pg_command_fw
DDL and utility command firewall for PostgreSQL
Repository
rustwizard/pg_command_fw
https://github.com/rustwizard/pg_command_fw
Source
pg_command_fw-0.1.0.zip
Overview
| Package | Version | Category | License | Language |
|---|---|---|---|---|
| pg_command_fw | 0.1.0 | SEC | BSD-3-Clause | Rust |
| ID | Extension | Bin | Lib | Load | Create | Trust | Reloc | Schema |
|---|---|---|---|---|---|---|---|---|
| 7400 | pg_command_fw | No | Yes | Yes | Yes | No | No | - |
Related extensions: pgaudit, pgextwlist, login_hook, set_user
Requires shared_preload_libraries = pg_command_fw to activate hooks for all sessions.
Versions
| Type | Repo | Version | PG major | Package | Dependencies |
|---|---|---|---|---|---|
| EXT | PIGSTY | 0.1.0 | 18, 17, 16, 15, 14 | pg_command_fw | - |
| RPM | PIGSTY | 0.1.0 | 18, 17, 16, 15, 14 | pg_command_fw_$v | - |
| DEB | PIGSTY | 0.1.0 | 18, 17, 16, 15, 14 | postgresql-$v-pg-command-fw | - |
Per-OS packages in the PIGSTY repository (version 0.1.0); no PG14 package is published for any platform.
| OS / PG | PG18 | PG17 | PG16 | PG15 | PG14 |
|---|---|---|---|---|---|
| el8.x86_64 | pg_command_fw_18-0.1.0-1PIGSTY.el8.x86_64.rpm | pg_command_fw_17-0.1.0-1PIGSTY.el8.x86_64.rpm | pg_command_fw_16-0.1.0-1PIGSTY.el8.x86_64.rpm | pg_command_fw_15-0.1.0-1PIGSTY.el8.x86_64.rpm | missing |
| el8.aarch64 | pg_command_fw_18-0.1.0-1PIGSTY.el8.aarch64.rpm | pg_command_fw_17-0.1.0-1PIGSTY.el8.aarch64.rpm | pg_command_fw_16-0.1.0-1PIGSTY.el8.aarch64.rpm | pg_command_fw_15-0.1.0-1PIGSTY.el8.aarch64.rpm | missing |
| el9.x86_64 | pg_command_fw_18-0.1.0-1PIGSTY.el9.x86_64.rpm | pg_command_fw_17-0.1.0-1PIGSTY.el9.x86_64.rpm | pg_command_fw_16-0.1.0-1PIGSTY.el9.x86_64.rpm | pg_command_fw_15-0.1.0-1PIGSTY.el9.x86_64.rpm | missing |
| el9.aarch64 | pg_command_fw_18-0.1.0-1PIGSTY.el9.aarch64.rpm | pg_command_fw_17-0.1.0-1PIGSTY.el9.aarch64.rpm | pg_command_fw_16-0.1.0-1PIGSTY.el9.aarch64.rpm | pg_command_fw_15-0.1.0-1PIGSTY.el9.aarch64.rpm | missing |
| el10.x86_64 | pg_command_fw_18-0.1.0-1PIGSTY.el10.x86_64.rpm | pg_command_fw_17-0.1.0-1PIGSTY.el10.x86_64.rpm | pg_command_fw_16-0.1.0-1PIGSTY.el10.x86_64.rpm | pg_command_fw_15-0.1.0-1PIGSTY.el10.x86_64.rpm | missing |
| el10.aarch64 | pg_command_fw_18-0.1.0-1PIGSTY.el10.aarch64.rpm | pg_command_fw_17-0.1.0-1PIGSTY.el10.aarch64.rpm | pg_command_fw_16-0.1.0-1PIGSTY.el10.aarch64.rpm | pg_command_fw_15-0.1.0-1PIGSTY.el10.aarch64.rpm | missing |
| d12.x86_64 | postgresql-18-pg-command-fw_0.1.0-1PIGSTY~bookworm_amd64.deb | postgresql-17-pg-command-fw_0.1.0-1PIGSTY~bookworm_amd64.deb | postgresql-16-pg-command-fw_0.1.0-1PIGSTY~bookworm_amd64.deb | postgresql-15-pg-command-fw_0.1.0-1PIGSTY~bookworm_amd64.deb | missing |
| d12.aarch64 | postgresql-18-pg-command-fw_0.1.0-1PIGSTY~bookworm_arm64.deb | postgresql-17-pg-command-fw_0.1.0-1PIGSTY~bookworm_arm64.deb | postgresql-16-pg-command-fw_0.1.0-1PIGSTY~bookworm_arm64.deb | postgresql-15-pg-command-fw_0.1.0-1PIGSTY~bookworm_arm64.deb | missing |
| d13.x86_64 | postgresql-18-pg-command-fw_0.1.0-1PIGSTY~trixie_amd64.deb | postgresql-17-pg-command-fw_0.1.0-1PIGSTY~trixie_amd64.deb | postgresql-16-pg-command-fw_0.1.0-1PIGSTY~trixie_amd64.deb | postgresql-15-pg-command-fw_0.1.0-1PIGSTY~trixie_amd64.deb | missing |
| d13.aarch64 | postgresql-18-pg-command-fw_0.1.0-1PIGSTY~trixie_arm64.deb | postgresql-17-pg-command-fw_0.1.0-1PIGSTY~trixie_arm64.deb | postgresql-16-pg-command-fw_0.1.0-1PIGSTY~trixie_arm64.deb | postgresql-15-pg-command-fw_0.1.0-1PIGSTY~trixie_arm64.deb | missing |
| u22.x86_64 | postgresql-18-pg-command-fw_0.1.0-1PIGSTY~jammy_amd64.deb | postgresql-17-pg-command-fw_0.1.0-1PIGSTY~jammy_amd64.deb | postgresql-16-pg-command-fw_0.1.0-1PIGSTY~jammy_amd64.deb | postgresql-15-pg-command-fw_0.1.0-1PIGSTY~jammy_amd64.deb | missing |
| u22.aarch64 | postgresql-18-pg-command-fw_0.1.0-1PIGSTY~jammy_arm64.deb | postgresql-17-pg-command-fw_0.1.0-1PIGSTY~jammy_arm64.deb | postgresql-16-pg-command-fw_0.1.0-1PIGSTY~jammy_arm64.deb | postgresql-15-pg-command-fw_0.1.0-1PIGSTY~jammy_arm64.deb | missing |
| u24.x86_64 | postgresql-18-pg-command-fw_0.1.0-1PIGSTY~noble_amd64.deb | postgresql-17-pg-command-fw_0.1.0-1PIGSTY~noble_amd64.deb | postgresql-16-pg-command-fw_0.1.0-1PIGSTY~noble_amd64.deb | postgresql-15-pg-command-fw_0.1.0-1PIGSTY~noble_amd64.deb | missing |
| u24.aarch64 | postgresql-18-pg-command-fw_0.1.0-1PIGSTY~noble_arm64.deb | postgresql-17-pg-command-fw_0.1.0-1PIGSTY~noble_arm64.deb | postgresql-16-pg-command-fw_0.1.0-1PIGSTY~noble_arm64.deb | postgresql-15-pg-command-fw_0.1.0-1PIGSTY~noble_arm64.deb | missing |
Build
You can build the RPM / DEB packages of the pg_command_fw extension with the pig build command:
pig build pkg pg_command_fw # build RPM / DEB packages
Install
You can install the prebuilt binary packages of pg_command_fw directly; first make sure the PGDG and PIGSTY repositories have been added and enabled:
pig repo add pgsql -u # add the repositories and refresh the cache
Install the extension with pig or with apt/yum/dnf:
pig install pg_command_fw; # install for the currently active PG version
pig ext install -y pg_command_fw -v 18 # PG 18
pig ext install -y pg_command_fw -v 17 # PG 17
pig ext install -y pg_command_fw -v 16 # PG 16
pig ext install -y pg_command_fw -v 15 # PG 15
dnf install -y pg_command_fw_18 # PG 18
dnf install -y pg_command_fw_17 # PG 17
dnf install -y pg_command_fw_16 # PG 16
dnf install -y pg_command_fw_15 # PG 15
apt install -y postgresql-18-pg-command-fw # PG 18
apt install -y postgresql-17-pg-command-fw # PG 17
apt install -y postgresql-16-pg-command-fw # PG 16
apt install -y postgresql-15-pg-command-fw # PG 15
Preload configuration (postgresql.conf, no trailing semicolon):
shared_preload_libraries = 'pg_command_fw'
Create the extension:
CREATE EXTENSION pg_command_fw;
Usage
Syntax:
CREATE EXTENSION pg_command_fw;
ALTER SYSTEM SET pg_command_fw.block_truncate = on;
ALTER SYSTEM SET pg_command_fw.production_schemas = 'public,payments';
SELECT pg_reload_conf();
Source: README
pg_command_fw is a command firewall for PostgreSQL. It intercepts DDL and utility commands through the ProcessUtility hook, and intercepts some of the dangerous built-in file-reading functions through the post-parse-analyze hook. Each command category is controlled by its own GUC.
Installation
The extension must be preloaded:
shared_preload_libraries = 'pg_command_fw'
Then enable it in the database:
CREATE EXTENSION pg_command_fw;
Command categories
The upstream README documents the following firewall categories:
- TRUNCATE
- DROP TABLE
- ALTER SYSTEM
- LOAD
- COPY ... PROGRAM
- plain COPY
- pg_read_file(), pg_read_binary_file() and pg_stat_file()
Some of these categories block only non-superusers; others block superusers as well. A superuser is exempt from the non-superuser-class checks only when it is not listed in pg_command_fw.blocked_roles.
Important GUCs
- pg_command_fw.enabled: enables or disables all checks globally
- pg_command_fw.block_truncate
- pg_command_fw.block_drop_table
- pg_command_fw.production_schemas
- pg_command_fw.block_alter_system
- pg_command_fw.block_load
- pg_command_fw.block_copy_program
- pg_command_fw.block_copy
- pg_command_fw.block_read_file
- pg_command_fw.blocked_roles
- pg_command_fw.hint
- pg_command_fw.audit_log_enabled
Audit log
The extension writes intercepted commands to command_fw.audit_log. The fields described in the README include:
- timestamp
- session user and current user
- original query text
- command type
- target schema or object
- client address
- whether the command was blocked
- internal block reason
Examples
Block TRUNCATE and DROP TABLE in production mode:
ALTER SYSTEM SET pg_command_fw.block_truncate = on;
ALTER SYSTEM SET pg_command_fw.block_drop_table = on;
ALTER SYSTEM SET pg_command_fw.production_schemas = 'public,payments';
ALTER SYSTEM SET pg_command_fw.hint = 'Contact your DBA to request access';
SELECT pg_reload_conf();
Block a specific role from running any command governed by the firewall:
ALTER SYSTEM SET pg_command_fw.blocked_roles = 'app_deploy';
SELECT pg_reload_conf();
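An added verification script for the GUC, audit-log and example sections above; it is not part of the pg_command_fw project. It lists which pg_command_fw settings are in effect, probes TRUNCATE on a throw-away table inside a transaction that is rolled back, and then reads the audit log. It assumes a psql session as a non-superuser, that production_schemas scopes the TRUNCATE and DROP TABLE checks to the listed schemas, and that fw_probe is a placeholder table name.

```sql
-- Added verification script; not from the pg_command_fw project.
-- Run in psql as a non-superuser (some categories exempt superusers).
-- Nothing here is committed.

-- 1. Confirm the hook library is preloaded and which checks are active.
SHOW shared_preload_libraries;
SELECT name, setting, source
  FROM pg_settings
 WHERE name LIKE 'pg_command_fw.%'
 ORDER BY name;

-- 2. Probe: public is listed in production_schemas, so with
--    block_truncate = on the TRUNCATE below is expected to fail and show
--    the configured pg_command_fw.hint. The savepoint lets the session
--    recover from the error; the final ROLLBACK discards the probe table
--    without needing DROP TABLE (which the firewall also blocks here).
--    fw_probe is a placeholder name.
BEGIN;
CREATE TABLE public.fw_probe (id int);
SAVEPOINT probe;
TRUNCATE public.fw_probe;
ROLLBACK TO SAVEPOINT probe;
ROLLBACK;

-- 3. Review what the firewall recorded. Assumption: if the extension's
--    audit insert runs inside the client transaction, a rolled-back probe
--    may not appear; compare with a blocked command outside a transaction.
SELECT * FROM command_fw.audit_log;
```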