Commit 5a9484b7 authored by Alexey Botchkov's avatar Alexey Botchkov

MDEV-19443 server_audit plugin doesn't log proxy users.

PROXY_CONNECT event added (logged on a successful proxied CONNECT and on CHANGE_USER, with the proxied `user`@`host` in the object field).

Conflicts:
	plugin/server_audit/server_audit.c
parent 81870e49
...@@ -227,6 +227,21 @@ set global server_audit_logging= on; ...@@ -227,6 +227,21 @@ set global server_audit_logging= on;
disconnect cn1; disconnect cn1;
drop user user1@localhost; drop user user1@localhost;
set global server_audit_events=''; set global server_audit_events='';
CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd';
connect(localhost,plug,plug_dest,test,MYSQL_PORT,MYSQL_SOCK);
connect plug_con,localhost,plug,plug_dest;
ERROR 28000: Access denied for user 'plug'@'localhost' (using password: YES)
GRANT PROXY ON plug_dest TO plug;
connect plug_con,localhost,plug,plug_dest;
connection plug_con;
select USER(),CURRENT_USER();
USER() CURRENT_USER()
plug@localhost plug_dest@%
connection default;
disconnect plug_con;
DROP USER plug;
DROP USER plug_dest;
set global server_audit_query_log_limit= 15; set global server_audit_query_log_limit= 15;
select (1), (2), (3), (4); select (1), (2), (3), (4);
1 2 3 4 1 2 3 4
...@@ -404,6 +419,46 @@ TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv, ...@@ -404,6 +419,46 @@ TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv, TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping, TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping,
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,columns_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping,
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER plug IDENTIFIED WITH \'test_plugin_server\' AS \'plug_dest\'',0
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,columns_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping,
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER plug_dest IDENTIFIED BY *****',0
TIME,HOSTNAME,plug,localhost,ID,0,FAILED_CONNECT,,,ID
TIME,HOSTNAME,plug,localhost,ID,0,DISCONNECT,,,0
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'GRANT PROXY ON plug_dest TO plug',0
TIME,HOSTNAME,plug,localhost,ID,0,PROXY_CONNECT,test,`plug_dest`@`%`,0
TIME,HOSTNAME,plug,localhost,ID,0,CONNECT,test,,0
TIME,HOSTNAME,plug,localhost,ID,0,DISCONNECT,test,,0
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,columns_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping,
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'DROP USER plug',0
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,columns_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping,
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'DROP USER plug_dest',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global serv',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global serv',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'select (1), (2)',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'select (1), (2)',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'select \'A\', ',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'select \'A\', ',0
......
--source include/have_plugin_auth.inc
--source include/not_embedded.inc --source include/not_embedded.inc
if (!$SERVER_AUDIT_SO) { if (!$SERVER_AUDIT_SO) {
...@@ -174,6 +174,25 @@ drop user user1@localhost; ...@@ -174,6 +174,25 @@ drop user user1@localhost;
set global server_audit_events=''; set global server_audit_events='';
CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd';
--sleep 2
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
--error ER_ACCESS_DENIED_ERROR : this should fail : no grant
connect(plug_con,localhost,plug,plug_dest);
--sleep 2
GRANT PROXY ON plug_dest TO plug;
--sleep 2
connect(plug_con,localhost,plug,plug_dest);
connection plug_con;
select USER(),CURRENT_USER();
connection default;
disconnect plug_con;
--sleep 2
--sleep 2
DROP USER plug;
DROP USER plug_dest;
set global server_audit_query_log_limit= 15; set global server_audit_query_log_limit= 15;
select (1), (2), (3), (4); select (1), (2), (3), (4);
select 'A', 'B', 'C', 'D'; select 'A', 'B', 'C', 'D';
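Review bot: The new test only exercises the proxied CONNECT path; the CHANGE_USER branch that the C change also instruments (the `log_proxy` call under `MYSQL_AUDIT_CONNECTION_CHANGE_USER`) gets no coverage here, so a regression in it would not show up in the expected result. A `--change_user plug,plug_dest` (or an equivalent reconnect-as-proxy step) on the plug_con connection before `disconnect plug_con` would pin that record in the result file as well. Separately, the consecutive `--sleep 2` / `--sleep 2` after `disconnect plug_con` look like a copy-paste duplicate and merely double the wall time; one sleep matches the pattern used after the other statements in this hunk.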
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
#define PLUGIN_VERSION 0x104 #define PLUGIN_VERSION 0x104
#define PLUGIN_STR_VERSION "1.4.8" #define PLUGIN_STR_VERSION "1.4.10"
#define _my_thread_var loc_thread_var #define _my_thread_var loc_thread_var
...@@ -326,6 +326,10 @@ struct connection_info ...@@ -326,6 +326,10 @@ struct connection_info
char query_buffer[1024]; char query_buffer[1024];
time_t query_time; time_t query_time;
int log_always; int log_always;
char proxy[64];
int proxy_length;
char proxy_host[64];
int proxy_host_length;
}; };
#define DEFAULT_FILENAME_LEN 16 #define DEFAULT_FILENAME_LEN 16
...@@ -1130,9 +1134,13 @@ static void setup_connection_simple(struct connection_info *ci) ...@@ -1130,9 +1134,13 @@ static void setup_connection_simple(struct connection_info *ci)
ci->ip_length= 0; ci->ip_length= 0;
ci->query_length= 0; ci->query_length= 0;
ci->header= 0; ci->header= 0;
ci->proxy_length= 0;
} }
#define MAX_HOSTNAME 61
#define USERNAME_LENGTH 384
static void setup_connection_connect(struct connection_info *cn, static void setup_connection_connect(struct connection_info *cn,
const struct mysql_event_connection *event) const struct mysql_event_connection *event)
{ {
...@@ -1149,6 +1157,29 @@ static void setup_connection_connect(struct connection_info *cn, ...@@ -1149,6 +1157,29 @@ static void setup_connection_connect(struct connection_info *cn,
get_str_n(cn->ip, &cn->ip_length, sizeof(cn->ip), get_str_n(cn->ip, &cn->ip_length, sizeof(cn->ip),
event->ip, event->ip_length); event->ip, event->ip_length);
cn->header= 0; cn->header= 0;
if (event->proxy_user && event->proxy_user[0])
{
const char *priv_host= event->proxy_user +
sizeof(char[MAX_HOSTNAME+USERNAME_LENGTH+5]);
size_t priv_host_length;
if (mysql_57_started)
{
priv_host+= sizeof(size_t);
priv_host_length= *(size_t *) (priv_host + MAX_HOSTNAME);
}
else
priv_host_length= strlen(priv_host);
get_str_n(cn->proxy, &cn->proxy_length, sizeof(cn->proxy),
event->priv_user, event->priv_user_length);
get_str_n(cn->proxy_host, &cn->proxy_host_length,
sizeof(cn->proxy_host),
priv_host, priv_host_length);
}
else
cn->proxy_length= 0;
} }
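Review bot: The proxy-host lookup at `priv_host= event->proxy_user + sizeof(char[MAX_HOSTNAME+USERNAME_LENGTH+5])` treats the event's proxy_user pointer as a window into the server's security-context object, so the plugin's private copies of MAX_HOSTNAME (61) and USERNAME_LENGTH (384) from the previous hunk and the assumed field order must match the running server exactly — if they drift, the PROXY_CONNECT record silently carries a wrong or out-of-bounds host, which is an integrity problem for an audit log with nothing here to detect it. The 5.7 branch is more doubtful still: `*(size_t *) (priv_host + MAX_HOSTNAME)` reads a size_t at an odd offset (+61), which is misaligned by definition and not where a compiler would normally place a size_t member after a 61-byte array, so that read is either relying on packing or pointing into padding; this deserves verification against the actual struct. The robust fix is to carry the privileged host in the audit event itself (priv_host/priv_host_length on mysql_event_connection, with an API version bump) and keep the arithmetic only as a fallback for older servers; at minimum document the dependency next to the defines, e.g. `/* NOTE: layout of the server's Security_context is assumed here: priv_host[] follows proxy_user[]; keep in sync with USERNAME_LENGTH/MAX_HOSTNAME */`. The else branch should also reset `cn->proxy_host_length= 0;` alongside `cn->proxy_length= 0;` so a later log of a non-proxied context cannot pass an uninitialized length to the `%.*s` format in log_proxy. setup_connection_connect begins before this hunk.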
...@@ -1348,6 +1379,31 @@ static size_t log_header(char *message, size_t message_len, ...@@ -1348,6 +1379,31 @@ static size_t log_header(char *message, size_t message_len,
} }
static int log_proxy(const struct connection_info *cn,
const struct mysql_event_connection *event)
{
time_t ctime;
size_t csize;
char message[1024];
(void) time(&ctime);
csize= log_header(message, sizeof(message)-1, &ctime,
servhost, servhost_len,
cn->user, cn->user_length,
cn->host, cn->host_length,
cn->ip, cn->ip_length,
event->thread_id, 0, "PROXY_CONNECT");
csize+= my_snprintf(message+csize, sizeof(message) - 1 - csize,
",%.*s,`%.*s`@`%.*s`,%d", cn->db_length, cn->db,
cn->proxy_length, cn->proxy,
cn->proxy_host_length, cn->proxy_host,
event->status);
message[csize]= '\n';
return write_log(message, csize + 1, 1);
}
static int log_connection(const struct connection_info *cn, static int log_connection(const struct connection_info *cn,
const struct mysql_event_connection *event, const struct mysql_event_connection *event,
const char *type) const char *type)
...@@ -2009,9 +2065,13 @@ static void update_connection_info(struct connection_info *cn, ...@@ -2009,9 +2065,13 @@ static void update_connection_info(struct connection_info *cn,
{ {
case MYSQL_AUDIT_CONNECTION_CONNECT: case MYSQL_AUDIT_CONNECTION_CONNECT:
setup_connection_connect(cn, event); setup_connection_connect(cn, event);
if (event->status == 0 && event->proxy_user && event->proxy_user[0])
log_proxy(cn, event);
break; break;
case MYSQL_AUDIT_CONNECTION_CHANGE_USER: case MYSQL_AUDIT_CONNECTION_CHANGE_USER:
*after_action= AA_CHANGE_USER; *after_action= AA_CHANGE_USER;
if (event->proxy_user && event->proxy_user[0])
log_proxy(cn, event);
break; break;
default:; default:;
} }
......