Setting agent privileges v9
By default, the PEM agent is installed with root privileges for the operating system host and superuser privileges for the database server. These privileges allow the PEM agent to invoke unrestricted probes on the monitored host and database server about system usage, retrieving and returning the information to the PEM server.
Root user versus non-root user
PEM functionality lessens as the privileges of the PEM agent decrease. For complete functionality, run the PEM agent as root. If the PEM agent runs under the database server's service account, PEM probes don't have complete access to the statistical information used to generate reports, and functionality is limited to the capabilities of that account. If the PEM agent runs under another lesser-privileged account, functionality is limited even further.
Feature name | Works with root user | Works with non-root user | Works with remote PEM agent |
---|---|---|---|
Audit Manager | yes | The Audit Log Manager might not be able to apply requested modifications if the service can't be restarted. The user running the PEM agent might be different from the user who owns the data directory of the database server. Thus the user running the PEM agent might not be able to change the configuration and also might not be able to restart the services of the database server. | no |
Capacity Manager | yes | yes | yes Note: There's no correlation between the database server and operating system metrics |
Log Manager | yes | The Log Manager might not be able to apply requested modifications if the service can't restart. The user running the PEM agent might be different from the user who owns the data directory of the database server. Thus the user running the PEM agent might not be able to change the configuration and also might not be able to restart the services of the database server. | no |
Manage Alerts | yes | yes | yes Note: When Run Alert Script on the database server is selected, it runs on the machine where the bound PEM agent is running and not on the actual database server machine. |
Manage Charts | yes | yes | yes |
Manage Dashboards | yes | Some dashboards might not be able to show complete data. For example, columns such as swap usage, CPU usage, IO read, and IO write appear as 0 in the session activity dashboard. | Some dashboards might not be able to show complete data. For example, the operating system information of the database server doesn't appear as not available. |
Manage Probes | yes | Some of the PEM probes don't return information, and some of functionality might be affected. | Some of the PEM probes don't return information, and some of the functionality might be affected. |
Postgres Expert | yes | The Postgres Expert can access the configuration expert and schema expert but not the security expert. | The Expert provides partial information, as operating system information isn't available. |
Postgres Log Analysis Expert | yes | The Postgres Log Analysis Expert might not be able to do the analysis, as it depends on the logs imported by Log Manager, which doesn't work as required. | The Postgres Log Analysis Expert can't do the analysis, as it depends on the logs imported by Log Manager, which doesn't work as required. |
Scheduled Tasks | yes | For Linux, if the user is the same as batch_script_user in agent.cfg , then the shell script runs. | Scheduled tasks work only for the database server. Scripts run on a remote agent. |
Tuning Wizard | yes | The Tuning Wizard can't run if the service can't restart. The user running the PEM agent might be different from the user who owns the data directory of the database server. Thus the user running the PEM agent might not be able to change the configuration and also might not be able to restart the services of the database server. | no |
System Reports | yes | yes | yes |
Core Usage Reports | yes | yes | The Core usage report doesn't show complete information. For example, the platform, number of cores, and total RAM aren't displayed. |
Managing BART | yes | BART and the BART scanner might not be able to start or reload. | no Note: BART requires passwordless authentication between two machines where database server and BART are installed. |
Functionality affected by limiting operating system privileges
If you limit the operating system privileges of the PEM agent, some of the PEM probes don't return information, and the following functionality might be affected.
Note
The list isn't comprehensive but provides an overview of the type of functionality that's limited.
Probe or action | Operating system | PEM functionality affected |
---|---|---|
Data And Logfile Analysis | Linux/ Windows | The Postgres Expert can't access complete information. |
Session Information | Linux | The per-process statistics are incomplete. |
PG HBA | Linux/ Windows | The Postgres Expert can't access complete information. |
Service restart functionality | Linux/ Windows | The Audit Log Manager, Server Log Manager Log Analysis Expert, and PEM might not be able to apply requested modifications. |
Package Deployment | Linux/ Windows | PEM can't run downloaded installation modules. |
Batch Task | Windows | PEM can't run scheduled batch jobs in Windows. |
Collect data from server (root access required) | Linux/ Windows | Columns such as swap usage, CPU usage, IO read, IO write appear as 0 in the session activity dashboard. |
Functionality affected by limiting database privileges
If you restrict the database privileges of the PEM agent, the following PEM functionality might be affected:
Probe | Operating system | PEM functionality affected |
---|---|---|
Audit Log Collection | Linux/Windows | PEM receives empty data from the PEM database. |
Server Log Collection | Linux/Windows | PEM can't collect server log information. |
Database Statistics | Linux/Windows | The Database/Server Analysis dashboards contain incomplete information. |
Session Waits/System Waits | Linux/Windows | The Session/System Waits dashboards contain incomplete information. |
Locks Information | Linux/Windows | The Database/Server Analysis dashboards contain incomplete information. |
Streaming Replication | Linux/Windows | The Streaming Replication dashboard doesn't display information. |
Slony Replication | Linux/Windows | Slony-related charts on the Database Analysis dashboard don't display information. |
Tablespace Size | Linux/Windows | The Server Analysis dashboard doesn't display complete information. |
xDB Replication | Linux/Windows | PEM can't send xDB alerts and traps. |
Error handling
If the probe is querying the operating system without enough privileges, the probe might return a permission denied
error. If the probe is querying the database without enough privileges, the probe might return a permission denied
error or display the returned data in a PEM chart or graph as an empty value.
When a probe fails, an entry is written to the log file that contains the name of the probe, the reason the probe failed, and a hint that helps you resolve the problem.
You can view probe-related errors that occurred on the server in the Probe Log dashboard or review error messages in the PEM worker log files. On Linux, the default location of the log file is:
/var/log/pem/worker.log
On Windows, log information is available on the Event Viewer.