[MDEV-19443] server_audit plugin doesn't log proxy users Created: 2019-05-11 Updated: 2024-01-29 Resolved: 2020-10-23 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | Authentication and Privilege System, Plugin - Audit |
| Affects Version/s: | 10.2.24, 10.1.40, 10.3.14, 10.4.4 |
| Fix Version/s: | 10.2.35, 10.3.26, 10.4.16, 10.5.7 |
| Type: | Bug | Priority: | Critical |
| Reporter: | Geoff Montee (Inactive) | Assignee: | Alexey Botchkov |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Description |
|
The server_audit plugin doesn't log proxy users. This means that it doesn't work well with PAM user mapping:
https://mariadb.com/kb/en/library/user-and-group-mapping-with-pam/
This seems to be true for all of the log functions:
https://github.com/MariaDB/server/blob/mariadb-10.4.4/plugin/server_audit/server_audit.c#L1311
https://github.com/MariaDB/server/blob/mariadb-10.4.4/plugin/server_audit/server_audit.c#L1333
https://github.com/MariaDB/server/blob/mariadb-10.4.4/plugin/server_audit/server_audit.c#L1756
https://github.com/MariaDB/server/blob/mariadb-10.4.4/plugin/server_audit/server_audit.c#L1587
However, I see that the API already provides proxy_user in the mysql_event_connection and mysql_event_table classes.
https://github.com/MariaDB/server/blob/mariadb-10.4.4/include/mysql/plugin_audit.h#L86
https://github.com/MariaDB/server/blob/mariadb-10.4.4/include/mysql/plugin_audit.h#L127
But proxy_user seems to be missing from the mysql_event_general class:
https://github.com/MariaDB/server/blob/mariadb-10.4.4/include/mysql/plugin_audit.h#L52
For example, let's say that I log in as the bob PAM user who is mapped to the dba user:
The audit log will only show the user name bob:
To have a more complete audit trail, shouldn't the plugin log both the original user and the proxy user? |
| Comments |
| Comment by Alexey Botchkov [ 2020-10-23 ] |
|
https://github.com/MariaDB/server/commit/cc1646dae821a136c8368ee84954aac9937abdd4 |