pgaudit 有効化

$ psql -U hayashier -h postgres-test.c5x5yhkaqvsm.us-west-2.rds.amazonaws.com -d test
Password for user hayashier: 
psql (9.6.8, server 9.6.6)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

test=> CREATE ROLE rds_pgaudit;
CREATE ROLE

パラメータグループで、pgaudit.roleの値をrds_pgaudit,shared_preload_librariesの値をpgauditに変更し再起動後、変更が適用される。

$ aws rds modify-db-parameter-group    --db-parameter-group-name psql9-6-parameter-groups    --parameters "ParameterName=pgaudit.role,ParameterValue=rds_pgaudit,ApplyMethod=pending-reboot"    --parameters "ParameterName=shared_preload_libraries,ParameterValue=pgaudit,ApplyMethod=pending-reboot"    --region us-west-2;
{
    "DBParameterGroupName": "psql9-6-parameter-groups"
}
$ aws rds reboot-db-instance --db-instance-identifier postgres-test --region us-west-2
{
    "DBInstance": {
        "PubliclyAccessible": false, 
        "MasterUsername": "hayashier", 
        "MonitoringInterval": 60, 
        "LicenseModel": "postgresql-license", 
:
:

shared_preload_librariesにpgaudit, pgaudit.roleにrds_pgauditが設定されていることを確認。

test=> SHOW shared_preload_libraries;
 shared_preload_libraries 
--------------------------
 rdsutils,pgaudit
(1 row)

test=> SHOW pgaudit.role;
 pgaudit.role 
--------------
 rds_pgaudit
(1 row)

監査ログが出力されることのテスト

test=> CREATE TABLE t1 (id int);
CREATE TABLE
test=> GRANT SELECT ON t1 TO rds_pgaudit;
GRANT
test=> SELECT * FROM t1;
 id 
----
(0 rows)

error/postgresql.log.20YY-MM-dd-hh に監査ログが出力されていることを確認。

2018-07-29 10:49:29 UTC:172.31.19.138(54768):hayashier@test:[22378]:LOG: AUDIT: OBJECT,1,1,READ,SELECT,TABLE,public.t1,SELECT * FROM t1;,<not logged>

pg_repack 導入

pg_repackの導入

test=> CREATE EXTENSION pg_repack;
CREATE EXTENSION
test=> ALTER DEFAULT PRIVILEGES IN SCHEMA repack GRANT INSERT ON TABLES TO PUBLIC;
ALTER DEFAULT PRIVILEGES
test=> ALTER DEFAULT PRIVILEGES IN SCHEMA repack GRANT USAGE, SELECT ON SEQUENCES TO PUBLIC;
ALTER DEFAULT PRIVILEGES

pg_repackのクライアントをインストール。RDS PostgreSQL 9.6.6を使用し、こちらはpg_repack 1.4.2に対応しているので、こちらのバージョンをインストール (参照: https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.FeatureSupport.Extensions.96x)

$ sudo yum install postgresql96-static -y
$ wget http://api.pgxn.org/dist/pg_repack/1.4.2/pg_repack-1.4.2.zip pg_repack-1.4.2.zip
$ unzip pg_repack-1.4.2.zip
$ cd pg_repack-1.4.2
$ make
$ sudo make install

pg_repackがインストールされたことの確認

$ ~/pg_repack-1.4.2/bin/pg_repack --version
pg_repack 1.4.2
test=> select * from pg_extension;
      extname       | extowner | extnamespace | extrelocatable | extversion | extconfig | extcondition 
--------------------+----------+--------------+----------------+------------+-----------+--------------
 plpgsql            |       10 |           11 | f              | 1.0        |           | 
 pg_stat_statements |       10 |         2200 | t              | 1.4        |           | 
 pgaudit            |       10 |         2200 | t              | 1.0        |           | 
 pg_repack          |       10 |         2200 | f              | 1.4.2      |           | 
(4 rows)

pg_repackを実行

$ ~/pg_repack-1.4.2/bin/pg_repack --no-superuser-check --table=testtbl --dbname=test --host=postgres-test.c5x5yhkaqvsm.us-west-2.rds.amazonaws.com --port=5432 --username=hayashier --password --elevel=DEBUG 
DEBUG: No workers to disconnect.
Password: 
Password: 
INFO: repacking table "testtbl"
DEBUG: ---- repack_one_table ----
DEBUG: target_name       : testtbl
:
:

PostGIS 導入

ユーザー作成と権限の付与

$ psql -U hayashier -h postgres-test.c5x5yhkaqvsm.us-west-2.rds.amazonaws.com -d test
Password for user hayashier: 
psql (9.6.8, server 9.6.6)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

test=> CREATE USER u1 WITH PASSWORD 'password';
CREATE ROLE
test=> ALTER ROLE u1 CREATEDB;
ALTER ROLE
test=> GRANT RDS_SUPERUSER TO u1;
GRANT ROLE
test=> CREATE DATABASE u1db1;
CREATE DATABASE
test=> \c u1db1
psql (9.6.8, server 9.6.6)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
You are now connected to database "u1db1" as user "hayashier".
u1db1=> \du
                                                   List of roles
    Role name    |                         Attributes                         |              Member of              
-----------------+------------------------------------------------------------+-------------------------------------
 hayashier        | Create role, Create DB                                    +| {rds_superuser}
                 | Password valid until infinity                              | 
 rds_replication | Cannot login                                               | {}
 rds_superuser   | Cannot login                                               | {rds_replication,pg_signal_backend}
 rdsadmin        | Superuser, Create role, Create DB, Replication, Bypass RLS+| {}
                 | Password valid until infinity                              | 
 rdsrepladmin    | No inheritance, Replication                               +| {}
                 | Password valid until infinity                              | 
 u1              | Create DB                                                  | {rds_superuser}

PostGISのインストール

u1db1=> CREATE EXTENSION postgis;
CREATE EXTENSION
u1db1=> CREATE EXTENSION fuzzystrmatch;
CREATE EXTENSION
u1db1=> CREATE EXTENSION postgis_tiger_geocoder;
CREATE EXTENSION
u1db1=> CREATE EXTENSION postgis_topology;
CREATE EXTENSION
u1db1=> ALTER SCHEMA tiger owner TO rds_superuser;
ALTER SCHEMA
u1db1=> ALTER SCHEMA tiger_data owner TO rds_superuser;
ALTER SCHEMA
u1db1=> ALTER SCHEMA topology owner TO rds_superuser;
ALTER SCHEMA
u1db1=> CREATE FUNCTION exec(text) returns text language plpgsql volatile AS $f$ BEGIN EXECUTE $1; RETURN $1; END; $f$;
CREATE FUNCTION
u1db1=> SELECT exec('ALTER TABLE ' || quote_ident(s.nspname) || '.' || quote_ident(s.relname) || ' OWNER TO rds_superuser;')
u1db1->   FROM (
u1db1(>     SELECT nspname, relname
u1db1(>     FROM pg_class c JOIN pg_namespace n ON (c.relnamespace = n.oid)
u1db1(>     WHERE nspname in ('tiger','topology') AND
u1db1(>     relkind IN ('r','S','v') ORDER BY relkind = 'S')
u1db1-> s;
                                exec                                
--------------------------------------------------------------------
 ALTER TABLE tiger.loader_variables OWNER TO rds_superuser;
 ALTER TABLE tiger.loader_lookuptables OWNER TO rds_superuser;
 ALTER TABLE tiger.street_type_lookup OWNER TO rds_superuser;
 ALTER TABLE tiger.tract OWNER TO rds_superuser;
 ALTER TABLE tiger.place_lookup OWNER TO rds_superuser;
 ALTER TABLE tiger.tabblock OWNER TO rds_superuser;
 ALTER TABLE tiger.county_lookup OWNER TO rds_superuser;
 ALTER TABLE tiger.bg OWNER TO rds_superuser;
 ALTER TABLE tiger.countysub_lookup OWNER TO rds_superuser;
 ALTER TABLE tiger.pagc_gaz OWNER TO rds_superuser;
 ALTER TABLE tiger.featnames OWNER TO rds_superuser;
 ALTER TABLE tiger.pagc_lex OWNER TO rds_superuser;
 ALTER TABLE tiger.zip_lookup_all OWNER TO rds_superuser;
 ALTER TABLE tiger.pagc_rules OWNER TO rds_superuser;
 ALTER TABLE tiger.zip_lookup_base OWNER TO rds_superuser;
 ALTER TABLE topology.topology OWNER TO rds_superuser;
 ALTER TABLE topology.layer OWNER TO rds_superuser;
 ALTER TABLE tiger.zip_lookup OWNER TO rds_superuser;
 ALTER TABLE tiger.addr OWNER TO rds_superuser;
 ALTER TABLE tiger.county OWNER TO rds_superuser;
 ALTER TABLE tiger.faces OWNER TO rds_superuser;
 ALTER TABLE tiger.state OWNER TO rds_superuser;
 ALTER TABLE tiger.geocode_settings OWNER TO rds_superuser;
 ALTER TABLE tiger.place OWNER TO rds_superuser;
 ALTER TABLE tiger.zip_state OWNER TO rds_superuser;
 ALTER TABLE tiger.zip_state_loc OWNER TO rds_superuser;
 ALTER TABLE tiger.geocode_settings_default OWNER TO rds_superuser;
 ALTER TABLE tiger.cousub OWNER TO rds_superuser;
 ALTER TABLE tiger.direction_lookup OWNER TO rds_superuser;
 ALTER TABLE tiger.edges OWNER TO rds_superuser;
 ALTER TABLE tiger.secondary_unit_lookup OWNER TO rds_superuser;
 ALTER TABLE tiger.addrfeat OWNER TO rds_superuser;
 ALTER TABLE tiger.state_lookup OWNER TO rds_superuser;
 ALTER TABLE tiger.zcta5 OWNER TO rds_superuser;
 ALTER TABLE tiger.loader_platform OWNER TO rds_superuser;
 ALTER TABLE tiger.pagc_lex_id_seq OWNER TO rds_superuser;
 ALTER TABLE tiger.featnames_gid_seq OWNER TO rds_superuser;
 ALTER TABLE tiger.addr_gid_seq OWNER TO rds_superuser;
 ALTER TABLE tiger.zcta5_gid_seq OWNER TO rds_superuser;
 ALTER TABLE tiger.county_gid_seq OWNER TO rds_superuser;
 ALTER TABLE tiger.state_gid_seq OWNER TO rds_superuser;
 ALTER TABLE tiger.place_gid_seq OWNER TO rds_superuser;
 ALTER TABLE tiger.cousub_gid_seq OWNER TO rds_superuser;
 ALTER TABLE tiger.edges_gid_seq OWNER TO rds_superuser;
 ALTER TABLE tiger.addrfeat_gid_seq OWNER TO rds_superuser;
 ALTER TABLE tiger.faces_gid_seq OWNER TO rds_superuser;
 ALTER TABLE tiger.tract_gid_seq OWNER TO rds_superuser;
 ALTER TABLE tiger.tabblock_gid_seq OWNER TO rds_superuser;
 ALTER TABLE tiger.bg_gid_seq OWNER TO rds_superuser;
 ALTER TABLE tiger.pagc_gaz_id_seq OWNER TO rds_superuser;
 ALTER TABLE tiger.pagc_rules_id_seq OWNER TO rds_superuser;
 ALTER TABLE topology.topology_id_seq OWNER TO rds_superuser;
(52 rows)

u1db1=> SET search_path=public,tiger;
SET
u1db1=> \dn
      List of schemas
    Name    |     Owner     
------------+---------------
 public     | hayashier
 tiger      | rds_superuser
 tiger_data | rds_superuser
 topology   | rds_superuser
(4 rows)

インストールされたことの確認

u1db1=> select postgis_version();
            postgis_version            
---------------------------------------
 2.3 USE_GEOS=1 USE_PROJ=1 USE_STATS=1
(1 row)

動作確認

u1db1=> SELECT na.address, na.streetname, na.streettypeabbrev, na.zip FROM normalize_address('1 Devonshire Place, Boston, MA 02109') AS na;
 address | streetname | streettypeabbrev |  zip  
---------+------------+------------------+-------
       1 | Devonshire | Pl               | 02109
(1 row)

u1db1=> SELECT topology.createtopology('my_new_topo',26986,0.5);
 createtopology 
----------------
              1
(1 row)

u1db1=> SELECT box2d(ST_GeomFromText('LINESTRING(1 2,3 4, 5 6)'));
    box2d     
--------------
 BOX(1 2,5 6)
(1 row)

pgBadger

ログをパースした結果が分かりやすくビジュアライズされる。

ツールをダウンロール。ツールは、pgbadgerというPerlのスクリプト。
バージョンはこちらで確認 https://github.com/dalibo/pgbadger/releases

$ wget https://github.com/dalibo/pgbadger/archive/v9.2.zip
$ unzip v9.2.zip 
$ cd pgbadger-9.2/
$ chmod +x pgbadger 

pgBadgerの実行。実行後、out.htmlという内容がBase64されたHTMLファイルが生成される。

$ ./pgbadger -p '%t:%r:%u@%d:[%p]:' postgresql.log.2018-07-29-10
[========================>] Parsed 7518 bytes of 7518 (100.00%), queries: 0, events: 8
LOG: Ok, generating html report...

pg_config の内容確認

test=> select * from pg_config();
       name        |                                                                                                                     setting                                                                    

-------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------
 BINDIR            | /rdsdbbin/postgres-9.6.6.R1/bin
 DOCDIR            | /rdsdbbin/postgres-9.6.6.R1/share/doc
 HTMLDIR           | /rdsdbbin/postgres-9.6.6.R1/share/doc
 INCLUDEDIR        | /rdsdbbin/postgres-9.6.6.R1/include
 PKGINCLUDEDIR     | /rdsdbbin/postgres-9.6.6.R1/include
 INCLUDEDIR-SERVER | /rdsdbbin/postgres-9.6.6.R1/include/server
 LIBDIR            | /rdsdbbin/postgres-9.6.6.R1/lib
 PKGLIBDIR         | /rdsdbbin/postgres-9.6.6.R1/lib
 LOCALEDIR         | /rdsdbbin/postgres-9.6.6.R1/share/locale
 MANDIR            | /rdsdbbin/postgres-9.6.6.R1/share/man
 SHAREDIR          | /rdsdbbin/postgres-9.6.6.R1/share
 SYSCONFDIR        | /rdsdbbin/postgres-9.6.6.R1/etc
 PGXS              | /rdsdbbin/postgres-9.6.6.R1/lib/pgxs/src/makefiles/pgxs.mk
 CONFIGURE         | '--prefix=/rdsdbbin/postgres-9.6.6.R1' '--with-openssl' '--with-perl' '--with-tcl' '--with-ossp-uuid' '--with-libxml' '--with-libraries=/rdsdbbin/postgres-9.6.6.R1/lib' '--with-includes=/rdsd
bbin/postgres-9.6.6.R1/include' '--enable-debug'
 CC                | gcc
 CPPFLAGS          | -D_GNU_SOURCE -I/usr/include/libxml2 -I/rdsdbbin/postgres-9.6.6.R1/include
 CFLAGS            | -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -fexcess-precision=standard -
g -O2
 CFLAGS_SL         | -fPIC
 LDFLAGS           | -L../../src/common -L/rdsdbbin/postgres-9.6.6.R1/lib -Wl,--as-needed -Wl,-rpath,'/rdsdbbin/postgres-9.6.6.R1/lib',--enable-new-dtags
 LDFLAGS_EX        | 
 LDFLAGS_SL        | 
 LIBS              | -lpgcommon -lpgport -lxml2 -lssl -lcrypto -lz -lreadline -lrt -lcrypt -ldl -lm  
 VERSION           | PostgreSQL 9.6.6
(23 rows)

REFERENCE

  • PostgreSQL の一般的な DBA タスク – Amazon Relational Database Service
    • URL: https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.html

コメントを残す

メールアドレスが公開されることはありません。 * が付いている欄は必須項目です