database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-29 05:21:33 +03:00
Code Activity

MDEV-19442 server_audit plugin doesn't consider proxy users in server_audit_excl_users/server_audit_incl_users.

Browse Source 
Check the proxy user just as the connection user against the
incl_users_list and excl_users_list.
This commit is contained in:
Alexey Botchkov
2020-12-28 15:12:32 +04:00
parent 5b9ee8d819
commit 78292047a4
3 changed files with 20 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
mysql-test/suite/plugins/r/server_audit.result
View File

@ -227,6 +227,7 @@ set global server_audit_logging= on;
disconnect cn1; disconnect cn1;
drop user user1@localhost; drop user user1@localhost;
set global server_audit_events=''; set global server_audit_events='';
set global server_audit_incl_users='root, plug_dest';
CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest'; CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd'; CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd';
connect(localhost,plug,plug_dest,test,MYSQL_PORT,MYSQL_SOCK); connect(localhost,plug,plug_dest,test,MYSQL_PORT,MYSQL_SOCK);
@ -277,7 +278,7 @@ server_audit_file_path
server_audit_file_rotate_now OFF server_audit_file_rotate_now OFF
server_audit_file_rotate_size 1000000 server_audit_file_rotate_size 1000000
server_audit_file_rotations 9 server_audit_file_rotations 9
server_audit_incl_users root server_audit_incl_users root, plug_dest
server_audit_logging ON server_audit_logging ON
server_audit_mode 1 server_audit_mode 1
server_audit_output_type file server_audit_output_type file
@ -419,6 +420,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv, TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping, TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping,
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_incl_users=\'root, plug_dest\'',0
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user, TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db, TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv, TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv,
@ -442,6 +444,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'GRANT PROXY ON plug_dest TO plug',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'GRANT PROXY ON plug_dest TO plug',0
TIME,HOSTNAME,plug,localhost,ID,0,CONNECT,test,,0 TIME,HOSTNAME,plug,localhost,ID,0,CONNECT,test,,0
TIME,HOSTNAME,plug,localhost,ID,0,PROXY_CONNECT,test,`plug_dest`@`%`,0 TIME,HOSTNAME,plug,localhost,ID,0,PROXY_CONNECT,test,`plug_dest`@`%`,0
TIME,HOSTNAME,plug,localhost,ID,ID,QUERY,test,'select USER(),CURRENT_USER()',0
TIME,HOSTNAME,plug,localhost,ID,0,DISCONNECT,test,,0 TIME,HOSTNAME,plug,localhost,ID,0,DISCONNECT,test,,0
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user, TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db, TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,

1
mysql-test/suite/plugins/t/server_audit.test
View File

@ -173,6 +173,7 @@ source include/wait_until_count_sessions.inc;
drop user user1@localhost; drop user user1@localhost;
set global server_audit_events=''; set global server_audit_events='';
set global server_audit_incl_users='root, plug_dest';
CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest'; CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd'; CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd';

22
plugin/server_audit/server_audit.c
View File

@ -1578,22 +1578,27 @@ no_password:
static int do_log_user(const char *name, int take_lock) static int do_log_user(const char *name, int len,
const char *proxy, int proxy_len, int take_lock)
{ {
size_t len;
int result; int result;
if (!name) if (!name)
return 0; return 0;
len= strlen(name);
if (take_lock) if (take_lock)
flogger_mutex_lock(&lock_operations); flogger_mutex_lock(&lock_operations);
if (incl_user_coll.n_users) if (incl_user_coll.n_users)
result= coll_search(&incl_user_coll, name, len) != 0; {
result= coll_search(&incl_user_coll, name, len) != 0 ||
(proxy && coll_search(&incl_user_coll, proxy, proxy_len) != 0);
}
else if (excl_user_coll.n_users) else if (excl_user_coll.n_users)
result= coll_search(&excl_user_coll, name, len) == 0; {
result= coll_search(&excl_user_coll, name, len) == 0 &&
(proxy && coll_search(&excl_user_coll, proxy, proxy_len) == 0);
}
else else
result= 1; result= 1;
@ -2134,7 +2139,9 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev)
} }
if (event_class == MYSQL_AUDIT_GENERAL_CLASS && FILTER(EVENT_QUERY) && if (event_class == MYSQL_AUDIT_GENERAL_CLASS && FILTER(EVENT_QUERY) &&
cn && (cn->log_always || do_log_user(cn->user, 1))) cn && (cn->log_always || do_log_user(cn->user, cn->user_length,
cn->proxy, cn->proxy_length,
1)))
{ {
const struct mysql_event_general *event = const struct mysql_event_general *event =
(const struct mysql_event_general *) ev; (const struct mysql_event_general *) ev;
@ -2154,7 +2161,8 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev)
{ {
const struct mysql_event_table *event = const struct mysql_event_table *event =
(const struct mysql_event_table *) ev; (const struct mysql_event_table *) ev;
if (do_log_user(event->user, 1)) if (do_log_user(event->user, SAFE_STRLEN(event->user),
cn->proxy, cn->proxy_length, 1))
{ {
switch (event->event_subclass) switch (event->event_subclass)
{ {