summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlexey Botchkov <holyfoot@askmonty.org>2020-12-28 15:12:32 +0400
committerAlexey Botchkov <holyfoot@askmonty.org>2020-12-28 15:12:32 +0400
commit78292047a4747ccd9210ba36a185a1dbe825de89 (patch)
treed7e0f195048bc877f2175e4808bd7ce3e8d15011
parent5b9ee8d8193a8c7a8ebdd35eedcadc3ae78e7fc1 (diff)
downloadmariadb-git-78292047a4747ccd9210ba36a185a1dbe825de89.tar.gz
MDEV-19442 server_audit plugin doesn't consider proxy users in server_audit_excl_users/server_audit_incl_users.
Check the proxy user just as the connection user against the incl_users_list and excl_users_list.
-rw-r--r--mysql-test/suite/plugins/r/server_audit.result5
-rw-r--r--mysql-test/suite/plugins/t/server_audit.test1
-rw-r--r--plugin/server_audit/server_audit.c22
3 files changed, 20 insertions, 8 deletions
diff --git a/mysql-test/suite/plugins/r/server_audit.result b/mysql-test/suite/plugins/r/server_audit.result
index f309b6c95a3..3fce3346f29 100644
--- a/mysql-test/suite/plugins/r/server_audit.result
+++ b/mysql-test/suite/plugins/r/server_audit.result
@@ -227,6 +227,7 @@ set global server_audit_logging= on;
disconnect cn1;
drop user user1@localhost;
set global server_audit_events='';
+set global server_audit_incl_users='root, plug_dest';
CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd';
connect(localhost,plug,plug_dest,test,MYSQL_PORT,MYSQL_SOCK);
@@ -277,7 +278,7 @@ server_audit_file_path
server_audit_file_rotate_now OFF
server_audit_file_rotate_size 1000000
server_audit_file_rotations 9
-server_audit_incl_users root
+server_audit_incl_users root, plug_dest
server_audit_logging ON
server_audit_mode 1
server_audit_output_type file
@@ -419,6 +420,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping,
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_incl_users=\'root, plug_dest\'',0
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv,
@@ -442,6 +444,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'GRANT PROXY ON plug_dest TO plug',0
TIME,HOSTNAME,plug,localhost,ID,0,CONNECT,test,,0
TIME,HOSTNAME,plug,localhost,ID,0,PROXY_CONNECT,test,`plug_dest`@`%`,0
+TIME,HOSTNAME,plug,localhost,ID,ID,QUERY,test,'select USER(),CURRENT_USER()',0
TIME,HOSTNAME,plug,localhost,ID,0,DISCONNECT,test,,0
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,
diff --git a/mysql-test/suite/plugins/t/server_audit.test b/mysql-test/suite/plugins/t/server_audit.test
index 397dd554962..fa5bd7e1349 100644
--- a/mysql-test/suite/plugins/t/server_audit.test
+++ b/mysql-test/suite/plugins/t/server_audit.test
@@ -173,6 +173,7 @@ source include/wait_until_count_sessions.inc;
drop user user1@localhost;
set global server_audit_events='';
+set global server_audit_incl_users='root, plug_dest';
CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd';
diff --git a/plugin/server_audit/server_audit.c b/plugin/server_audit/server_audit.c
index fe8bf4478fc..ebb2c6c0a05 100644
--- a/plugin/server_audit/server_audit.c
+++ b/plugin/server_audit/server_audit.c
@@ -1578,22 +1578,27 @@ no_password:
-static int do_log_user(const char *name, int take_lock)
+static int do_log_user(const char *name, int len,
+ const char *proxy, int proxy_len, int take_lock)
{
- size_t len;
int result;
if (!name)
return 0;
- len= strlen(name);
if (take_lock)
flogger_mutex_lock(&lock_operations);
if (incl_user_coll.n_users)
- result= coll_search(&incl_user_coll, name, len) != 0;
+ {
+ result= coll_search(&incl_user_coll, name, len) != 0 ||
+ (proxy && coll_search(&incl_user_coll, proxy, proxy_len) != 0);
+ }
else if (excl_user_coll.n_users)
- result= coll_search(&excl_user_coll, name, len) == 0;
+ {
+ result= coll_search(&excl_user_coll, name, len) == 0 &&
+ (proxy && coll_search(&excl_user_coll, proxy, proxy_len) == 0);
+ }
else
result= 1;
@@ -2134,7 +2139,9 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev)
}
if (event_class == MYSQL_AUDIT_GENERAL_CLASS && FILTER(EVENT_QUERY) &&
- cn && (cn->log_always || do_log_user(cn->user, 1)))
+ cn && (cn->log_always || do_log_user(cn->user, cn->user_length,
+ cn->proxy, cn->proxy_length,
+ 1)))
{
const struct mysql_event_general *event =
(const struct mysql_event_general *) ev;
@@ -2154,7 +2161,8 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev)
{
const struct mysql_event_table *event =
(const struct mysql_event_table *) ev;
- if (do_log_user(event->user, 1))
+ if (do_log_user(event->user, SAFE_STRLEN(event->user),
+ cn->proxy, cn->proxy_length, 1))
{
switch (event->event_subclass)
{