Version: Axidian Privilege 3.0

Usage of PostgreSQL Proxy

Axidian Privilege 3.0 introduces a new component, PostgreSQL Proxy. All SQL sessions are now initiated via this component. This allows administrators to read text logs that contain all SQL queries executed by a user, which provides greater control over sessions and simplifies incident investigation.

DBMS Client Configuration

DBMS clients often behave in a specific way: after connecting to the DB server, they open a separate session to execute SQL queries. In this case, several sessions are also created in PAM, which can make viewing text logs inconvenient.

To run SQL queries in the same session as the connection to the DB server, you need to configure the DBMS client. The following steps show how to do this, using the DBeaver client as an example.

  1. Open DBeaver.
  2. On the left side of the screen, in the Database Navigator window, find the required server in the list of available connections, left-click on it and press F4 on the keyboard.
  3. In the window that opens, go to the Metadata tab, check the Datasource <servername> settings flag.
  4. For the Open separate connection for metadata read option, select the Never value from the drop-down list.
  5. Go to the SQL Editor tab.
  6. For the Open separate connection for each editor option, select the Never value from the drop-down list.
  7. Save changes by clicking OK.
  8. Repeat all the listed steps for all of your database servers.

Specifying the PostgreSQL Proxy Address in PAM

  1. Open Axidian Privilege Management Console.
  2. Go to Configuration → System settings.
  3. In the PostgreSQL Proxy section, fill in the PostgreSQL Proxy Address field.

Opening a Session via PostgreSQL Proxy

This procedure is described in the user manual, in the section Connecting to a Resource via PostgreSQL Proxy.

Viewing Text Logs of SQL Sessions

To view text logs of a session opened via PostgreSQL Proxy:

  1. Open Axidian Privilege Management Console.
  2. Open the Active sessions section.
  3. Select the desired session.
  4. Click Text Log.

Please note that different SQL clients may save the text of SQL queries differently. For example, psql doesn't include comments of SQL queries, while pgAdmin includes them.

The text log displayed in the session profile is not updated automatically. To get an up-to-date text log, you need to periodically click Refresh.

Text logs do not save SQL query results.

The text log contains only outgoing SQL queries (client → server). Incoming SQL queries (server → client) are not included.
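
Because clients differ in whether comments reach the text log (psql drops them, pgAdmin keeps them), it can help during an investigation to compare logged queries with comments removed. The following Python code is an added example, not part of the Axidian documentation: it strips PostgreSQL comments from query text without touching literals; the function name and the sample queries are constructed, and no particular text log file format is assumed.

```python
import re

# Lexical elements that must be recognised so that comment markers inside
# literals are not mistaken for comments (PostgreSQL lexical rules).
_TOKEN = re.compile(r"""
    (?P<line>--[^\n]*)                      # -- line comment
  | (?P<block>/\*)                          # opening of a block comment
  | (?P<lit>[eE]'(?:[^'\\]|\\.|'')*'        # E'...' with backslash escapes
          | '(?:[^']|'')*'                  # 'string literal'
          | "(?:[^"]|"")*"                  # "quoted identifier"
          | \$(?P<tag>(?:[A-Za-z_]\w*)?)\$.*?\$(?P=tag)\$)  # $tag$...$tag$
  | (?P<ws>\s+)                             # whitespace run
""", re.X | re.S)


def strip_sql_comments(sql: str) -> str:
    """Return sql without comments; whitespace outside literals is collapsed."""
    out, i, n = [], 0, len(sql)
    while i < n:
        m = _TOKEN.match(sql, i)
        if m is None:                       # ordinary character: copy through
            out.append(sql[i])
            i += 1
            continue
        i = m.end()
        if m.group("lit") is not None:      # literal: keep exactly as logged
            out.append(m.group("lit"))
            continue
        if m.group("block"):                # PostgreSQL block comments nest
            depth = 1
            while i < n and depth:
                if sql.startswith("/*", i):
                    depth, i = depth + 1, i + 2
                elif sql.startswith("*/", i):
                    depth, i = depth - 1, i + 2
                else:
                    i += 1
        if out and out[-1] != " ":          # comment or whitespace: one space
            out.append(" ")
    return "".join(out).strip()


# Constructed sample: one statement as two different clients might log it.
LOGGED_WITH_COMMENTS = """/* change 42 /* nested */ */
SELECT id, note   -- '--' in the next line is data
FROM audit WHERE note = 'a -- b' AND body = $q$/* keep */$q$;"""
LOGGED_WITHOUT_COMMENTS = (
    "SELECT id, note FROM audit WHERE note = 'a -- b' AND body = $q$/* keep */$q$;"
)
```

The result is a comparison key for searching and matching log entries; keep the original logged text as the record of what was actually sent.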

Limitations

  • Two-factor authentication is supported only for installations with RADIUS authentication, where the second factor is the confirmation of the request in the application. For installations with authentication via PAM, the Use two-factor authentication parameter is ignored: the second factor is not requested and the connection opens without it.
  • Administrator confirmation of session opening is not supported. Disable the Start of the session must be confirmed by Axidian Privilege administrator option in the Policies → Sessions section, otherwise it will be impossible to open a SQL session.
  • Specifying the reason for opening a session is partially supported. If the User must specify the connection reason setting is enabled in the session policy, users will be required to enter a reason in the same field as the account name. For more information, see Connecting to a Resource via PostgreSQL Proxy.