From 0cd99ea79dd8b5df7af7b70fa27a7a48b427e58e Mon Sep 17 00:00:00 2001
From: Tao Liu
Date: Fri, 29 May 2020 11:10:19 +0000
Subject: [PATCH] [TD-424] add audit user
---
 src/client/src/tscSQLParser.c | 2 ++
 src/inc/taoserror.h | 3 ++-
 src/modules/monitor/src/monitorSystem.c | 14 ++++++++++-
 src/rpc/src/tstring.c | 1 +
 src/system/detail/inc/mgmt.h | 4 +++-
 src/system/detail/src/mgmtShell.c | 32 ++++++++++++++++++++++++-
 src/system/detail/src/mgmtUser.c | 4 ++++
 7 files changed, 56 insertions(+), 4 deletions(-)
diff --git a/src/client/src/tscSQLParser.c b/src/client/src/tscSQLParser.c
index b5c07ba0f4..c57071d9b4 100644
--- a/src/client/src/tscSQLParser.c
+++ b/src/client/src/tscSQLParser.c
@@ -442,6 +442,8 @@ int32_t tscToSQLCmd(SSqlObj* pSql, struct SSqlInfo* pInfo) {
 pCmd->count = 2;
 } else if (strncasecmp(pPrivilege->z, "write", 5) == 0 && pPrivilege->n == 5) {
 pCmd->count = 3;
+ } else if (strncasecmp(pPrivilege->z, "audit", 5) == 0 && pPrivilege->n == 5) {
+ pCmd->count = 4;
 } else {
 return invalidSqlErrMsg(tscGetErrorMsgPayload(pCmd), msg5);
 }
diff --git a/src/inc/taoserror.h b/src/inc/taoserror.h
index 197149d220..925fe8c6ec 100644
--- a/src/inc/taoserror.h
+++ b/src/inc/taoserror.h
@@ -140,8 +140,9 @@ extern "C" {
 #define TSDB_CODE_QUERY_CACHE_ERASED 119
 #define TSDB_CODE_AUTH_BANNED_PERIOD 120
 #define TSDB_CODE_IP_WHITELIST_FILTERED 121
+#define TSDB_CODE_NOT_AUDIT_USER 122
-#define TSDB_CODE_MAX_ERROR_CODE 122
+#define TSDB_CODE_MAX_ERROR_CODE 123
 #ifdef __cplusplus
 }
diff --git a/src/modules/monitor/src/monitorSystem.c b/src/modules/monitor/src/monitorSystem.c
index 34a9efa599..53bf210ed8 100644
--- a/src/modules/monitor/src/monitorSystem.c
+++ b/src/modules/monitor/src/monitorSystem.c
@@ -28,6 +28,7 @@
 #define SQL_LENGTH 1024
 #define LOG_LEN_STR 80
+#define LOG_RESULT_LEN 10
 #define IP_LEN_STR 15
 #define CHECK_INTERVAL 1000
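Review bot: The privilege code on the added `pCmd->count = 4;` line is a bare magic number that has to agree with the `pAlter->privilege == 4` test in mgmtProcessAlterUserMsg, and nothing ties the two together. A shared enum (constructed placeholder name: `TSDB_PRIVILEGE_AUDIT = 4`, alongside values for read and write) used on both the client and mgmt side would keep them in sync; failing that, a comment such as `// 4 == audit privilege, must match mgmtProcessAlterUserMsg` is warranted. tscToSQLCmd starts and ends outside the hunk.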
@@ -39,6 +40,8 @@ typedef enum {
 MONITOR_CMD_CREATE_TB_DN,
 MONITOR_CMD_CREATE_TB_ACCT_ROOT,
 MONITOR_CMD_CREATE_TB_SLOWQUERY,
+ MONITOR_CMD_CREATE_DB_AUDIT,
+ MONITOR_CMD_CREATE_TB_AUDIT,
 MONITOR_CMD_MAX
 } MonitorCommand;
@@ -194,9 +197,18 @@ void dnodeBuildMonitorSql(char *sql, int cmd) {
 "create table if not exists %s.log(ts timestamp, level tinyint, "
 "content binary(%d), ipaddr binary(%d))",
 tsMonitorDbName, LOG_LEN_STR, IP_LEN_STR);
+ } else if (cmd == MONITOR_CMD_CREATE_DB_AUDIT) {
+ char * auditDBname = "audit";
+ snprintf(sql, SQL_LENGTH,
+ "create database if not exists %s replica 1 days 10 keep 3650 rows 1024 cache 2048",
+ auditDBname);
+ } else if (cmd == MONITOR_CMD_CREATE_TB_AUDIT) {
+ snprintf(sql, SQL_LENGTH,
+ "create table if not exists audit.audit(ts timestamp, level tinyint, "
+ "dbuser binary(%d), result binary(%d), ipaddr binary(%d), content binary(%d))",
+ TSDB_USER_LEN, LOG_RESULT_LEN, IP_LEN_STR, LOG_LEN_STR);
 }
-
 sql[SQL_LENGTH] = 0;
 }
 void monitorInitDatabase() {
diff --git a/src/rpc/src/tstring.c b/src/rpc/src/tstring.c
index 4aabae0849..5af895f582 100644
--- a/src/rpc/src/tstring.c
+++ b/src/rpc/src/tstring.c
@@ -246,4 +246,5 @@ char *tsError[] = {"success",
 "client query cache erased", // 119
 "too many authentication failed, try 10 minutes later", //120
 "ip not in white list , connection denied", //121
+ "not audit user, can not access audit database" //122
 };
diff --git a/src/system/detail/inc/mgmt.h b/src/system/detail/inc/mgmt.h
index 424b65a0dd..3e0175852c 100644
--- a/src/system/detail/inc/mgmt.h
+++ b/src/system/detail/inc/mgmt.h
@@ -174,6 +174,7 @@ typedef struct _user_obj {
 int64_t createdTime;
 char superAuth : 1;
 char writeAuth : 1;
+ char auditAuth : 1;
 char reserved[16];
 char updateEnd[1];
 struct _user_obj *prev, *next;
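Review bot: The audit database name is hard-coded three separate times in this commit — the local `auditDBname` in the MONITOR_CMD_CREATE_DB_AUDIT branch, the `audit.audit` literal in the MONITOR_CMD_CREATE_TB_AUDIT branch, and the `strncasecmp(db,"audit",5)` gate in mgmtShell.c — so renaming it in one place silently breaks the access check. Hoist it into one shared `#define` (constructed placeholder: `TSDB_AUDIT_DB_NAME "audit"`) and use it at all three sites; the local should also be declared `const char *auditDBname`, since it points at a string literal. Note that the audit table's `content binary(%d)` is sized with LOG_LEN_STR (80), which presumably truncates audited statements longer than that — confirm this is acceptable for an audit record. dnodeBuildMonitorSql starts outside the hunk.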
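Review bot: `auditAuth` is added to `_user_obj` with no comment, and the neighbouring `reserved[16]`/`updateEnd[1]` fields suggest this record is persisted, so its layout matters. The new bit presumably packs into the same byte as `superAuth`/`writeAuth`, leaving the struct size unchanged and existing stored users with the bit clear (no audit right) — please confirm against the serialization code rather than relying on that. A comment such as `char auditAuth : 1;  // may access the audit database` would document the field.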
@@ -223,9 +224,10 @@ typedef struct _connObj {
 uint64_t stime; // login time
 char superAuth : 1; // super user flag
 char writeAuth : 1; // write flag
+ char auditAuth : 1;
 char killConnection : 1; // kill the connection flag
 uint8_t usePublicIp : 1; // if the connection request is publicIp
- uint8_t reserved : 4;
+ uint8_t reserved : 3;
 uint32_t queryId; // query ID to be killed
 uint32_t streamId; // stream ID to be killed
 uint32_t ip; // shell IP
diff --git a/src/system/detail/src/mgmtShell.c b/src/system/detail/src/mgmtShell.c
index d99b729aa6..edc05dd71c 100644
--- a/src/system/detail/src/mgmtShell.c
+++ b/src/system/detail/src/mgmtShell.c
@@ -199,6 +199,26 @@ int mgmtProcessMeterMetaMsg(char *pMsg, int msgLen, SConnObj *pConn) {
 goto _exit_code;
 }
+ char db[TSDB_DB_NAME_LEN + 1] = {0};
+ extractDBName(pInfo->meterId, db);
+ if(strncasecmp(db,"audit",5) == 0 && pConn->pUser->auditAuth == 0 && pConn->pUser->superAuth == 0) {
+ if ((pStart = mgmtAllocMsg(pConn, size, &pMsg, &pRsp)) == NULL) {
+ taosSendSimpleRsp(pConn->thandle, TSDB_MSG_TYPE_METERINFO_RSP, TSDB_CODE_SERV_OUT_OF_MEMORY);
+ return 0;
+ }
+ pRsp->code = TSDB_CODE_NOT_AUDIT_USER;
+ pMsg++;
+ goto _exit_code;
+ }
+ if(strncasecmp(db,"audit",5) != 0 && pConn->pUser->auditAuth != 0 && pConn->pUser->writeAuth ==0 ){
+ if ((pStart = mgmtAllocMsg(pConn, size, &pMsg, &pRsp)) == NULL) {
+ taosSendSimpleRsp(pConn->thandle, TSDB_MSG_TYPE_METERINFO_RSP, TSDB_CODE_SERV_OUT_OF_MEMORY);
+ return 0;
+ }
+ pRsp->code = TSDB_CODE_NO_READ_ACCESS;
+ pMsg++;
+ goto _exit_code;
+ }
 pMeterObj = mgmtGetMeter(pInfo->meterId);
 // on demand create table from super table if meter does not exists
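Review bot: The added `auditAuth` bit is the only field in this run of `_connObj` without a trailing comment, while its siblings all carry one (`// super user flag`, `// write flag`), so add `char auditAuth : 1;  // audit flag`. Dropping `reserved` from 4 to 3 keeps the bit-field run at 8 bits, which looks right provided the compiler packs the `char` and `uint8_t` bit-fields into one unit; if anything depends on `sizeof(SConnObj)` staying fixed, a `_Static_assert` on it would make that explicit — hedged, since nothing on this page shows such a dependency.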
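Review bot: Both added gates use `strncasecmp(db,"audit",5)`, which is a prefix test rather than a name match: any database whose name merely begins with "audit" is treated as the audit database by the first gate, and the audit-only user is allowed through the second gate for it. Since `db` is zero-initialised and so NUL-terminated (assuming extractDBName writes at most TSDB_DB_NAME_LEN bytes — confirm), compare the whole name instead: `if (strcasecmp(db, "audit") == 0 && pConn->pUser->auditAuth == 0 && pConn->pUser->superAuth == 0) {` and `if (strcasecmp(db, "audit") != 0 && pConn->pUser->auditAuth != 0 && pConn->pUser->writeAuth == 0) {`. The two rejection blocks differ only in the code written to `pRsp->code`, so a small static helper taking the error code would remove the duplication. This gate covers only the meter-meta request; if other metadata paths (super-table meta, for instance) also resolve a database they presumably need the same check, and note the flags are read from `pConn->pUser` rather than the `pConn->auditAuth` that mgmtEstablishConn populates. mgmtProcessMeterMetaMsg starts and ends outside the hunk.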
@@ -766,12 +786,19 @@ int mgmtProcessAlterUserMsg(char *pMsg, int msgLen, SConnObj *pConn) {
 if (pAlter->privilege == 2) { // read
 pUser->superAuth = 0;
 pUser->writeAuth = 0;
+ pUser->auditAuth = 0;
 }
 if (pAlter->privilege == 3) { // write
 pUser->superAuth = 0;
 pUser->writeAuth = 1;
+ pUser->auditAuth = 0;
 }
-
+ if (pAlter->privilege == 4) { // audit
+ pUser->superAuth = 0;
+ pUser->writeAuth = 0;
+ pUser->auditAuth = 1;
+ }
+ printf("user right: s %d, w %d, a %d \r\n ",pUser->superAuth,pUser->writeAuth, pUser->auditAuth);
 code = mgmtUpdateUser(pUser);
 mLPrint("user:%s privilege is altered by %s, code:%d", pAlter->user, pConn->pUser->user, code);
 } else {
@@ -1244,11 +1271,14 @@ void mgmtEstablishConn(SConnObj *pConn) {
 if (strcmp(pConn->pUser->user, "root") == 0) {
 pConn->superAuth = 1;
 pConn->writeAuth = 1;
+ pConn->auditAuth = 1;
 } else {
 pConn->superAuth = pConn->pUser->superAuth;
 pConn->writeAuth = pConn->pUser->writeAuth;
+ pConn->auditAuth = pConn->pUser->auditAuth;
 if (pConn->superAuth) {
 pConn->writeAuth = 1;
+ pConn->auditAuth = 1;
 }
 }
diff --git a/src/system/detail/src/mgmtUser.c b/src/system/detail/src/mgmtUser.c
index b854a62630..1596ad6f1f 100644
--- a/src/system/detail/src/mgmtUser.c
+++ b/src/system/detail/src/mgmtUser.c
@@ -128,8 +128,10 @@ int mgmtCreateUser(SAcctObj *pAcct, char *name, char *pass) {
 pUser->createdTime = taosGetTimestampMs();
 pUser->superAuth = 0;
 pUser->writeAuth = 1;
+ pUser->auditAuth = 0;
 if (strcmp(pUser->user, "root") == 0 || strcmp(pUser->user, pUser->acct) == 0) {
 pUser->superAuth = 1;
+ pUser->auditAuth = 1;
 }
 code = TSDB_CODE_SUCCESS;
@@ -227,6 +229,8 @@ int mgmtRetrieveUsers(SShowObj *pShow, char *data, int rows, SConnObj *pConn) {
 strcpy(pWrite, "super");
 } else if (pUser->writeAuth) {
 strcpy(pWrite, "write");
+ } else if (pUser->auditAuth) {
+ strcpy(pWrite, "audit");
 } else {
 strcpy(pWrite, "read");
 }
-- GitLab
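Review bot: The added `printf("user right: s %d, w %d, a %d \r\n ", ...)` writes to the server process's stdout on every privilege change and reads as leftover debugging output; the `mLPrint(...)` line immediately below already records the alteration, so delete the printf or fold the three flag values into that mLPrint message. The three `if (pAlter->privilege == N)` blocks now each assign all three flags, so a `switch (pAlter->privilege)` with a `default` case would make the mapping, and the behaviour for an unrecognised value, explicit. mgmtProcessAlterUserMsg starts and ends outside the hunk.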
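Review bot: `pConn->auditAuth` is populated here, but the access gate this commit adds to mgmtProcessMeterMetaMsg reads `pConn->pUser->auditAuth`, so the connection-level copy is not consulted anywhere visible in the patch. Either have the gate read `pConn->auditAuth`, consistent with how `superAuth`/`writeAuth` are cached on the connection, or drop the new field. Note that mgmtProcessAlterUserMsg does not appear to refresh the connection copy, so a cached flag would stay stale until reconnect, as already seems to be the case for `writeAuth`. mgmtEstablishConn starts and ends outside the hunk.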