pg_command_fw
Overview
| Extension | Version | Category | License | Language |
|---|---|---|---|---|
| pg_command_fw | 0.1.0 | SEC | BSD 3-Clause | Rust |
| ID | Extension | Bin | Lib | Load | Create | Trust | Reloc | Schema |
|---|---|---|---|---|---|---|---|---|
| 7400 | pg_command_fw | No | Yes | Yes | Yes | No | No | - |
| Related extensions | pgaudit pgextwlist login_hook set_user |
|---|---|
Requires shared_preload_libraries = pg_command_fw to activate hooks for all sessions.
Versions
| Type | Repo | Version | PG Major | Package | Dependencies |
|---|---|---|---|---|---|
| EXT | PIGSTY | 0.1.0 | 18, 17, 16, 15, 14 | pg_command_fw | - |
| RPM | PIGSTY | 0.1.0 | 18, 17, 16, 15, 14 | pg_command_fw_$v | - |
| DEB | PIGSTY | 0.1.0 | 18, 17, 16, 15, 14 | postgresql-$v-pg-command-fw | - |
| OS / PG | PG18 | PG17 | PG16 | PG15 | PG14 |
|---|---|---|---|---|---|
| el8.x86_64 | pg_command_fw_18-0.1.0-1PIGSTY.el8.x86_64.rpm | pg_command_fw_17-0.1.0-1PIGSTY.el8.x86_64.rpm | pg_command_fw_16-0.1.0-1PIGSTY.el8.x86_64.rpm | pg_command_fw_15-0.1.0-1PIGSTY.el8.x86_64.rpm | PIGSTY MISS |
| el8.aarch64 | pg_command_fw_18-0.1.0-1PIGSTY.el8.aarch64.rpm | pg_command_fw_17-0.1.0-1PIGSTY.el8.aarch64.rpm | pg_command_fw_16-0.1.0-1PIGSTY.el8.aarch64.rpm | pg_command_fw_15-0.1.0-1PIGSTY.el8.aarch64.rpm | PIGSTY MISS |
| el9.x86_64 | pg_command_fw_18-0.1.0-1PIGSTY.el9.x86_64.rpm | pg_command_fw_17-0.1.0-1PIGSTY.el9.x86_64.rpm | pg_command_fw_16-0.1.0-1PIGSTY.el9.x86_64.rpm | pg_command_fw_15-0.1.0-1PIGSTY.el9.x86_64.rpm | PIGSTY MISS |
| el9.aarch64 | pg_command_fw_18-0.1.0-1PIGSTY.el9.aarch64.rpm | pg_command_fw_17-0.1.0-1PIGSTY.el9.aarch64.rpm | pg_command_fw_16-0.1.0-1PIGSTY.el9.aarch64.rpm | pg_command_fw_15-0.1.0-1PIGSTY.el9.aarch64.rpm | PIGSTY MISS |
| el10.x86_64 | pg_command_fw_18-0.1.0-1PIGSTY.el10.x86_64.rpm | pg_command_fw_17-0.1.0-1PIGSTY.el10.x86_64.rpm | pg_command_fw_16-0.1.0-1PIGSTY.el10.x86_64.rpm | pg_command_fw_15-0.1.0-1PIGSTY.el10.x86_64.rpm | PIGSTY MISS |
| el10.aarch64 | pg_command_fw_18-0.1.0-1PIGSTY.el10.aarch64.rpm | pg_command_fw_17-0.1.0-1PIGSTY.el10.aarch64.rpm | pg_command_fw_16-0.1.0-1PIGSTY.el10.aarch64.rpm | pg_command_fw_15-0.1.0-1PIGSTY.el10.aarch64.rpm | PIGSTY MISS |
| d12.x86_64 | postgresql-18-pg-command-fw_0.1.0-1PIGSTY~bookworm_amd64.deb | postgresql-17-pg-command-fw_0.1.0-1PIGSTY~bookworm_amd64.deb | postgresql-16-pg-command-fw_0.1.0-1PIGSTY~bookworm_amd64.deb | postgresql-15-pg-command-fw_0.1.0-1PIGSTY~bookworm_amd64.deb | PIGSTY MISS |
| d12.aarch64 | postgresql-18-pg-command-fw_0.1.0-1PIGSTY~bookworm_arm64.deb | postgresql-17-pg-command-fw_0.1.0-1PIGSTY~bookworm_arm64.deb | postgresql-16-pg-command-fw_0.1.0-1PIGSTY~bookworm_arm64.deb | postgresql-15-pg-command-fw_0.1.0-1PIGSTY~bookworm_arm64.deb | PIGSTY MISS |
| d13.x86_64 | postgresql-18-pg-command-fw_0.1.0-1PIGSTY~trixie_amd64.deb | postgresql-17-pg-command-fw_0.1.0-1PIGSTY~trixie_amd64.deb | postgresql-16-pg-command-fw_0.1.0-1PIGSTY~trixie_amd64.deb | postgresql-15-pg-command-fw_0.1.0-1PIGSTY~trixie_amd64.deb | PIGSTY MISS |
| d13.aarch64 | postgresql-18-pg-command-fw_0.1.0-1PIGSTY~trixie_arm64.deb | postgresql-17-pg-command-fw_0.1.0-1PIGSTY~trixie_arm64.deb | postgresql-16-pg-command-fw_0.1.0-1PIGSTY~trixie_arm64.deb | postgresql-15-pg-command-fw_0.1.0-1PIGSTY~trixie_arm64.deb | PIGSTY MISS |
| u22.x86_64 | postgresql-18-pg-command-fw_0.1.0-1PIGSTY~jammy_amd64.deb | postgresql-17-pg-command-fw_0.1.0-1PIGSTY~jammy_amd64.deb | postgresql-16-pg-command-fw_0.1.0-1PIGSTY~jammy_amd64.deb | postgresql-15-pg-command-fw_0.1.0-1PIGSTY~jammy_amd64.deb | PIGSTY MISS |
| u22.aarch64 | postgresql-18-pg-command-fw_0.1.0-1PIGSTY~jammy_arm64.deb | postgresql-17-pg-command-fw_0.1.0-1PIGSTY~jammy_arm64.deb | postgresql-16-pg-command-fw_0.1.0-1PIGSTY~jammy_arm64.deb | postgresql-15-pg-command-fw_0.1.0-1PIGSTY~jammy_arm64.deb | PIGSTY MISS |
| u24.x86_64 | postgresql-18-pg-command-fw_0.1.0-1PIGSTY~noble_amd64.deb | postgresql-17-pg-command-fw_0.1.0-1PIGSTY~noble_amd64.deb | postgresql-16-pg-command-fw_0.1.0-1PIGSTY~noble_amd64.deb | postgresql-15-pg-command-fw_0.1.0-1PIGSTY~noble_amd64.deb | PIGSTY MISS |
| u24.aarch64 | postgresql-18-pg-command-fw_0.1.0-1PIGSTY~noble_arm64.deb | postgresql-17-pg-command-fw_0.1.0-1PIGSTY~noble_arm64.deb | postgresql-16-pg-command-fw_0.1.0-1PIGSTY~noble_arm64.deb | postgresql-15-pg-command-fw_0.1.0-1PIGSTY~noble_arm64.deb | PIGSTY MISS |
| u26.x86_64 | PIGSTY MISS | PIGSTY MISS | PIGSTY MISS | PIGSTY MISS | PIGSTY MISS |
| u26.aarch64 | postgresql-18-pg-command-fw_0.1.0-2PIGSTY~resolute_arm64.deb | postgresql-17-pg-command-fw_0.1.0-2PIGSTY~resolute_arm64.deb | postgresql-16-pg-command-fw_0.1.0-2PIGSTY~resolute_arm64.deb | postgresql-15-pg-command-fw_0.1.0-2PIGSTY~resolute_arm64.deb | PIGSTY MISS |
Build
You can build the RPM / DEB package for the pg_command_fw extension with the pig build command:
pig build pkg pg_command_fw # build the RPM / DEB package
Install
You can install the prebuilt pg_command_fw package directly; first make sure the PGDG and PIGSTY repositories have been added and enabled:
pig repo add pgsql -u # add the repositories and refresh the cache
Install the extension with pig, or with apt/yum/dnf:
pig install pg_command_fw; # install for the currently active PG version
pig ext install -y pg_command_fw -v 18 # PG 18
pig ext install -y pg_command_fw -v 17 # PG 17
pig ext install -y pg_command_fw -v 16 # PG 16
pig ext install -y pg_command_fw -v 15 # PG 15
dnf install -y pg_command_fw_18 # PG 18
dnf install -y pg_command_fw_17 # PG 17
dnf install -y pg_command_fw_16 # PG 16
dnf install -y pg_command_fw_15 # PG 15
apt install -y postgresql-18-pg-command-fw # PG 18
apt install -y postgresql-17-pg-command-fw # PG 17
apt install -y postgresql-16-pg-command-fw # PG 16
apt install -y postgresql-15-pg-command-fw # PG 15
Preload configuration:
shared_preload_libraries = 'pg_command_fw';
Create the extension:
CREATE EXTENSION pg_command_fw;
Usage
- Source: README
pg_command_fw is a PostgreSQL command firewall. It intercepts DDL and utility commands through the ProcessUtility hook, and blocks some built-in file-reading functions through the post-parse analyze hook. Each command category is controlled by its own GUC.
Enabling the extension
The extension must be preloaded:
shared_preload_libraries = 'pg_command_fw'
Then enable it in the database:
CREATE EXTENSION pg_command_fw;
The Pigsty package metadata records version 0.1.0, covers PostgreSQL 15-18, and notes that the library must be preloaded for the hooks to be active in all sessions. The upstream README likewise documents PostgreSQL 15-18 support.
Command categories
The upstream README documents these firewall categories:
- TRUNCATE: pg_command_fw.block_truncate, default on, blocks non-superusers.
- DROP TABLE: pg_command_fw.block_drop_table, default off; when enabled, blocks non-superusers.
- ALTER SYSTEM: pg_command_fw.block_alter_system, default on, blocks everyone.
- LOAD: pg_command_fw.block_load, default on, blocks everyone.
- COPY ... PROGRAM: pg_command_fw.block_copy_program, default on, blocks everyone.
- Plain COPY: pg_command_fw.block_copy, default off; when enabled, blocks non-superusers.
- pg_read_file(), pg_read_binary_file() and pg_stat_file(): pg_command_fw.block_read_file, default on, blocks everyone.
Some categories block only non-superusers; others block everyone, superusers included. Superusers are exempt only from the non-superuser categories, unless they are explicitly listed in pg_command_fw.blocked_roles.
Key GUCs
- pg_command_fw.enabled: enables or disables all checks
- pg_command_fw.block_truncate
- pg_command_fw.block_drop_table
- pg_command_fw.production_schemas
- pg_command_fw.block_alter_system
- pg_command_fw.block_load
- pg_command_fw.block_copy_program
- pg_command_fw.block_copy
- pg_command_fw.block_read_file
- pg_command_fw.blocked_roles
- pg_command_fw.hint
- pg_command_fw.audit_log_enabled
When production_schemas is set, the DROP TABLE check is limited to explicitly schema-qualified table names in those schemas; the README notes that unqualified names are not resolved through search_path.
Audit log
The extension records intercepted commands in command_fw.audit_log. The columns documented in the README include:
- timestamp
- session user and current user names
- original query text
- command type
- target schema or object
- client address
- whether the command was blocked
- internal block reason
The audit insert for a blocked command is best-effort, because that row is rolled back together with the blocked transaction; use the PostgreSQL server log as the authoritative record of blocked events.
Examples
Block TRUNCATE and DROP TABLE in the production schemas:
ALTER SYSTEM SET pg_command_fw.block_truncate = on;
ALTER SYSTEM SET pg_command_fw.block_drop_table = on;
ALTER SYSTEM SET pg_command_fw.production_schemas = 'public,payments';
ALTER SYSTEM SET pg_command_fw.hint = 'Contact your DBA to request access';
SELECT pg_reload_conf();
Block a specific role from running any governed command:
ALTER SYSTEM SET pg_command_fw.blocked_roles = 'app_deploy';
SELECT pg_reload_conf();
Temporarily disable the firewall in a maintenance session:
SET pg_command_fw.enabled = off;
TRUNCATE big_table;
SET pg_command_fw.enabled = on;
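The following SQL is an added set of checks, not part of the README or the Pigsty catalogue: it confirms that the hooks are actually active and shows which policy is in force, using only core PostgreSQL catalogs plus the command_fw.audit_log table the README names. One caveat before running the examples above: the README states that block_alter_system defaults to on and blocks everyone, so on a default configuration the ALTER SYSTEM statements may themselves be refused unless the extension exempts its own settings; if that happens, put the values in postgresql.conf (or a file it includes) and reload instead.

```sql
-- Added verification queries (not from the pg_command_fw README). Only core
-- catalogs and the command_fw.audit_log table documented above are used.

-- 1. Hooks exist only if the library was preloaded: the value must list pg_command_fw.
SHOW shared_preload_libraries;

-- 2. The extension has to be created in each database where the audit table is wanted.
SELECT extname, extversion
FROM pg_extension
WHERE extname = 'pg_command_fw';

-- 3. Effective firewall policy: every pg_command_fw.* GUC with its current value,
--    its compiled-in default, where the value came from, and the level at which
--    it can be changed. Compare against the defaults listed in "Command categories".
SELECT name, setting, boot_val, source, context
FROM pg_settings
WHERE name LIKE 'pg_command_fw.%'
ORDER BY name;

-- 4. Spot-check the settings the examples above depend on; both should read 'on'
--    outside a maintenance session.
SHOW pg_command_fw.enabled;
SHOW pg_command_fw.block_truncate;

-- 5. Review what the firewall recorded. Rows for blocked commands are best-effort
--    (they roll back with the blocked transaction), so an empty result does not
--    prove that nothing was blocked.
SELECT *
FROM command_fw.audit_log;

-- 6. The authoritative record is the server log. pg_current_logfile() tells you
--    where it is, but pg_read_file() is itself blocked by block_read_file (default on),
--    so read the file on the host rather than from SQL.
SELECT pg_current_logfile();
```

Run the checks as a superuser in each database where the extension is created; step 3 is the one worth scripting into routine configuration review, since a drifted value there silently widens what the firewall allows.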