Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-19443

server_audit plugin doesn't log proxy users

    Details

      Description

      The server_audit plugin doesn't log proxy users. This means that it doesn't work well with PAM user mapping:

      https://mariadb.com/kb/en/library/user-and-group-mapping-with-pam/

      This seems to be true for all of the log functions:

      https://github.com/MariaDB/server/blob/mariadb-10.4.4/plugin/server_audit/server_audit.c#L1311

      https://github.com/MariaDB/server/blob/mariadb-10.4.4/plugin/server_audit/server_audit.c#L1333

      https://github.com/MariaDB/server/blob/mariadb-10.4.4/plugin/server_audit/server_audit.c#L1756

      https://github.com/MariaDB/server/blob/mariadb-10.4.4/plugin/server_audit/server_audit.c#L1587

      However, I see that the API already provides proxy_user in the mysql_event_connection and mysql_event_table classes.

      https://github.com/MariaDB/server/blob/mariadb-10.4.4/include/mysql/plugin_audit.h#L86

      https://github.com/MariaDB/server/blob/mariadb-10.4.4/include/mysql/plugin_audit.h#L127

      But proxy_user seems to be missing from the mysql_event_general class:

      https://github.com/MariaDB/server/blob/mariadb-10.4.4/include/mysql/plugin_audit.h#L52

      For example, let's say that I log in as the bob PAM user who is mapped to the dba user:

      [ec2-user@ip-172-30-0-249 ~]$ mysql -u bob
      [mariadb] Password:
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 13
      Server version: 10.1.39-MariaDB MariaDB Server
       
      Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [(none)]> SELECT USER(), CURRENT_USER();
      +---------------+----------------+
      | USER()        | CURRENT_USER() |
      +---------------+----------------+
      | bob@localhost | dba@%          |
      +---------------+----------------+
      1 row in set (0.00 sec)
       
      MariaDB [(none)]> SELECT 1;
      +---+
      | 1 |
      +---+
      | 1 |
      +---+
      1 row in set (0.00 sec)
       
      MariaDB [(none)]> \q
      Bye
      

      The audit log will only show the user name bob:

      20190511 22:50:30,ip-172-30-0-249.us-west-2.compute.internal,bob,localhost,13,0,CONNECT,,,0
      20190511 22:50:30,ip-172-30-0-249.us-west-2.compute.internal,bob,localhost,13,21,QUERY,,'select @@version_comment limit 1',0
      20190511 22:50:32,ip-172-30-0-249.us-west-2.compute.internal,bob,localhost,13,22,QUERY,,'SELECT USER(), CURRENT_USER()',0
      20190511 22:50:40,ip-172-30-0-249.us-west-2.compute.internal,bob,localhost,13,23,QUERY,,'SELECT 1',0
      20190511 22:50:43,ip-172-30-0-249.us-west-2.compute.internal,bob,localhost,13,0,DISCONNECT,,,0
      

      To have a more complete audit trail, shouldn't the plugin log both the original user and the proxy user?

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                holyfoot Alexey Botchkov
                Reporter:
                GeoffMontee Geoff Montee
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated: