
Audit plugin does not exclude users which are definer for events if audit_log_include|exclude_accounts used


    Details

    • Type: Bug
    • Status: On Hold
    • Priority: Medium
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None

      Description

      User manual at https://www.percona.com/doc/percona-server/LATEST/management/audit_log_plugin.html#filtering-by-user says:

      > The filtering by user feature adds two new global variables: audit_log_include_accounts and audit_log_exclude_accounts to specify which user accounts should be included or excluded from audit logging

      > Changes of audit_log_include_accounts and audit_log_exclude_accounts do not apply to existing server connections.

      However, the user manual does not say that the filtering applies only to user connections and does not apply to the definers of events.

      How to Repeat:

      There are two methods to repeat.

      1. Read the code

      1155   if (event_class == MYSQL_AUDIT_CONNECTION_CLASS)
      1156   {
      ...
      1182 
      1183     local->skip_session= FALSE;
      1184     if (audit_log_include_accounts != NULL &&
      1185         !audit_log_check_account_included(priv_user.str, priv_user.length,
      1186                                           priv_host.str, priv_host.length))
      1187       local->skip_session= TRUE;
      1188     if (audit_log_exclude_accounts != NULL &&
      1189         audit_log_check_account_excluded(priv_user.str, priv_user.length,
      1190                                          priv_host.str, priv_host.length))
      1191       local->skip_session= TRUE;

      Notice that audit_log_check_account_included and audit_log_check_account_excluded are checked only in the MYSQL_AUDIT_CONNECTION_CLASS branch.

      Then grep to see whether they are also checked in the other branches:

      1202   else if (event_class == MYSQL_AUDIT_GENERAL_CLASS)
      1203   {
      ...
      1295   else if (event_class == MYSQL_AUDIT_TABLE_ACCESS_CLASS)
      1296   {
      sveta@delly:~/src/percona-server$ grep -R audit_log_check_account_included -n plugin/audit_log/audit_log.c
      1185: !audit_log_check_account_included(priv_user.str, priv_user.length,
      sveta@delly:~/src/percona-server$ grep -R audit_log_check_account_excluded -n plugin/audit_log/audit_log.c
      1189: audit_log_check_account_excluded(priv_user.str, priv_user.length,
      

      2. Run the attached test case
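      As an added example (not from this bug report or from Percona's code), a small Python checker that applies the same include/exclude account test the plugin applies per session to a finished audit log, so an operator can list records that the configured filter should have suppressed, such as those written when the event scheduler runs an event as its definer. The JSON record layouts and the comma separated user@host list syntax are assumptions of this example.

```python
import json
import re

# Constructed sample in the plugin's JSON format (audit_log_format=JSON), one
# record per line. Field layouts are this example's assumption: Connect records
# carry "priv_user"/"host", Query records carry "user": "user[priv_user] @ host [ip]".
# Connection 9 has no Connect record: it stands for the event scheduler running
# an event whose definer is app@localhost, so no session-level filter was applied.
SAMPLE_LOG = """\
{"audit_record":{"name":"Connect","connection_id":"7","status":0,"user":"root","priv_user":"root","host":"localhost","ip":"","db":"test"}}
{"audit_record":{"name":"Query","connection_id":"7","status":0,"sqltext":"SELECT 1","user":"root[root] @ localhost []","host":"localhost","ip":""}}
{"audit_record":{"name":"Query","connection_id":"9","status":0,"sqltext":"INSERT INTO t VALUES (NOW())","user":"app[app] @ localhost []","host":"localhost","ip":""}}
"""

# Assumed layout of the Query-record "user" field; group "priv" is the privilege user.
_USER_RE = re.compile(r"^[^\[]*\[(?P<priv>[^\]]*)\]\s*@\s*(?P<host>\S*)")

def parse_accounts(value):
    """Parse the comma separated user@host list the audit_log_*_accounts variables accept."""
    accounts = set()
    for item in value.split(","):
        item = item.strip()
        if item:
            user, _, host = item.partition("@")
            accounts.add((user, host))
    return accounts

def record_account(rec):
    """Return (priv_user, host) for one audit record, or None if it cannot be parsed."""
    if "priv_user" in rec:
        return rec["priv_user"], rec.get("host", "")
    m = _USER_RE.match(rec.get("user", ""))
    return (m.group("priv"), m.group("host")) if m else None

def find_filter_violations(log_text, include=None, exclude=None):
    """Records the configured account filter should have suppressed (same test the
    plugin applies per session: outside the include list, or on the exclude list)."""
    inc = parse_accounts(include) if include else None
    exc = parse_accounts(exclude) if exclude else set()
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)["audit_record"]
        acct = record_account(rec)
        if acct is None:
            continue
        if (inc is not None and acct not in inc) or acct in exc:
            violations.append((rec["name"], "%s@%s" % acct, rec.get("sqltext", "")))
    return violations
```

      Run it against a real audit log after setting audit_log_exclude_accounts to the event definer's account; any record it returns for that account was logged despite the filter.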

              People

              Assignee:
              Unassigned
              Reporter:
              sveta.smirnova Sveta Smirnova