diff --git a/mysql-test/suite/plugins/r/server_audit.result b/mysql-test/suite/plugins/r/server_audit.result index 89f1c69a746..7c287b369b1 100644 --- a/mysql-test/suite/plugins/r/server_audit.result +++ b/mysql-test/suite/plugins/r/server_audit.result @@ -227,6 +227,21 @@ set global server_audit_logging= on; disconnect cn1; drop user user1@localhost; set global server_audit_events=''; +CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest'; +CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd'; +connect(localhost,plug,plug_dest,test,MYSQL_PORT,MYSQL_SOCK); +connect plug_con,localhost,plug,plug_dest; +ERROR 28000: Access denied for user 'plug'@'localhost' (using password: YES) +GRANT PROXY ON plug_dest TO plug; +connect plug_con,localhost,plug,plug_dest; +connection plug_con; +select USER(),CURRENT_USER(); +USER() CURRENT_USER() +plug@localhost plug_dest@% +connection default; +disconnect plug_con; +DROP USER plug; +DROP USER plug_dest; set global server_audit_query_log_limit= 15; select (1), (2), (3), (4); 1 2 3 4 @@ -404,6 +419,46 @@ TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv, TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv, TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping, TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0 +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,columns_priv, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping, +TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER plug IDENTIFIED WITH \'test_plugin_server\' AS \'plug_dest\'',0 +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,columns_priv, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping, +TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER plug_dest IDENTIFIED BY *****',0 +TIME,HOSTNAME,plug,localhost,ID,0,FAILED_CONNECT,,,ID +TIME,HOSTNAME,plug,localhost,ID,0,DISCONNECT,,,0 +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv, +TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'GRANT PROXY ON plug_dest TO plug',0 +TIME,HOSTNAME,plug,localhost,ID,0,PROXY_CONNECT,test,`plug_dest`@`%`,0 +TIME,HOSTNAME,plug,localhost,ID,0,CONNECT,test,,0 +TIME,HOSTNAME,plug,localhost,ID,0,DISCONNECT,test,,0 +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,columns_priv, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping, +TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'DROP USER plug',0 +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,columns_priv, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv, +TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping, +TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'DROP USER plug_dest',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global serv',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'select (1), (2)',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'select \'A\', ',0 diff --git a/mysql-test/suite/plugins/t/server_audit.test b/mysql-test/suite/plugins/t/server_audit.test index 7f1653ee444..397dd554962 100644 --- a/mysql-test/suite/plugins/t/server_audit.test +++ b/mysql-test/suite/plugins/t/server_audit.test @@ -1,4 +1,4 @@ - +--source include/have_plugin_auth.inc --source include/not_embedded.inc if (!$SERVER_AUDIT_SO) { @@ -174,6 +174,25 @@ drop user user1@localhost; set global server_audit_events=''; +CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest'; +CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd'; +--sleep 2 +--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK +--error ER_ACCESS_DENIED_ERROR : this should fail : no grant +connect(plug_con,localhost,plug,plug_dest); +--sleep 2 +GRANT PROXY ON plug_dest TO plug; +--sleep 2 +connect(plug_con,localhost,plug,plug_dest); +connection plug_con; +select USER(),CURRENT_USER(); +connection default; +disconnect plug_con; +--sleep 2 +--sleep 2 +DROP USER plug; +DROP USER plug_dest; + set global server_audit_query_log_limit= 15; select (1), (2), (3), (4); select 'A', 'B', 'C', 'D'; diff --git a/plugin/server_audit/server_audit.c b/plugin/server_audit/server_audit.c index 4e45b36ec3e..6badbbfedf7 100644 --- a/plugin/server_audit/server_audit.c +++ b/plugin/server_audit/server_audit.c @@ -15,7 +15,7 @@ #define PLUGIN_VERSION 0x104 -#define PLUGIN_STR_VERSION "1.4.8" +#define PLUGIN_STR_VERSION "1.4.10" #define _my_thread_var loc_thread_var @@ -326,6 +326,10 @@ struct connection_info char query_buffer[1024]; time_t query_time; int log_always; + char proxy[64]; + int proxy_length; + char proxy_host[64]; + int proxy_host_length; }; #define DEFAULT_FILENAME_LEN 16 @@ -1130,9 +1134,13 @@ static void setup_connection_simple(struct connection_info *ci) ci->ip_length= 0; ci->query_length= 0; ci->header= 0; + ci->proxy_length= 0; } +#define MAX_HOSTNAME 61 +#define USERNAME_LENGTH 384 + static void setup_connection_connect(struct connection_info *cn, const struct mysql_event_connection *event) { @@ -1149,6 +1157,29 @@ static void setup_connection_connect(struct connection_info *cn, get_str_n(cn->ip, &cn->ip_length, sizeof(cn->ip), event->ip, event->ip_length); cn->header= 0; + if (event->proxy_user && event->proxy_user[0]) + { + const char *priv_host= event->proxy_user + + sizeof(char[MAX_HOSTNAME+USERNAME_LENGTH+5]); + size_t priv_host_length; + + if (mysql_57_started) + { + priv_host+= sizeof(size_t); + priv_host_length= *(size_t *) (priv_host + MAX_HOSTNAME); + } + else + priv_host_length= strlen(priv_host); + + + get_str_n(cn->proxy, &cn->proxy_length, sizeof(cn->proxy), + event->priv_user, event->priv_user_length); + get_str_n(cn->proxy_host, &cn->proxy_host_length, + sizeof(cn->proxy_host), + priv_host, priv_host_length); + } + else + cn->proxy_length= 0; } @@ -1348,6 +1379,31 @@ static size_t log_header(char *message, size_t message_len, } +static int log_proxy(const struct connection_info *cn, + const struct mysql_event_connection *event) + +{ + time_t ctime; + size_t csize; + char message[1024]; + + (void) time(&ctime); + csize= log_header(message, sizeof(message)-1, &ctime, + servhost, servhost_len, + cn->user, cn->user_length, + cn->host, cn->host_length, + cn->ip, cn->ip_length, + event->thread_id, 0, "PROXY_CONNECT"); + csize+= my_snprintf(message+csize, sizeof(message) - 1 - csize, + ",%.*s,`%.*s`@`%.*s`,%d", cn->db_length, cn->db, + cn->proxy_length, cn->proxy, + cn->proxy_host_length, cn->proxy_host, + event->status); + message[csize]= '\n'; + return write_log(message, csize + 1, 1); +} + + static int log_connection(const struct connection_info *cn, const struct mysql_event_connection *event, const char *type) @@ -2009,9 +2065,13 @@ static void update_connection_info(struct connection_info *cn, { case MYSQL_AUDIT_CONNECTION_CONNECT: setup_connection_connect(cn, event); + if (event->status == 0 && event->proxy_user && event->proxy_user[0]) + log_proxy(cn, event); break; case MYSQL_AUDIT_CONNECTION_CHANGE_USER: *after_action= AA_CHANGE_USER; + if (event->proxy_user && event->proxy_user[0]) + log_proxy(cn, event); break; default:; }