Filtering by database for audit plugin

Registered by Sergei Glushchenko on 2016-07-04

Description
~~~~~~~~~~~

  Add two global variables:

  - `audit_log_include_databases': comma-separated list of databases to
    include in audit logging
  - `audit_log_exclude_databases': comma-separated list of databases to
    exclude from audit logging

  The value can be NULL or a comma-separated list of database names.

  Only one of the two variables can be non-NULL at a time. If one is set
  to a non-NULL value, an attempt to set the other one will fail. An
  empty string means an empty list.

  Changes to `audit_log_include_databases' and
  `audit_log_exclude_databases' do not apply to live connections.

  If a query accesses any of the databases listed in
  `audit_log_include_databases', the query will be logged.

  If a query accesses only databases listed in
  `audit_log_exclude_databases', the query will not be logged.

  Caveats:

  The audit plugin doesn't receive table access notifications for
  `CREATE TABLE ...' queries. Such queries will always be logged.

  Example:

        mysql> set global audit_log_include_databases = 'test,mysql,db1';
        Query OK, 0 rows affected (0.00 sec)

        mysql> SET GLOBAL audit_log_include_databases= 'db1,```db3"`';
        Query OK, 0 rows affected (0.00 sec)

        mysql> SET GLOBAL audit_log_exclude_databases = 'test,mysql,db1';
        ERROR 1231 (42000): Variable 'audit_log_exclude_databases' can't be set to the value of 'test,mysql,db1'

        mysql> set global audit_log_include_databases = NULL;
        Query OK, 0 rows affected (0.00 sec)

        mysql> SET GLOBAL audit_log_exclude_databases = 'test,mysql,db1';
        Query OK, 0 rows affected (0.00 sec)

Implementation
~~~~~~~~~~~~~~

  *5.7 ONLY*

  The 5.7 audit API added a new type of event called
  `MYSQL_AUDIT_TABLE_ACCESS_CLASS'. It occurs when a statement tries to
  access any table. `struct mysql_event_table_access' has the field
  `table_database' (the name of the database being accessed).

  Changes:

  1. Implement `audit_log_check_account_included' and
     `audit_log_check_account_excluded' in `filter.c' similar to account
     included / excluded checks.
  2. Add two global plugin variables, check and update functions.
  3. When handling `MYSQL_AUDIT_TABLE_ACCESS_CLASS' events, count the
     number of accessed databases, the number of included ones and the
     number of excluded ones.
  4. Log the query if at least one database has been included.
  5. Log the query if the number of excluded databases is less than the
     number of accessed databases.
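
  The decision rule from changes 3 to 5, together with the CREATE TABLE
  caveat, as an added C example; it is not the plugin's `filter.c' code.
  `in_list' and `should_log' are hypothetical names, the sample queries
  are constructed, and treating a statement with no table-access events
  as always logged is an assumption drawn from the Caveats.

```c
#include <stdio.h>
#include <string.h>

/* 1 if db is an element of the comma-separated list (plain names only;
   backtick-quoted names such as the one in the Example are not parsed). */
static int in_list(const char *list, const char *db)
{
    size_t n = strlen(db);
    for (const char *p = list; *p; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && strncmp(p, db, n) == 0)
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* include/exclude: variable values, NULL when unset (at most one is set).
   dbs[0..n-1]: table_database from each table-access event of one query. */
int should_log(const char *include, const char *exclude,
               const char *const *dbs, int n)
{
    int included = 0, excluded = 0;
    if (n == 0)
        return 1;   /* assumption: no table-access events (CREATE TABLE caveat) */
    for (int i = 0; i < n; i++) {
        included += include && in_list(include, dbs[i]);
        excluded += exclude && in_list(exclude, dbs[i]);
    }
    if (include)
        return included > 0;   /* change 4: at least one included database */
    if (exclude)
        return excluded < n;   /* change 5: not every database is excluded */
    return 1;                  /* neither variable set: no database filtering */
}

/* Constructed sample queries, as lists of accessed databases. */
static const char *const Q_MIXED[] = { "db1", "sales" };
static const char *const Q_EXCL[]  = { "test", "mysql" };

int main(void)
{
    printf("mixed=%d excluded_only=%d\n",
           should_log(NULL, "test,mysql,db1", Q_MIXED, 2),
           should_log(NULL, "test,mysql,db1", Q_EXCL, 2));
    return 0;
}
```

  In exclude mode a query that touches an excluded database together
  with any other database is still logged; only queries confined to
  excluded databases are dropped.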

Testing
~~~~~~~

  The test case will be similar to `audit_log_filter_users.test'.

Blueprint information

  Status: Complete
  Approver: Laurynas Biveinis
  Priority: High
  Drafter: Sergei Glushchenko
  Direction: Approved
  Assignee: Sergei Glushchenko
  Definition: Approved
  Series goal: Accepted for 5.7
  Implementation: Implemented
  Milestone target: 5.7.14-7
  Started by: Sergei Glushchenko on 2016-07-30
  Completed by: Sergei Glushchenko on 2016-08-16
