Filtering by users for audit log plugin

Registered by Sergei Glushchenko

Add two global variables:
- audit_log_include_accounts: accounts to include in audit logging.
- audit_log_exclude_accounts: accounts to exclude from audit logging.

The value can be NULL or a comma-separated list of accounts in the form
user@host or 'user'@'host' (if user or host contains a comma).

Only one of the variables can be non-NULL at a time. If one is set to a
non-NULL value, an attempt to set the other one will fail. An empty
string means an empty list.

Changes to audit_log_include_accounts and
audit_log_exclude_accounts do not apply to live connections.

Example:

         mysql> SET GLOBAL audit_log_include_accounts = 'user1@localhost,root@localhost';
         Query OK, 0 rows affected (0.00 sec)

         mysql> SET GLOBAL audit_log_exclude_accounts = 'user1@localhost,root@localhost';
         ERROR 1231 (42000): Variable 'audit_log_exclude_accounts' can't be set to the value of 'user1@localhost,root@localhost'
         mysql> SET GLOBAL audit_log_include_accounts = NULL;
         Query OK, 0 rows affected (0.00 sec)

         mysql> SET GLOBAL audit_log_exclude_accounts = 'user1@localhost,root@localhost';
         Query OK, 0 rows affected (0.00 sec)

         mysql> SET GLOBAL audit_log_exclude_accounts = "'user'@'host'";
         Query OK, 0 rows affected (0.00 sec)

         mysql> SET GLOBAL audit_log_exclude_accounts = '''user''@''host''';
         Query OK, 0 rows affected (0.00 sec)

         mysql> SET GLOBAL audit_log_exclude_accounts = '\'user\'@\'host\'';
         Query OK, 0 rows affected (0.00 sec)

         mysql> SELECT @@audit_log_exclude_accounts;
         +------------------------------+
         | @@audit_log_exclude_accounts |
         +------------------------------+
         | 'user'@'host'                |
         +------------------------------+
         1 row in set (0.00 sec)

In 5.6, account names are the ones that are logged in the audit log; in
5.7, they are the ones from the `mysql.user' table. For example, we
created a user:

         mysql> create user 'user1'@'%' identified by '111';
         Query OK, 0 rows affected (0.00 sec)

This is what we see when `user1' connects from `localhost':

,----
| <AUDIT_RECORD
| NAME="Connect"
| RECORD="21_2016-06-30T09:29:51"
| TIMESTAMP="2016-06-30T09:35:04 UTC"
| CONNECTION_ID="6"
| STATUS="0"
| USER="user1" ;; this is a 'user' part of account in 5.6
| PRIV_USER="user1"
| OS_LOGIN=""
| PROXY_USER=""
| HOST="localhost" ;; this is a 'host' part of account in 5.6
| IP=""
| DB=""
| />
`----

To exclude `user1' from logging in 5.6 we must set:

      SET GLOBAL audit_log_exclude_accounts = 'user1@localhost';

In 5.7:

      SET GLOBAL audit_log_exclude_accounts = 'user1@%';
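
The following is an added example, not code from the plugin: a small model of the list format and of the 5.6 matching described above, useful for checking whether a list really covers the accounts you expect. It assumes exact string comparison of user and host and that quotes are stripped from stored names; the function names and the abridged sample record are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The Connect record shown above, abridged and without the ';;' annotations.
RECORD = '<AUDIT_RECORD NAME="Connect" CONNECTION_ID="6" USER="user1" HOST="localhost" />'

def parse_accounts(value):
    """Return a set of (user, host) pairs; None stands for SQL NULL."""
    if value is None:
        return None
    accounts, user, buf, quoted = set(), None, [], False
    for ch in value + ",":              # trailing comma flushes the last item
        if ch == "'":
            quoted = not quoted         # quotes protect ',' and '@'; not stored
        elif ch == "@" and not quoted and user is None:
            user, buf = "".join(buf), []
        elif ch == "," and not quoted:
            if user is not None:
                accounts.add((user, "".join(buf)))
            elif buf:
                raise ValueError("account without @host: " + "".join(buf))
            user, buf = None, []
        else:
            buf.append(ch)
    if quoted:
        raise ValueError("unterminated quote in account list")
    return accounts

def account_5_6(record_xml):
    """Account name as 5.6 sees it: the USER and HOST attributes of the record."""
    attrs = ET.fromstring(record_xml).attrib
    return attrs["USER"], attrs["HOST"]

def is_logged(account, include=None, exclude=None):
    """Filter decision for one (user, host) pair, assuming exact string matching."""
    if include is not None and exclude is not None:
        raise ValueError("only one of the two lists can be non-NULL")
    if include is not None:
        return account in parse_accounts(include)
    if exclude is not None:
        return account not in parse_accounts(exclude)
    return True                         # both NULL: no filtering

if __name__ == "__main__":
    acct = account_5_6(RECORD)
    for name in ("user1@localhost", "user1@%"):
        print(f"5.6 exclude={name!r}: logged={is_logged(acct, exclude=name)}")
        print(f"5.6 include={name!r}: logged={is_logged(acct, include=name)}")
```

Under this model, an include list written in the 5.7 form ('user1@%') on a 5.6 server matches nothing for this connection, so `user1' would not be logged at all.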

Blueprint information

Status: Complete
Approver: None
Priority: Medium
Drafter: Sergei Glushchenko
Direction: Approved
Assignee: Sergei Glushchenko
Definition: Approved
Series goal: Accepted for 5.6
Implementation: Implemented
Milestone target: 5.6.32-78.0
Started by: Sergei Glushchenko
Completed by: Sergei Glushchenko