same user id as the pgbouncer service). + +This setup does mean that the exporter service (when running as the postgres +user) has far more capabilities than it requires. A more secure approach is to +run the service as a unprivileged user, which is listed in the stats_users +configuration parameter, as this means the process does not have to run as the +postgres user, and will be restricted to using the SHOW command. |