Metadata that includes database names, user names and originating application names for database connections is visible to all users sharing a multi-tenant Heroku Postgres Essential cluster. Other information, such as client IP address and query text, is not available to other users.
PostgreSQL statistics views can be used to see and understand the current state of the system. Examples of these database statistics views are pg_stat_activity, pg_stat_statements or pg_stat_ssl, for dynamic statistics, and others such as pg_stat_database for cumulative statistics.
Some of these statistics views reflect information gathered at the cluster level, which can include references to other databases running in the cluster and processes associated with them. This visibility on other running processes or databases is a consequence of the multi-tenant model of Essential-tier databases on Heroku Postgres, where many databases reside on the same Postgres cluster.
The information included in the PostgreSQL statistics views is security restricted:
Users are able to see all the information about their own sessions/processes in their particular database.
Users in a cluster can also see the existence of other sessions running on the server, as well as their corresponding username, database name and the connected application name (application_name in pg_stat_activity). These values are available to all users in the cluster (see PostgreSQL 16 reference).
Beyond these values, PostgreSQL restricts access to the rest of the fields about other sessions' metadata based on PostgreSQL's HAS_PGSTAT_PERMISSIONS checks. Only users that have specific privileges to see statistics details or are the owners of those processes or database can see their full statistics/metadata. Otherwise, if the user querying the data doesn't have privilege to read that information, PostgreSQL presents those fields as null values. Query texts for processes that are not associated with the current user are specifically displayed as "insufficient privilege".
Being able to list the database names and users is not in-itself a security flaw, but a consequence of databases co-existing in a PostgreSQL cluster. From this shared process metadata visible to other users, database and user names are always randomly autogenerated by Heroku Postgres, which makes those non-predictable and not associable to particular users.
The application_name column in pg_stat_activity includes the name of the application that is connected to a particular process, as configured by the application or framework itself. While this information is usually generic and referring to the caller process (sidekiq, pgAdmin, PostgreSQL JDBC Driver, as examples), customers are advised to ensure that their applications or systems don't include sensitive information in application_name that would be visible to other users in the cluster.
For database monitoring purposes, users can filter their queries to PostgreSQL statistics view to only retrieve the results specific to their own databases or users. For example:
-
For querying
pg_stat_statementsfor processes specific to the user database:SELECT * FROM pg_stat_statements WHERE dbid = (SELECT oid FROM pg_database WHERE datname = current_database()); -
For querying
pg_stat_activityfor processes specific to the user database:SELECT * FROM pg_stat_activity WHERE datname = (SELECT datname FROM pg_database WHERE datname = current_database());
Databases running on single-tenant plans of Heroku Postgres (standard-*, premium-*, private-* and shield-* plans) run on independent clusters.