Re: Auditing extension for PostgreSQL (Take 2)

From: Sawada Masahiko <sawada(dot)mshk(at)gmail(dot)com>
To: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
Cc: David Steele <david(at)pgmasters(dot)net>, Abhijit Menon-Sen <ams(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Fujii Masao <masao(dot)fujii(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Auditing extension for PostgreSQL (Take 2)
Date: 2015-03-24 14:28:01
Message-ID: CAD21AoA1-UVvjt0q8wvXBRc83RRwDhBgtRTR5vXByPdKb=e6-g@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Tue, Mar 24, 2015 at 3:17 AM, Alvaro Herrera
<alvherre(at)2ndquadrant(dot)com> wrote:
> Sawada Masahiko wrote:
>
>> I tied to look into latest patch, but got following error.
>>
>> masahiko [pg_audit] $ LANG=C make
>> gcc -Wall -Wmissing-prototypes -Wpointer-arith
>> -Wdeclaration-after-statement -Wendif-labels
>> -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing
>> -fwrapv -g -fpic -I. -I. -I../../src/include -D_GNU_SOURCE -c -o
>> pg_audit.o pg_audit.c
>> pg_audit.c: In function 'log_audit_event':
>> pg_audit.c:456: warning: ISO C90 forbids mixed declarations and code
>> pg_audit.c: In function 'pg_audit_ddl_command_end':
>> pg_audit.c:1436: error: 'pg_event_trigger_expand_command' undeclared
>> (first use in this function)
>
> You need to apply my deparsing patch first, last version of which I
> posted here:
> https://www.postgresql.org/message-id/20150316234406.GH3636@alvh.no-ip.org
>

Thank you for the info.
I've applied these patchese successfully.

I looked into this module, and had a few comments as follows.
1. pg_audit audits only one role currently.
In currently code, we can not multiple user as auditing user. Why?
(Sorry if this topic already has been discussed.)

2. OBJECT auditing does not work before adding acl info to pg_class.rel_acl.
In following situation, pg_audit can not audit OBJECT log.
$ cat postgresql.conf | grep audit
shared_preload_libraries = 'pg_audit'
pg_audit.role = 'hoge_user'
pg_audit.log = 'read, write'
$ psql -d postgres -U hoge_user
=# create table hoge(col int);
=# select * from hoge;
LOG: AUDIT: SESSION,3,1,READ,SELECT,,,select * from hoge;

OBJECT audit log is not logged here since pg_class.rel_acl is empty
yet. (Only logged SESSION log)
So after creating another unconcerned role and grant any privilege to that user,
OBJECT audit is logged successfully.

=# create role bar_user;
=# grant select on hoge to bar_user;
=# select * from hoge;
LOG: AUDIT: SESSION,4,1,READ,SELECT,,,select * from hoge;
LOG: AUDIT: OBJECT,4,1,READ,SELECT,TABLE,public.hoge,select * from hoge;

The both OBJCET and SESSION log are logged.

3. pg_audit logged OBJECT log even EXPLAIN command.
EXPLAIN command does not touch the table actually, but pg_audit writes
audit OBJECT log.
I'm not sure we need to log it. Is it intentional?

Regards,

-------
Sawada Masahiko

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message David Steele 2015-03-24 14:28:38 Re: recovery_target_time ignored ?
Previous Message Bruce Momjian 2015-03-24 14:05:12 Re: Zero-padding and zero-masking fixes for to_char(float)