[TD-424] add audit user

0cd99ea7 · Tao Liu · 44e4b59e · 0cd99ea7 · 0cd99ea7 · 0cd99ea7
7 changed file
--- a/src/client/src/tscSQLParser.c
+++ b/src/client/src/tscSQLParser.c
@@ -442,6 +442,8 @@ int32_t tscToSQLCmd(SSqlObj* pSql, struct SSqlInfo* pInfo) {
            pCmd->count = 2;
          } else if (strncasecmp(pPrivilege->z, "write", 5) == 0 && pPrivilege->n == 5) {
            pCmd->count = 3;
+          } else if (strncasecmp(pPrivilege->z, "audit", 5) == 0 && pPrivilege->n == 5) {
+            pCmd->count = 4;
          } else {
            return invalidSqlErrMsg(tscGetErrorMsgPayload(pCmd), msg5);
          }

--- a/src/inc/taoserror.h
+++ b/src/inc/taoserror.h
@@ -140,8 +140,9 @@ extern "C" {
 #define TSDB_CODE_QUERY_CACHE_ERASED         119
 #define TSDB_CODE_AUTH_BANNED_PERIOD         120
 #define TSDB_CODE_IP_WHITELIST_FILTERED      121
+#define TSDB_CODE_NOT_AUDIT_USER             122
-#define TSDB_CODE_MAX_ERROR_CODE             122
+#define TSDB_CODE_MAX_ERROR_CODE             123
 #ifdef __cplusplus
 }

--- a/src/modules/monitor/src/monitorSystem.c
+++ b/src/modules/monitor/src/monitorSystem.c
@@ -28,6 +28,7 @@
 #define SQL_LENGTH     1024
 #define LOG_LEN_STR    80
+#define LOG_RESULT_LEN 10
 #define IP_LEN_STR     15
 #define CHECK_INTERVAL 1000
@@ -39,6 +40,8 @@ typedef enum {
  MONITOR_CMD_CREATE_TB_DN,
  MONITOR_CMD_CREATE_TB_ACCT_ROOT,
  MONITOR_CMD_CREATE_TB_SLOWQUERY,
+  MONITOR_CMD_CREATE_DB_AUDIT,
+  MONITOR_CMD_CREATE_TB_AUDIT,
  MONITOR_CMD_MAX
 } MonitorCommand;
@@ -194,9 +197,18 @@ void dnodeBuildMonitorSql(char *sql, int cmd) {
             "create table if not exists %s.log(ts timestamp, level tinyint, "
             "content binary(%d), ipaddr binary(%d))",
             tsMonitorDbName, LOG_LEN_STR, IP_LEN_STR);
+  } else if (cmd == MONITOR_CMD_CREATE_DB_AUDIT) {
+    char * auditDBname = "audit";
+    snprintf(sql, SQL_LENGTH,
+             "create database if not exists %s replica 1 days 10 keep 3650 rows 1024 cache 2048",
+            auditDBname);    
+  } else if (cmd == MONITOR_CMD_CREATE_TB_AUDIT) {
+    snprintf(sql, SQL_LENGTH,
+             "create table if not exists audit.audit(ts timestamp, level tinyint, "
+             "dbuser binary(%d), result binary(%d), ipaddr binary(%d), content binary(%d))",
+             TSDB_USER_LEN, LOG_RESULT_LEN, IP_LEN_STR, LOG_LEN_STR);    
  }
-  sql[SQL_LENGTH] = 0;
 }
 void monitorInitDatabase() {

--- a/src/rpc/src/tstring.c
+++ b/src/rpc/src/tstring.c
@@ -246,4 +246,5 @@ char *tsError[] = {"success",
                   "client query cache erased",     // 119
                   "too many authentication failed, try 10 minutes later",   //120                   
                   "ip not in white list , connection denied",   //121
+                   "not audit user, can not access audit database" //122
 };
--- a/src/system/detail/inc/mgmt.h
+++ b/src/system/detail/inc/mgmt.h
@@ -174,6 +174,7 @@ typedef struct _user_obj {
  int64_t           createdTime;
  char              superAuth : 1;
  char              writeAuth : 1;
+  char              auditAuth : 1;
  char              reserved[16];
  char              updateEnd[1];
  struct _user_obj *prev, *next;
@@ -223,9 +224,10 @@ typedef struct _connObj {
  uint64_t         stime;               // login time
  char             superAuth : 1;       // super user flag
  char             writeAuth : 1;       // write flag
+  char             auditAuth : 1;
  char             killConnection : 1;  // kill the connection flag
  uint8_t          usePublicIp : 1;     // if the connection request is publicIp
-  uint8_t          reserved : 4;
+  uint8_t          reserved : 3;
  uint32_t         queryId;             // query ID to be killed
  uint32_t         streamId;            // stream ID to be killed
  uint32_t         ip;                  // shell IP

--- a/src/system/detail/src/mgmtShell.c
+++ b/src/system/detail/src/mgmtShell.c
@@ -199,6 +199,26 @@ int mgmtProcessMeterMetaMsg(char *pMsg, int msgLen, SConnObj *pConn) {
    goto _exit_code;
  }
+  char db[TSDB_DB_NAME_LEN + 1] = {0};
+  extractDBName(pInfo->meterId, db);
+  if(strncasecmp(db,"audit",5) == 0 && pConn->pUser->auditAuth == 0 && pConn->pUser->superAuth == 0) {
+    if ((pStart = mgmtAllocMsg(pConn, size, &pMsg, &pRsp)) == NULL) {
+      taosSendSimpleRsp(pConn->thandle, TSDB_MSG_TYPE_METERINFO_RSP, TSDB_CODE_SERV_OUT_OF_MEMORY);
+	    return 0;
+    }
+    pRsp->code = TSDB_CODE_NOT_AUDIT_USER;
+    pMsg++;
+    goto _exit_code;
+  }
+  if(strncasecmp(db,"audit",5) != 0 && pConn->pUser->auditAuth != 0 && pConn->pUser->writeAuth ==0 ){
+    if ((pStart = mgmtAllocMsg(pConn, size, &pMsg, &pRsp)) == NULL) {
+      taosSendSimpleRsp(pConn->thandle, TSDB_MSG_TYPE_METERINFO_RSP, TSDB_CODE_SERV_OUT_OF_MEMORY);
+	    return 0;
+    }
+    pRsp->code = TSDB_CODE_NO_READ_ACCESS;
+    pMsg++;
+    goto _exit_code;
+  }
  pMeterObj = mgmtGetMeter(pInfo->meterId);
  // on demand create table from super table if meter does not exists
@@ -766,12 +786,19 @@ int mgmtProcessAlterUserMsg(char *pMsg, int msgLen, SConnObj *pConn) {
      if (pAlter->privilege == 2) {  // read
        pUser->superAuth = 0;
        pUser->writeAuth = 0;
+        pUser->auditAuth = 0;
      }
      if (pAlter->privilege == 3) {  // write
        pUser->superAuth = 0;
        pUser->writeAuth = 1;
+        pUser->auditAuth = 0;
      }
+      if (pAlter->privilege == 4) {  // audit
+        pUser->superAuth = 0;
+        pUser->writeAuth = 0;
+        pUser->auditAuth = 1;
+      }
+      printf("user right: s %d, w %d, a %d \r\n ",pUser->superAuth,pUser->writeAuth, pUser->auditAuth);
      code = mgmtUpdateUser(pUser);
      mLPrint("user:%s privilege is altered by %s, code:%d", pAlter->user, pConn->pUser->user, code);
    } else {
@@ -1244,11 +1271,14 @@ void mgmtEstablishConn(SConnObj *pConn) {
  if (strcmp(pConn->pUser->user, "root") == 0) {
    pConn->superAuth = 1;
    pConn->writeAuth = 1;
+    pConn->auditAuth = 1;
  } else {
    pConn->superAuth = pConn->pUser->superAuth;
    pConn->writeAuth = pConn->pUser->writeAuth;
+    pConn->auditAuth = pConn->pUser->auditAuth;
    if (pConn->superAuth) {
      pConn->writeAuth = 1;
+      pConn->auditAuth = 1;
    }
  }

--- a/src/system/detail/src/mgmtUser.c
+++ b/src/system/detail/src/mgmtUser.c
@@ -128,8 +128,10 @@ int mgmtCreateUser(SAcctObj *pAcct, char *name, char *pass) {
  pUser->createdTime = taosGetTimestampMs();
  pUser->superAuth = 0;
  pUser->writeAuth = 1;
+  pUser->auditAuth = 0;
  if (strcmp(pUser->user, "root") == 0 || strcmp(pUser->user, pUser->acct) == 0) {
    pUser->superAuth = 1;
+    pUser->auditAuth = 1;
  }
  code = TSDB_CODE_SUCCESS;
@@ -227,6 +229,8 @@ int mgmtRetrieveUsers(SShowObj *pShow, char *data, int rows, SConnObj *pConn) {
      strcpy(pWrite, "super");
    } else if (pUser->writeAuth) {
      strcpy(pWrite, "write");
+    } else if (pUser->auditAuth) {
+      strcpy(pWrite, "audit");
    } else {
      strcpy(pWrite, "read");
    }