/*
|
|
* Copyright (c) 2020 Huawei Technologies Co.,Ltd.
|
|
*
|
|
* openGauss is licensed under Mulan PSL v2.
|
|
* You can use this software according to the terms and conditions of the Mulan PSL v2.
|
|
* You may obtain a copy of Mulan PSL v2 at:
|
|
*
|
|
* http://license.coscl.org.cn/MulanPSL2
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
|
|
* EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
|
|
* MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
|
|
* See the Mulan PSL v2 for more details.
|
|
* ---------------------------------------------------------------------------------------
|
|
*
|
|
* pgaudit.h
|
|
*
|
|
*
|
|
*
|
|
* IDENTIFICATION
|
|
* src/include/pgaudit.h
|
|
*
|
|
* ---------------------------------------------------------------------------------------
|
|
*/
|
|
#ifndef _PGAUDIT_H
|
|
#define _PGAUDIT_H
|
|
|
|
#include "fmgr.h"
|
|
|
|
/*
 * Per-thread flag.  Its meaning is not defined in this header — presumably
 * set while pg_delete_audit() is running (cf. AUDIT_FUNC_DELETE below);
 * verify at the definition site before relying on it.
 */
extern THR_LOCAL bool Audit_delete;
|
|
|
|
/*
 * Per-session audit category switches.  Each is true only when auditing is
 * enabled at all (Audit_enabled) AND either the category's own switch is on
 * or the current user is subject to full auditing (audit_check_full_audit_user(),
 * declared elsewhere).  They dereference u_sess, so they are only valid on a
 * thread that has a session attached.  audit_check_full_audit_user() is
 * short-circuited when the category switch is already on.
 */
/* Function-execution auditing (Audit_Exec). */
#define AUDIT_EXEC_ENABLED (u_sess->attr.attr_security.Audit_enabled && \
    (u_sess->attr.attr_security.Audit_Exec || audit_check_full_audit_user()))
/* System-function-execution auditing (audit_system_function_exec). */
#define AUDIT_SYSTEM_EXEC_ENABLED (u_sess->attr.attr_security.Audit_enabled && \
    (u_sess->attr.attr_security.audit_system_function_exec || audit_check_full_audit_user()))
/* COPY auditing (Audit_Copy; cf. AUDIT_COPY_TO / AUDIT_COPY_FROM below). */
#define AUDIT_COPY_ENABLED (u_sess->attr.attr_security.Audit_enabled && \
    (u_sess->attr.attr_security.Audit_Copy || audit_check_full_audit_user()))
|
|
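/*
 * CHECK_AUDIT_DDL(type): true when DDL auditing applies to object class
 * 'type' (a DDLType enumerator), i.e. bit 'type' of the Audit_DDL mask is
 * set, or when the current user is subject to full auditing
 * (audit_check_full_audit_user(), declared elsewhere).
 *
 * 'type' is evaluated once.  The shift uses an unsigned constant so that bit
 * 31 is representable without signed-overflow UB; the mask is handled as a
 * 32-bit unsigned int, so DDLType values must stay below 32.
 * Note: unlike the AUDIT_*_ENABLED macros this does not test Audit_enabled
 * itself — presumably the caller does; verify at call sites.
 */
#define CHECK_AUDIT_DDL(type) \
    ((((unsigned int)u_sess->attr.attr_security.Audit_DDL & (1U << (type))) != 0) || \
        audit_check_full_audit_user())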
|
|
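/*
 * CHECK_AUDIT_LOGIN(type): non-zero when bit 'type' of Audit_Session is set.
 * Yields the masked bit itself, not a normalized bool — compare against 0.
 * 'type' is presumably one of the login/logout AuditType values
 * (AUDIT_LOGIN_SUCCESS, AUDIT_LOGIN_FAILED, AUDIT_USER_LOGOUT); verify at
 * call sites, and never pass a value >= 32.
 *
 * The expansion is fully parenthesized so that a prefixed '!' or a
 * surrounding comparison applies to the whole masked value rather than to
 * the cast alone, and the shift constant is unsigned to avoid signed
 * overflow.  The trailing ';' is retained for source compatibility with
 * existing callers: the macro can only be used as a complete statement
 * (e.g. as an initializer), never inside a condition.
 * Note: unlike CHECK_AUDIT_DDL, this consults neither Audit_enabled nor
 * audit_check_full_audit_user().
 */
#define CHECK_AUDIT_LOGIN(type) \
    (((unsigned int)u_sess->attr.attr_security.Audit_Session & (1U << (type))));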
|
|
/* Argument-count limit, presumably for pg_query_audit() — verify against its definition. */
#define PG_QUERY_AUDIT_ARGS_MAX 3
|
|
|
|
/* Per-thread flag: true on an auditor thread (presumably set in PgAuditorMain) — verify at the definition. */
extern THR_LOCAL bool am_sysauditor;

/*
 * Pipe between backends and the auditor: POSIX file descriptors, or Win32
 * HANDLEs.  Which index is the read end and which the write end is not
 * defined here — check the definition before using it.
 */
#ifndef WIN32
extern int sysauditPipe[2];
#else
extern HANDLE sysauditPipe[2];
#endif
|
|
|
|
/* Launch one auditor thread and return its id (the failure value is not defined here — see the definition). */
extern ThreadId pgaudit_start(void);
/* Start / stop all auditor threads. */
extern void pgaudit_start_all(void);
extern void pgaudit_stop_all(void);
/* Lift any restart back-off so an auditor may be spawned again immediately. */
extern void allow_immediate_pgaudit_restart(void);

// multi-thread audit
/* Choose which auditor thread index a backend should hand its records to (selection policy lives in the definition). */
extern int audit_load_thread_index(void);

#ifdef EXEC_BACKEND
/* Auditor thread entry point for the exec'd-backend build. */
extern void PgAuditorMain();
#endif
|
|
|
|
/* ----------
|
|
* Audit event types reported from backends.  The order of these enumerators is tied to struct AuditTypeDescs, which must be updated in the same change whenever an entry is added, removed or reordered.
|
|
* ----------
|
|
*/
|
|
|
|
/*
 * Values are positional indices into AuditTypeDescs: append new entries at
 * the end and never renumber.  They are NOT bit positions — there are more
 * than 32 entries — so an arbitrary AuditType must not be fed to the
 * 1 << type mask macros (CHECK_AUDIT_DDL takes a DDLType; CHECK_AUDIT_LOGIN
 * presumably only the three login/logout values below — verify at call sites).
 */
typedef enum {
    AUDIT_UNKNOWN_TYPE = 0,
    /* session lifecycle */
    AUDIT_LOGIN_SUCCESS,
    AUDIT_LOGIN_FAILED,
    AUDIT_USER_LOGOUT,
    /* instance lifecycle */
    AUDIT_SYSTEM_START,
    AUDIT_SYSTEM_STOP,
    AUDIT_SYSTEM_RECOVER,
    AUDIT_SYSTEM_SWITCH,
    /* account and privilege management */
    AUDIT_LOCK_USER,
    AUDIT_UNLOCK_USER,
    AUDIT_GRANT_ROLE,
    AUDIT_REVOKE_ROLE,
    AUDIT_USER_VIOLATION,
    /*
     * DDL by object class.  NOTE: this order is not the same as DDLType
     * below, so the two must never be converted by offset.
     */
    AUDIT_DDL_DATABASE,
    AUDIT_DDL_DIRECTORY,
    AUDIT_DDL_TABLESPACE,
    AUDIT_DDL_SCHEMA,
    AUDIT_DDL_USER,
    AUDIT_DDL_TABLE,
    AUDIT_DDL_INDEX,
    AUDIT_DDL_VIEW,
    AUDIT_DDL_TRIGGER,
    AUDIT_DDL_FUNCTION,
    AUDIT_DDL_RESOURCEPOOL,
    AUDIT_DDL_WORKLOAD,
    AUDIT_DDL_SERVERFORHADOOP,
    AUDIT_DDL_DATASOURCE,
    AUDIT_DDL_NODEGROUP,
    AUDIT_DDL_ROWLEVELSECURITY,
    AUDIT_DDL_SYNONYM,
    AUDIT_DDL_TYPE,
    AUDIT_DDL_TEXTSEARCH,
    /* DML and other statement-level events */
    AUDIT_DML_ACTION,
    AUDIT_DML_ACTION_SELECT,
    AUDIT_INTERNAL_EVENT,
    AUDIT_FUNCTION_EXEC,
    AUDIT_SYSTEM_FUNCTION_EXEC,
    AUDIT_COPY_TO,
    AUDIT_COPY_FROM,
    AUDIT_SET_PARAMETER,
    /* policy / security subsystems */
    AUDIT_POLICY_EVENT,
    MASKING_POLICY_EVENT,
    SECURITY_EVENT,
    /* DDL classes added later; appended here rather than in the DDL group to preserve existing indices */
    AUDIT_DDL_SEQUENCE, // ddl_sequence in struct AuditTypeDescs
    AUDIT_DDL_KEY,
    AUDIT_DDL_PACKAGE,
    AUDIT_DDL_MODEL,
    AUDIT_DDL_GLOBALCONFIG,
    AUDIT_DDL_PUBLICATION_SUBSCRIPTION,
    AUDIT_DDL_FOREIGN_DATA_WRAPPER,
    AUDIT_DDL_SQL_PATCH,
    AUDIT_DDL_EVENT
} AuditType;
|
|
|
|
/* Keep in the same order as the bits of the audit_system_object parameter: each enumerator is the bit position tested by CHECK_AUDIT_DDL. */
|
|
/*
 * Each enumerator is the bit position tested by CHECK_AUDIT_DDL against the
 * Audit_DDL mask, so the order is part of the contract with the
 * audit_system_object parameter: append only, never insert or reorder.
 * Audit_DDL is masked as a 32-bit unsigned int, so the highest value
 * (currently DDL_EVENT == 27) must stay below 32.
 * The order here deliberately differs from the AUDIT_DDL_* order in
 * AuditType (e.g. DDL_TABLESPACE and DDL_DIRECTORY sit elsewhere), so never
 * convert between the two enums by offset.
 */
typedef enum {
    DDL_DATABASE = 0,
    DDL_SCHEMA,
    DDL_USER,
    DDL_TABLE,
    DDL_INDEX,
    DDL_VIEW,
    DDL_TRIGGER,
    DDL_FUNCTION,
    DDL_TABLESPACE,
    DDL_RESOURCEPOOL,
    DDL_WORKLOAD,
    DDL_SERVERFORHADOOP,
    DDL_DATASOURCE,
    DDL_NODEGROUP,
    DDL_ROWLEVELSECURITY,
    DDL_TYPE,
    DDL_TEXTSEARCH,
    DDL_DIRECTORY,
    DDL_SYNONYM,
    DDL_SEQUENCE,
    DDL_KEY,
    DDL_PACKAGE,
    DDL_MODEL,
    DDL_PUBLICATION_SUBSCRIPTION,
    DDL_GLOBALCONFIG,
    DDL_FOREIGN_DATA_WRAPPER,
    DDL_SQL_PATCH,
    DDL_EVENT /* bit 27: the last bit in use; keep any addition below 32 */
} DDLType;
|
|
|
|
/*
 * Brief : zero-based index of each string field within an audit record
 * Description : the order matches the const char* members auditUserId..remotePortInfo of struct AuditElasticEvent below
 */
|
|
/*
 * Index of each string field in an audit record.  The sequence is the same
 * as the const char* members auditUserId..remotePortInfo of struct
 * AuditElasticEvent; keep the two in sync when adding a field.
 */
typedef enum {
    AUDIT_USER_ID = 0,
    AUDIT_USER_NAME,
    AUDIT_DATABASE_NAME,
    AUDIT_CLIENT_CONNINFO,
    AUDIT_OBJECT_NAME,
    AUDIT_DETAIL_INFO,
    AUDIT_NODENAME_INFO,
    AUDIT_THREADID_INFO,
    AUDIT_LOCALPORT_INFO,
    AUDIT_REMOTEPORT_INFO
} AuditStringFieldNum;
|
|
|
|
/*
 * Flattened audit record: the textual fields plus the event time.
 * Ownership and lifetime of the const char* members are not defined here —
 * presumably they alias buffers owned by the producer, so do not retain an
 * AuditElasticEvent beyond the call that built it without confirming this.
 * The unit of eventTime (seconds vs. milliseconds since the epoch) is not
 * defined here either — verify against the producer.
 */
struct AuditElasticEvent {
    const char* aDataType;     /* textual event type, presumably derived from AuditType — verify */
    const char* aDataResult;   /* textual outcome, presumably derived from AuditResult — verify */
    /* The next ten members are indexed by AuditStringFieldNum, in that order. */
    const char* auditUserId;
    const char* auditUserName;
    const char* auditDatabaseName;
    const char* clientConnInfo;
    const char* objectName;
    const char* detailInfo;
    const char* nodeNameInfo;
    const char* threadIdInfo;
    const char* localPortInfo;
    const char* remotePortInfo;
    long long eventTime;
};
|
|
|
|
/* Outcome recorded with an audit event. */
typedef enum { AUDIT_UNKNOWN = 0, AUDIT_OK, AUDIT_FAILED } AuditResult;
/* Which audit SQL function is involved; presumably pg_query_audit() vs. pg_delete_audit() — verify at use sites. */
typedef enum { AUDIT_FUNC_QUERY = 0, AUDIT_FUNC_DELETE } AuditFuncType;
/* Audit class passed to audit_report(); STD_AUDIT_TYPE is its default. */
typedef enum { STD_AUDIT_TYPE = 0, UNIFIED_AUDIT_TYPE } AuditClassType;
|
|
|
|
/*
 * Emit one audit record of the given type and result.  object_name and
 * detail_info are free-form strings; whether NULL is accepted is not defined
 * here — check the definition.  ctype selects STD_AUDIT_TYPE (default, a C++
 * default argument) or UNIFIED_AUDIT_TYPE.  Callers are expected to consult
 * the AUDIT_*_ENABLED / CHECK_AUDIT_* switches above first — verify.
 */
extern void audit_report(AuditType type, AuditResult result, const char* object_name, const char* detail_info, AuditClassType ctype = STD_AUDIT_TYPE);
/* SQL-callable entry points (fmgr calling convention, see fmgr.h). */
extern Datum pg_query_audit(PG_FUNCTION_ARGS);
extern Datum pg_delete_audit(PG_FUNCTION_ARGS);
/* True when 'pid' identifies an auditor thread. */
extern bool pg_auditor_thread(ThreadId pid);
|
|
|
|
/* Guard macros for int-returning security functions that report failure as -1 */
|
|
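/*
 * check_intval(rc, express, retval, file, line)
 *
 * Guard for an int-returning security-library call that signals failure
 * with -1.  When (rc) == -1 it reports the failing location on stderr,
 * evaluates the cleanup statement 'express' and returns 'retval' from the
 * enclosing function; otherwise it does nothing.  'rc' is evaluated once.
 *
 * Callers normally use securec_check_intval(), which fills in file/line.
 * The expansion is a plain compound statement rather than do { } while (0),
 * kept that way for source compatibility; the caller's trailing ';' becomes
 * an empty statement, so do not use it as the unbraced body of an
 * if/else.  The first parameter was renamed from 'errno' (a name reserved
 * by <errno.h>) — the rename is positional and changes nothing for callers.
 */
#define check_intval(rc, express, retval, file, line) \
    { \
        if ((rc) == -1) { \
            fprintf(stderr, \
                "%s:%d failed on calling " \
                "security function.\n", \
                file, \
                line); \
            express; \
            return retval; \
        } \
    }

/* check_intval() with the caller's own file and line filled in. */
#define securec_check_intval(val, express, retval) check_intval(val, express, retval, __FILE__, __LINE__)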
|
|
|
|
#endif /* _PGAUDIT_H */
|