[FEAT MERGE] 开源裁减颗粒度优化

Co-authored-by: nroskill <nroskill@gmail.com>
Co-authored-by: akaError <lzg020616@163.com>
Co-authored-by: yinyj17 <yinyijun92@gmail.com>
This commit is contained in:
wenxingsen
2023-08-15 02:40:25 +00:00
committed by ob-robot
parent a31e422133
commit 9b31f8aa03
378 changed files with 26718 additions and 2379 deletions


@ -23,6 +23,185 @@ namespace oceanbase
{
namespace sql
{
#ifdef OB_BUILD_AUDIT_SECURITY
//Audit file /data/log1/oracle/oracle/admin/orcl/adump/orcl_ora_998570_20181225191358365255143795.aud
//Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
//Build label: RDBMS_12.2.0.1.0_LINUX.X64_170125
//ORACLE_HOME: /data/log1/oracle/oracle/product/12.2.0
//System name: Linux
//Node name: OceanBase004065.sqa.ztt
//Release: 3.10.0-327.ali2000.alios7.x86_64
//Version: #1 SMP Tue Dec 29 19:54:05 CST 2015
//Machine: x86_64
//Instance name: orcl
//Redo thread mounted by this instance: 1
//Oracle process number: 165
//Unix process pid: 998570, image: oracle@OceanBase004065.sqa.ztt
//
//Tue Dec 25 19:13:58 2018 +08:00
//LENGTH : '336'
//ACTION :[7] 'CONNECT'
//DATABASE USER:[3] 'SYS'
//PRIVILEGE :[6] 'SYSDBA'
//CLIENT USER:[9] 'xiaoyi.xy'
//CLIENT TERMINAL:[5] 'pts/7'
//STATUS:[1] '0'
//DBID:[10] '1492669708'
//SESSIONID:[10] '4294967295'
//USERHOST:[23] 'OceanBase224012.sqa.bja'
//CLIENT ADDRESS:[56] '(ADDRESS=(PROTOCOL=tcp)(HOST=10.125.224.12)(PORT=53119))'
//ACTION NUMBER:[3] '100'
class ObSecurityAuditData : public common::ObBasebLogPrint
{
public:
ObSecurityAuditData()
: ObBasebLogPrint(), is_const_filled_(false), length_(0), svr_port_(0), tenant_id_(0),
user_id_(0), effective_user_id_(0), proxy_session_id_(0), session_id_(0),
entry_id_(0), statement_id_(0), commit_version_(0), trace_id_{0}, db_id_(0), cur_db_id_(0),
sql_timestamp_us_(0), record_timestamp_us_(0), audit_id_(0), audit_type_(0),
operation_type_(0), action_id_(0), return_code_(0),
logoff_logical_read_(0), logoff_physical_read_(0), logoff_logical_write_(0),
logoff_lock_count_(0), logoff_cpu_time_us_(0), logoff_exec_time_us_(0),
logoff_alive_time_us_(0)
{}
virtual ~ObSecurityAuditData() {}
void reset() { new (this) ObSecurityAuditData(); }
TO_STRING_KV(K_(is_const_filled), K_(svr_ip), K_(svr_port), K_(tenant_id), K_(tenant_name),
K_(user_id), K_(user_name), K_(effective_user_id), K_(effective_user_name),
K_(client_ip), K_(user_client_ip), K_(proxy_session_id), K_(session_id),
K_(entry_id), K_(statement_id), K_(trans_id), K_(commit_version),
K(trace_id_[0]), K(trace_id_[1]), K_(cur_db_id), K_(cur_db_name),
K_(db_id), K_(db_name), K_(sql_timestamp_us), K_(record_timestamp_us),
K_(audit_id), K_(audit_type), K_(operation_type), K_(action_id),
K_(return_code), K_(sql_text), K_(auth_privileges), K_(auth_grantee));
void calc_total_length();
virtual int64_t get_data_length() const { return length_; }
virtual int64_t get_timestamp() const { return record_timestamp_us_; }
virtual int print_data(char *buf, int64_t buf_len, int64_t &pos) const;
inline static uint64_t get_next_entry_id()
{
static uint64_t next_entry_id = 1;
return ATOMIC_FAA(&next_entry_id, 1);
}
public:
bool is_const_filled_;
//refers to the total number of bytes used in this audit record.
//This number includes the trailing newline bytes (\n), if any,
//at the end of the audit record.
int64_t length_;
//SERVER ADDR
common::ObString svr_ip_;
int32_t svr_port_;
//TENANTID
uint64_t tenant_id_;
//CLIENT TENANT
common::ObString tenant_name_;
//USERID
uint64_t user_id_;
common::ObString user_name_;
uint64_t effective_user_id_;
common::ObString effective_user_name_;
//Client host machine name
//CLIENT ADDRESS
common::ObString client_ip_;
//PROXY_CLIENT ADDRESS
common::ObString user_client_ip_;
//OB_PROXY_SESSIONID
uint64_t proxy_session_id_;
//Numeric ID for each Oracle session. Each user session gets a unique session ID.
//SESSIONID
uint64_t session_id_;
//indicates the current audit entry number, assigned to each audit trail record.
//The audit ENTRYID sequence number is shared between fine-grained audit records
//and regular audit records
//ENTRYID
uint64_t entry_id_;
//nth statement in the user session. The first SQL statement gets a value of 1 and
//the value is incremented for each subsequent SQL statement.
//Note that one SQL statement can create more than one audit trail entry
//(for example, when more than one object is audited from the same SQL statement),
//and in this case the statement ID remains the same for that statement
//and the entry ID increases for each audit trail entry created by the statement.
//STATEMENT
uint64_t statement_id_;
common::ObString trans_id_;
int64_t commit_version_;
uint64_t trace_id_[2];
//is a database identifier calculated when the database is created.
//It corresponds to the DBID column of the V$DATABASE data dictionary view.
uint64_t db_id_;
uint64_t cur_db_id_;
//DATABASE USER
common::ObString db_name_;
common::ObString cur_db_name_;
int64_t sql_timestamp_us_;
//Date and time of the creation of the audit trail entry in the local database session time zone
int64_t record_timestamp_us_;
uint64_t audit_id_;
uint64_t audit_type_;
uint64_t operation_type_;
//is a numeric value representing the action the user performed.
//The corresponding name of the action type is in the AUDIT_ACTIONS table.
//For example, action 100 refers to LOGON
//ACTION_NUMBER
uint64_t action_id_;
//indicates if the audited action was successful. 0 indicates success.
//If the action fails, the return code lists the Oracle Database error number.
//For example, if you try to drop a non-existent table, the error number
//is ORA-00903 invalid table name, which in turn translates to 903 in the RETURNCODE setting.
//RETURNCODE
int return_code_;
common::ObString obj_owner_name_;
common::ObString obj_name_;
common::ObString new_obj_owner_name_;
common::ObString new_obj_name_;
common::ObString auth_privileges_;
common::ObString auth_grantee_;
uint64_t logoff_logical_read_;
uint64_t logoff_physical_read_;
uint64_t logoff_logical_write_;
uint64_t logoff_lock_count_;
common::ObString logoff_dead_lock_;
uint64_t logoff_cpu_time_us_;
uint64_t logoff_exec_time_us_;
uint64_t logoff_alive_time_us_;
common::ObString comment_text_;
common::ObString sql_bind_;
common::ObString sql_text_;
};
#endif
} //namespace sql
} //namespace oceanbase
#endif
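Review bot: `reset()` at `void reset() { new (this) ObSecurityAuditData(); }` re-constructs the object in place without first destroying the current instance; since the class has a virtual destructor and several `common::ObString` members whose ownership is not visible in this hunk, the assignment form `*this = ObSecurityAuditData();` expresses the same intent without relying on every member being trivially destructible. The `virtual` members `get_data_length`, `get_timestamp` and `print_data` would also read better with `override`, assuming `ObBasebLogPrint` declares them virtual. Separately, the sample audit record in the header comment carries what look like real internal node names, a client IP address and a user name; that operational detail does not need to ship in an open-source header and could be replaced with placeholders such as `HOST=<client-ip>` and `CLIENT USER:[6] '<user>'` without losing the format illustration.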


@ -21,6 +21,7 @@
namespace oceanbase
{
#ifndef OB_BUILD_AUDIT_SECURITY
namespace sql
{
enum class ObAuditTrailType{
@ -46,6 +47,285 @@ public:
int64_t &pos);
};
}
#else
namespace share
{
namespace schema
{
enum ObSAuditOperationType : uint64_t;
enum ObSAuditType : uint64_t;
enum class ObObjectType;
struct ObObjectStruct;
class ObSchemaGetterGuard;
}
}
namespace sql
{
class ObStmt;
class ObPhysicalPlan;
class ObSQLSessionInfo;
class ObSecurityAuditData;
class ObResultSet;
enum class ObAuditTrailType{
INVALID = 0,
NONE,
OS,
DB,
DB_EXTENDED,
};
ObAuditTrailType get_audit_trail_type_from_string(const common::ObString &string);
// 定义可以被审计的一个元素
// 记录一个对象和对其进行的操作,如 (SELECT, TABLE T1)
// 或者一个没有对应对象的操作,如 (LOGIN, NULL)
struct ObAuditUnit
{
ObAuditUnit() : stmt_type_(sql::stmt::T_NONE),
obj_type_(share::schema::ObObjectType::INVALID),
obj_id_(common::OB_INVALID_ID),
obj_idx_(-1),
stmt_operation_type_(share::schema::AUDIT_OP_INVALID),
obj_operation_type_(share::schema::AUDIT_OP_INVALID) {}
ObAuditUnit(
sql::stmt::StmtType stmt_type,
share::schema::ObObjectType obj_type,
uint64_t obj_id,
int64_t obj_idx,
share::schema::ObSAuditOperationType stmt_operation_type,
share::schema::ObSAuditOperationType obj_operation_type)
: stmt_type_(stmt_type), obj_type_(obj_type), obj_id_(obj_id), obj_idx_(obj_idx),
stmt_operation_type_(stmt_operation_type), obj_operation_type_(obj_operation_type) {}
~ObAuditUnit() {};
sql::stmt::StmtType stmt_type_;
share::schema::ObObjectType obj_type_;
uint64_t obj_id_;
int64_t obj_idx_;
share::schema::ObSAuditOperationType stmt_operation_type_;
share::schema::ObSAuditOperationType obj_operation_type_;
TO_STRING_KV(K_(stmt_type), K_(obj_type), K_(obj_id), K_(obj_idx), K_(stmt_operation_type),
K_(obj_operation_type));
};
class ObSecurityAuditUtils final
{
public:
struct AuditDataParam {
AuditDataParam() : audit_id_(0), audit_type_(0),
operation_type_(0), action_id_(0),
db_id_(0), action_sql_(), comment_text_(), return_code_(0),
sys_privilege_(0), grant_option_(0),
audit_option_(share::schema::AUDIT_OP_INVALID), grantee_(),
stmt_type_(stmt::StmtType::T_NONE), stmt_(NULL)
{
MEMSET(client_ip_buf_, 0, sizeof(client_ip_buf_));
MEMSET(server_ip_buf_, 0, sizeof(server_ip_buf_));
MEMSET(trans_id_buf_, 0, sizeof(trans_id_buf_));
MEMSET(auth_privileges_buf_, 0, sizeof(auth_privileges_buf_));
}
int64_t to_string(char *buf, const int64_t buf_len) const
{
int64_t pos = 0;
J_OBJ_START();
J_KV(K_(client_ip_buf),
K_(server_ip_buf),
K_(trans_id_buf),
K_(auth_privileges_buf),
K_(audit_id),
K_(audit_type),
K_(operation_type),
K_(db_id),
K_(action_sql),
K_(comment_text),
K_(return_code),
K_(sys_privilege),
K_(grant_option),
K_(audit_option),
K_(grantee),
K_(stmt_type),
KP_(stmt));
J_OBJ_END();
return pos;
}
char client_ip_buf_[common::OB_IP_STR_BUFF];
char server_ip_buf_[common::OB_IP_STR_BUFF];
char trans_id_buf_[common::OB_MAX_TRANS_ID_BUFFER_SIZE];
char auth_privileges_buf_[common::MAX_COLUMN_PRIVILEGE_LENGTH];
uint64_t audit_id_;
uint64_t audit_type_;
uint64_t operation_type_;
int64_t action_id_;
uint64_t db_id_;
common::ObString action_sql_;
common::ObString comment_text_;
int return_code_;
uint64_t sys_privilege_;
uint64_t grant_option_;
share::schema::ObSAuditOperationType audit_option_;
common::ObString grantee_;
stmt::StmtType stmt_type_;
const sql::ObStmt *stmt_;
};
struct AuditActionTypeTransform
{
public:
AuditActionTypeTransform()
: audit_action_type_from_stmt_()
{
for (int j = 0; j < ARRAYSIZEOF(audit_action_type_from_stmt_); j++) {
audit_action_type_from_stmt_[j] = audit::ACTION_TYPE_UNKNOWN;
}
#define OB_STMT_TYPE_DEF(stmt_type, priv_check_func, id, action_type) audit_action_type_from_stmt_[stmt::stmt_type] = audit::action_type;
#include "sql/resolver/ob_stmt_type.h"
#undef OB_STMT_TYPE_DEF
}
audit::AuditActionType audit_action_type_from_stmt_[stmt::T_MAX + 1];
};
typedef int (*ObCheckAllowAuditFunc) (ObSQLSessionInfo &session,
share::schema::ObSchemaGetterGuard *schema_guard,
const ObAuditUnit &audit_unit,
AuditDataParam &filled_param,
bool &is_allow_audit);
public:
ObSecurityAuditUtils() {}
static int handle_security_audit(ObSQLSessionInfo &session,
const stmt::StmtType stmt_type,
const common::ObString &action_sql,
const common::ObString &comment_text,
const int return_code);
static int handle_security_audit(ObResultSet &result,
share::schema::ObSchemaGetterGuard *schema_guard,
const sql::ObStmt *stmt,
const common::ObString &comment_text,
const int return_code);
static int check_allow_audit(ObSQLSessionInfo &session, bool &allow_audit);
static int check_allow_audit(ObSQLSessionInfo &session, ObAuditTrailType &at_type);
static int do_security_audit_record(ObSQLSessionInfo &session,
share::schema::ObSchemaGetterGuard *schema_guard,
const sql::ObStmt *stmt,
ObResultSet *result,
AuditDataParam &filled_param,
const ObAuditTrailType at_type);
static int gen_audit_records(ObSQLSessionInfo &session,
share::schema::ObSchemaGetterGuard &schema_guard,
AuditDataParam &param,
const sql::ObStmt *stmt,
const ObAuditUnit &audit_unit,
const ObAuditTrailType at_type);
static int gen_single_audit_record(ObSQLSessionInfo &session,
share::schema::ObSchemaGetterGuard &schema_guard,
const AuditDataParam &param,
const sql::ObStmt *stmt,
const ObAuditUnit &audit_unit,
const ObAuditTrailType at_type);
static int fill_audit_data(ObSQLSessionInfo &session,
const AuditDataParam &param,
const sql::ObStmt *stmt,
ObSecurityAuditData &security_audit_data);
static int fill_audit_obj_name(const AuditDataParam &param,
share::schema::ObSchemaGetterGuard &schema_guard,
const sql::ObStmt *stmt,
const ObAuditUnit &audit_unit,
ObSecurityAuditData &saudit_data);
static int fill_audit_obj_name_from_stmt(const AuditDataParam &param,
share::schema::ObSchemaGetterGuard &schema_guard,
const sql::ObStmt *stmt,
const ObAuditUnit &audit_unit,
ObSecurityAuditData &saudit_data);
static int record_audit_data(const ObAuditTrailType at_type,
ObSecurityAuditData &security_audit_data);
static int record_audit_data_into_table(ObSecurityAuditData &security_audit_data,
const bool need_record_sql);
static int get_action_sql(const stmt::StmtType stmt_type, const sql::ObStmt *stmt,
ObSQLSessionInfo &session, common::ObString &action_sql);
static int get_audit_units(const stmt::StmtType stmt_type,
const sql::ObStmt *basic_stmt,
common::ObIArray<ObAuditUnit> &audit_units);
static int get_audit_units_in_subquery(const sql::ObDMLStmt *basic_stmt,
common::ObIArray<ObAuditUnit> &audit_units);
static int get_stmt_operation_type_from_stmt(const stmt::StmtType stmt_type,
const sql::ObStmt *stmt, share::schema::ObSAuditOperationType &operation_type);
static int get_object_operation_type_from_stmt(const stmt::StmtType stmt_type,
sql::ObStmt *stmt,
share::schema::ObSAuditOperationType &operation_type,
common::ObIArray<share::schema::ObObjectStruct> &object_ids);
static int get_dml_objects(const sql::ObDMLStmt *stmt,
common::ObIArray<share::schema::ObObjectStruct> &object_ids);
static int get_uniq_sequences_in_dml(const sql::ObDMLStmt *stmt,
common::hash::ObHashSet<uint64_t> &object_ids);
// 下面一系列函数各种检查一种场景的审计规则,符合ObCheckAllowAuditFunc接口
// 检查是否命中指定用户的语句审计规则
static int check_allow_stmt_operation(ObSQLSessionInfo &session,
share::schema::ObSchemaGetterGuard *schema_guard,
const ObAuditUnit &audit_unit,
AuditDataParam &filled_param,
bool &is_allow_audit);
// 检查是否命中不指定用户的语句审计规则
static int check_allow_stmt_all_user_operation(ObSQLSessionInfo &session,
share::schema::ObSchemaGetterGuard *schema_guard,
const ObAuditUnit &audit_unit,
AuditDataParam &filled_param,
bool &is_allow_audit);
// 检查是否命中not exist规则,此类规则根据返回码判断,和其他语句审计规则根据stmt_type判断的逻辑不同
static int check_allow_not_exist_operation(ObSQLSessionInfo &session,
share::schema::ObSchemaGetterGuard *schema_guard,
const ObAuditUnit &audit_unit,
AuditDataParam &filled_param,
bool &is_allow_audit);
// 检查是否命中对象审计规则
static int check_allow_obj_operation(ObSQLSessionInfo &session,
share::schema::ObSchemaGetterGuard *schema_guard,
const ObAuditUnit &audit_unit,
AuditDataParam &filled_param,
bool &is_allow_audit);
// 新增审计规则时,如果这条语句自身满足新增的规则,则也需要被审计
static int check_allow_self_audit_operation(ObSQLSessionInfo &session,
share::schema::ObSchemaGetterGuard *schema_guard,
const ObAuditUnit &audit_unit,
AuditDataParam &filled_param,
bool &is_allow_audit);
static share::schema::ObObjectType get_object_type_from_audit_type(
const share::schema::ObSAuditType type);
static share::schema::ObSAuditType get_audit_type_from_object_type(
const share::schema::ObObjectType type);
static bool is_not_exist_errno(const int errcode);
static int print_obj_privs_to_buff(char *buf,
const int64_t buf_len,
int64_t &pos,
const stmt::StmtType stmt_type,
const share::ObRawObjPrivArray &obj_priv_array,
const uint64_t grant_option);
static int print_admin_option_to_buff(char *buf,
const int64_t buf_len,
int64_t &pos,
const stmt::StmtType stmt_type,
uint64_t option);
static int get_audit_file_name(char *buf,
const int64_t buf_len,
int64_t &pos);
static int get_action_type_from_stmt_type(const stmt::StmtType stmt_type,
const sql::ObStmt *stmt,
audit::AuditActionType &action_type);
static common::ObString get_action_type_string(const audit::AuditActionType action_type);
static const common::ObString audit_action_type_string[];
private:
static const char* priv_names[];
static const ObCheckAllowAuditFunc check_allow_audit_funcs_[];
static const int check_allow_funcs_nums_;
};
} //namespace sql
#endif
} //namespace oceanbase
#endif
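Review bot: `AuditDataParam::to_string` (the `J_KV(...)` block in the second hunk) prints `action_sql_`, `comment_text_` and `grantee_` verbatim, so any log line that formats this struct emits the full statement text; for DDL such as CREATE USER / ALTER USER ... IDENTIFIED BY that text can contain a credential unless it is masked before it reaches `action_sql_`, which this hunk does not show. If masking is not guaranteed upstream, log the size rather than the content, e.g. replace `K_(action_sql)` with `"action_sql_len", action_sql_.length()`. Separately, `get_object_operation_type_from_stmt` takes `sql::ObStmt *stmt` while every sibling declaration in this block takes `const sql::ObStmt *stmt`; unless it genuinely mutates the statement, `const sql::ObStmt *stmt,` keeps the family consistent and lets callers holding a const pointer use it.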


@ -9,7 +9,7 @@
* MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
* See the Mulan PubL v2 for more details.
*/
#ifndef OB_BUILD_AUDIT_SECURITY
#define USING_LOG_PREFIX SQL_MONITOR
#include "sql/monitor/ob_security_audit_utils.h"
@ -50,4 +50,4 @@ int ObSecurityAuditUtils::get_audit_file_name(char *buf, const int64_t buf_len,
} //namespace sql
} //namespace oceanbase
#endif