*: log some crucial sql for user/privilege related operations. (#3557)
This commit is contained in:
tiancaiamao
14
ast/misc.go
14
ast/misc.go
@ -414,6 +414,20 @@ type UserSpec struct {
|
||||
AuthOpt *AuthOption
|
||||
}
|
||||
|
||||
// SecurityString formats the UserSpec without password information.
|
||||
func (u *UserSpec) SecurityString() string {
|
||||
withPassword := false
|
||||
if opt := u.AuthOpt; opt != nil {
|
||||
if len(opt.AuthString) > 0 || len(opt.HashString) > 0 {
|
||||
withPassword = true
|
||||
}
|
||||
}
|
||||
if withPassword {
|
||||
return fmt.Sprintf("{%s password = ***}", u.User)
|
||||
}
|
||||
return u.User
|
||||
}
|
||||
|
||||
// CreateUserStmt creates user account.
|
||||
// See https://dev.mysql.com/doc/refman/5.7/en/create-user.html
|
||||
type CreateUserStmt struct {
|
||||
|
||||
@ -465,7 +465,9 @@ func (do *Domain) LoadPrivilegeLoop(ctx context.Context) error {
|
||||
}
|
||||
err := do.privHandle.Update(ctx)
|
||||
if err != nil {
|
||||
log.Error("load privilege fail:", errors.ErrorStack(err))
|
||||
log.Error("[domain] load privilege fail:", errors.ErrorStack(err))
|
||||
} else {
|
||||
log.Info("[domain] reload privilege success.")
|
||||
}
|
||||
}
|
||||
}()
|
||||
|
||||
30
session.go
30
session.go
@ -628,6 +628,8 @@ func (s *session) Execute(sql string) ([]ast.RecordSet, error) {
|
||||
if r != nil {
|
||||
rs = append(rs, r)
|
||||
}
|
||||
|
||||
logCrucialStmt(rst)
|
||||
}
|
||||
|
||||
if s.sessionVars.ClientCapability&mysql.ClientMultiResults == 0 && len(rs) > 1 {
|
||||
@ -1161,3 +1163,31 @@ func (s *session) ShowProcess() util.ProcessInfo {
|
||||
}
|
||||
return pi
|
||||
}
|
||||
|
||||
// logCrucialStmt logs some crucial SQL including: CREATE USER/GRANT PRIVILEGE/CHANGE PASSWORD etc.
|
||||
func logCrucialStmt(node ast.StmtNode) {
|
||||
switch stmt := node.(type) {
|
||||
case *ast.CreateUserStmt:
|
||||
for _, user := range stmt.Specs {
|
||||
log.Infof("[CRUCIAL OPERATION] create user %s.", user.SecurityString())
|
||||
}
|
||||
case *ast.DropUserStmt:
|
||||
log.Infof("[CRUCIAL OPERATION] drop user %v.", stmt.UserList)
|
||||
case *ast.AlterUserStmt:
|
||||
for _, user := range stmt.Specs {
|
||||
log.Infof("[CRUCIAL OPERATION] alter user %s.", user.SecurityString())
|
||||
}
|
||||
case *ast.SetPwdStmt:
|
||||
log.Infof("[CRUCIAL OPERATION] set password for user %s.", stmt.User)
|
||||
case *ast.GrantStmt:
|
||||
text := stmt.Text()
|
||||
// Filter "identified by xxx" because it would expose password information.
|
||||
idx := strings.Index(strings.ToLower(text), "identified")
|
||||
if idx > 0 {
|
||||
text = text[:idx]
|
||||
}
|
||||
log.Infof("[CRUCIAL OPERATION] %s.", text)
|
||||
case *ast.RevokeStmt:
|
||||
log.Infof("[CRUCIAL OPERATION] %s.", stmt.Text())
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user