aboutsummaryrefslogtreecommitdiff
path: root/README
diff options
context:
space:
mode:
Diffstat (limited to 'README')
-rw-r--r--README14
1 files changed, 14 insertions, 0 deletions
diff --git a/README b/README
index 719dd02..13a7e50 100644
--- a/README
+++ b/README
@@ -23,3 +23,17 @@ repository. Alternatively, you can download a binary package from here:
I would recommend installing using setuptools, then running the
promtheus-pgbouncer-exporter script. A systemd service file is provided which
can be used if you have systemd.
+
+## Authentication
+
+The service connects to the pgbouncer admin console to gather metrics. The
+service file runs the service as the postgres user (which is assumed to be the
+user which pgbouncer is running as), such that it can access the admin console
+(for which access is allowed if the login comes from via a Unix socket and the
+client has the same user id as the pgbouncer service).
+
+This setup does mean that the exporter service (when running as the postgres
+user) has far more capabilities than it requires. A more secure approach is to
+run the service as a unprivileged user, which is listed in the stats_users
+configuration parameter, as this means the process does not have to run as the
+postgres user, and will be restricted to using the SHOW command.