Setting agent privileges v10
By default, the PEM agent is installed with root privileges for the operating system host and superuser privileges for the database server. These privileges allow the PEM agent to invoke unrestricted probes on the monitored host and database server about system usage, retrieving and returning the information to the PEM server.
Root user versus non-root user
PEM functionality lessens as the privileges of the PEM agent decrease. For complete functionality, run the PEM agent as root. The table below gives a high-level summary of the effects of limiting privileges. Further details are provided in the subsequent sections.
| Feature name | Works with root user | Works with non-root user | Works with remote PEM agent |
|---|---|---|---|
| Audit Manager | yes | The Audit Log Manager might not be able to apply requested modifications if the service can't be restarted. The user running the PEM agent might be different from the user who owns the data directory of the database server. Thus the user running the PEM agent might not be able to change the configuration and also might not be able to restart the services of the database server. | no |
| Capacity Manager | yes | yes | yes Note: There's no correlation between the database server and operating system metrics |
| Log Manager | yes | The Log Manager might not be able to apply requested modifications if the service can't restart. The user running the PEM agent might be different from the user who owns the data directory of the database server. Thus the user running the PEM agent might not be able to change the configuration and also might not be able to restart the services of the database server. | no |
| Manage Alerts | yes | yes | yes Note: When Run Alert Script on the database server is selected, it runs on the machine where the bound PEM agent is running and not on the actual database server machine. |
| Manage Charts | yes | yes | yes |
| Manage Dashboards | yes | Some dashboards might not be able to show complete data - see below for more details. | Some dashboards might not be able to show complete data. For example, the operating system information of the database server doesn't appear as not available. |
| Manage Probes | yes | Some PEM probes cannot run, and some return incomplete data - see below for more details. | Some of the PEM probes don't return information, and some of the functionality might be affected. |
| Scheduled Tasks | yes | Limited - see below for more details. | Scheduled tasks work only for the database server. Scripts run on a remote agent. |
| System Reports | yes | yes | yes |
| Core Usage Reports | yes | yes | The Core usage report doesn't show complete information. For example, the platform, number of cores, and total RAM aren't displayed. |
Functionality affected by limiting operating system privileges
If you run the PEM agent as a non-root user, the level of functionality will depend on what exactly permissions the agent user has. The following sections explain what operations are impacted by OS user permissions and what permissions are required for normal operation.
Probes
| Probe | Operating system | PEM functionality affected |
|---|---|---|
| Session Information | Linux/Windows | The probe will be missing the following ‘per-process’ columns if the agent user is not either root or the same user as Postgres: memory_usage_mb, swap_usage_mb, cpu_usage, io_read_bytes, io_write_bytes. |
| Patroni Node Status | Linux/Windows | Requires permission to execute patronictl. No data will be returned otherwise. |
| Patroni Cluster Status | Linux/Windows | Requires permission to execute patronictl. No data will be returned otherwise. |
| PG HBA Conf | Linux/Windows | Requires permission to read pg_hba.conf. No data will be returned otherwise. |
| Data and Log File Analysis | Linux/Windows | Requires permission to read PGDATA. No data will be returned otherwise. |
| WAL Archive Status | Linux/Windows | Requires read access to the WAL directory. No data will be returned otherwise. |
| Failover Manager Node Status | Linux/Windows | Requires permission to execute efm. No data will be returned otherwise. |
| Failover Manager Cluster Info | Linux/Windows | Requires permission to execute efm. No data will be returned otherwise. |
Restarting services
The Audit Log Manager and Server Log Manager require the PEM agent user to restart the Postgres service for changes to take effect. If the agent user does not have sufficient privileges to restart services (typically, this requires root access), these features will not be functional.
Batch/shell tasks
On Windows, the PEM Agent cannot run batch tasks unless the agent user has administrative privileges.
On Linux, the PEM Agent can only run shell tasks if the agent user can become the batch_script_user specified in agent.cfg.
This is always true for the root user and the batch_script_user.
Functionality affected by limiting database privileges
If the PEM agent connects to the monitored database using a non-superuser account, the available functionality will be limited based on the specific privileges granted to that user. The following sections describe which PEM operations are affected by Postgres user permissions and what privileges are required for standard monitoring functionality.
The PEM agent reads data from the pg_catalog schema for most SQL-based probes. In general, assigning the pg_monitor role to the agent user is sufficient. However, certain catalog functions and probes may require additional privileges beyond pg_monitor.
Additionally, the agent user must be able to connect to all target databases where probes need to run.
If the agent cannot connect to a database, no database-level probes will be executed on that instance. Only server-level metrics—such as those collected from pg_stat_database—will be available in such cases.
The following table lists probes that require permissions in addition to pg_monitor.
| Probe | Operating system | Additional permissions required |
|---|---|---|
| All PGD probes | Linux/Windows | Require SELECT permission on tables and views, and EXECUTE permission on functions, in the bdr schema of the replicated database. |
| Number of WAL Files | Linux/Windows | Requires EXECUTE on pg_ls_dir(). |
| Streaming Replication Lag Time | Linux/Windows | Requires the ability to execute pg_last_xlog_receive_location(), pg_last_xlog_replay_location(), and pg_last_xact_replay_timestamp(). This can be provided by granting the pg_wal_monitor role. |
| Streaming Replication | Linux/Windows | Requires the ability to execute pg_xlogfile_name_offset() and pg_xlog_location_diff(). This can be provided by granting the pg_wal_monitor role. |
| System Waits & Session Waits | Linux/Windows | Require SELECT permission on the system_waits and session_waits views respectively. |
| SQL Protect | Linux/Windows | Requires SELECT on sqlprotect.edb_sql_protect_stats. |
| User Information | Linux/Windows | Requires SELECT on pg_user. |
| xDB Replication | Linux/Windows | Requires SELECT on EDB Replicator views. |
Error handling
If the probe is querying the operating system without enough privileges, the probe might return a permission denied error. If the probe is querying the database without enough privileges, the probe might return a permission denied error or display the returned data in a PEM chart or graph as an empty value.
When a probe fails, an entry is written to the log file that contains the name of the probe, the reason the probe failed, and a hint that helps you resolve the problem.
You can view probe-related errors that occurred on the server in the Probe Log dashboard or review error messages in the PEM worker log files. On Linux, the default location of the log file is:
/var/log/pem/worker.log
On Windows, log information is available on the Event Viewer.