audit_log plugin filtering not working with audit_log_policy=ALL
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Percona Server moved to https://jira.percona.com/projects/PS | New | Undecided | Unassigned |
Bug Description
With audit_log_
If audit_log_
mysql> select version();
+---------------+
| version() |
+---------------+
| 5.7.17-11-log |
+---------------+
mysql> select PLUGIN_
+------
| PLUGIN_NAME | PLUGIN_VERSION | LOAD_OPTION |
+------
| audit_log | 0.2 | ON |
+------
Audit plugin configuration set for logging all logins without filtering
mysql> show global variables like 'audit%';
+------
| Variable_name | Value |
+------
| audit_log_
| audit_log_
| audit_log_
| audit_log_
| audit_log_file | /logs/auditlogs
| audit_log_flush | OFF |
| audit_log_format | JSON |
| audit_log_handler | FILE |
| audit_log_
| audit_log_
| audit_log_
| audit_log_policy | LOGINS |
| audit_log_
| audit_log_rotations | 10 |
| audit_log_strategy | ASYNCHRONOUS |
| audit_log_
| audit_log_
| audit_log_
+------
Tags added: audit
1. PXC behavior is the same as PS. Since PXC hasn't changed anything in audit-log, it is inheriting the same behavior as PS.
2. That said, let's understand if PS behavior is correct:
CASE-a:
If audit_log_policy=ALL and audit_log_include_accounts='user@%': existing connections are not affected. Any commands coming from existing connections will continue to get logged.
New connections will respect the filtering rules.
CASE-b:
audit_log_policy=LOGINS and audit_log_include_accounts='user@%'. In this case existing connection commands are also affected. In short, the new settings are applied to existing connections too.
But there is a small semantics catch.
What is being enforced is audit_log_policy. In this case it is LOGINS, so only LOGINS commands should be logged, and since the existing connection is not opening new logins there is no command to log.
As against this, in CASE-a audit_log_policy=ALL. So existing connections will try to log all the commands, and the other setting, audit_log_include_accounts, is not being enforced on existing connections.
------- ------- ------- ------
To summarize:
a. Changes to audit-log configuration are working as expected with new connections.
b. Changes to audit-log configuration are partially (audit_log_policy is respected but not audit_log_include_accounts) being used with existing connections.
------- ------- ------- ------
I have validated the behavior with PS and PXC. Since PXC is only inheriting this issue I will let PS team decide on semantics. PXC will inherit it in due course.
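A consequence of the behavior described in the comment above is that, after audit_log_include_accounts is set on a running server with audit_log_policy=ALL, the JSON audit log can still contain records for accounts outside the include list, written by connections opened before the change. The following added example (not part of the bug report or of the Percona plugin) reads newline-delimited JSON audit records and reports, per connection_id, the records whose account is not covered by the include list, so an operator can confirm whether the filter is actually being honored. The sample records are constructed, their field layout approximates the plugin's JSON records, and the include-list matching treats `%` and `_` as SQL LIKE wildcards over `user@host`, which is a simplification assumed for this check.

```python
import json
import re
from collections import defaultdict

# Constructed sample: newline-delimited JSON records as written with
# audit_log_format=JSON. Field layout approximates the plugin's records.
SAMPLE_AUDIT_LOG = """
{"audit_record":{"name":"Connect","record":"1_2017-03-01T10:00:00","timestamp":"2017-03-01T10:00:00 UTC","connection_id":"7","status":0,"user":"app","priv_user":"app","os_login":"","proxy_user":"","host":"localhost","ip":"127.0.0.1","db":"shop"}}
{"audit_record":{"name":"Query","record":"2_2017-03-01T10:00:01","timestamp":"2017-03-01T10:00:01 UTC","command_class":"select","connection_id":"7","status":0,"sqltext":"select 1","user":"app[app] @ localhost [127.0.0.1]","host":"localhost","os_user":"","ip":"127.0.0.1","db":"shop"}}
{"audit_record":{"name":"Query","record":"3_2017-03-01T10:00:02","timestamp":"2017-03-01T10:00:02 UTC","command_class":"select","connection_id":"3","status":0,"sqltext":"select now()","user":"root[root] @ localhost []","host":"localhost","os_user":"","ip":"","db":""}}
"""

# Query records carry "user[priv_user] @ host [ip]" in one field;
# Connect records carry separate user/host fields.
_QUERY_USER = re.compile(r"^(?P<user>[^\[\s]+)\[[^\]]*\]\s*@\s*(?P<host>\S+)\s*\[")


def parse_records(text):
    """Yield the inner audit_record objects from newline-delimited JSON."""
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if line:
            yield json.loads(line)["audit_record"]


def account_of(rec):
    """Return 'user@host' for a record, whichever shape the record has."""
    user = rec.get("user", "")
    m = _QUERY_USER.match(user)
    if m:
        return f"{m.group('user')}@{m.group('host')}"
    return f"{user}@{rec.get('host', '')}"


def like_to_regex(pattern):
    """Compile a SQL LIKE-style pattern ('%' any run, '_' one char) to a regex."""
    parts = [".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$")


def unfiltered_records(log_text, include_accounts):
    """Records whose account is outside the include list, keyed by connection_id.
    With the behavior reported above, these come from sessions that were
    already open when audit_log_include_accounts was changed."""
    patterns = [like_to_regex(p.strip()) for p in include_accounts.split(",") if p.strip()]
    leaked = defaultdict(list)
    for rec in parse_records(log_text):
        acct = account_of(rec)
        if not any(p.match(acct) for p in patterns):
            leaked[rec["connection_id"]].append((rec["name"], acct, rec.get("sqltext", "")))
    return dict(leaked)


if __name__ == "__main__":
    for conn_id, recs in unfiltered_records(SAMPLE_AUDIT_LOG, "app@%").items():
        print(f"connection {conn_id}: {len(recs)} record(s) outside include list: {recs}")
```

Any connection reported here should be reconnected (or the server restarted) if the filter is expected to apply to it; an empty result means every logged record belongs to an included account.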