提交 e55c1cfb 编写于 作者: B bx0 提交者: LINGuanRen

Shield sensitive information in sql_audit.

上级 c4933ab1
......@@ -118,7 +118,7 @@ void ObMySQLRequestManager::destroy()
*11.tenant_name varchar
*/
int ObMySQLRequestManager::record_request(const ObAuditRecordData& audit_record)
int ObMySQLRequestManager::record_request(const ObAuditRecordData& audit_record, bool is_sensitive)
{
int ret = OB_SUCCESS;
if (!inited_) {
......@@ -199,7 +199,7 @@ int ObMySQLRequestManager::record_request(const ObAuditRecordData& audit_record)
}
// push into queue
if (OB_SUCC(ret)) {
if (OB_SUCC(ret) && !is_sensitive) {
int64_t req_id = 0;
if (OB_FAIL(queue_.push(record, req_id))) {
if (REACH_TIME_INTERVAL(2 * 1000 * 1000)) {
......
......@@ -103,7 +103,7 @@ public:
return request_id_;
}
int record_request(const ObAuditRecordData& audit_record);
int record_request(const ObAuditRecordData& audit_record, bool is_sensitive = false);
int64_t get_start_idx() const
{
......
......@@ -525,7 +525,7 @@ int ObSql::fill_result_set(const ObPsStmtId stmt_id, const ObPsStmtInfo& stmt_in
}
int ObSql::do_add_ps_cache(const ObString& sql, int64_t param_cnt, ObSchemaGetterGuard& schema_guard,
stmt::StmtType stmt_type, ObResultSet& result, bool is_inner_sql)
stmt::StmtType stmt_type, ObResultSet& result, bool is_inner_sql, bool is_sensitive_sql)
{
int ret = OB_SUCCESS;
ObSQLSessionInfo& session = result.get_session();
......@@ -549,6 +549,9 @@ int ObSql::do_add_ps_cache(const ObString& sql, int64_t param_cnt, ObSchemaGette
ret = OB_ERR_UNEXPECTED;
LOG_WARN("stmt_item or stmt_info is NULL", K(ret), KP(ps_stmt_item), KP(ref_stmt_info));
}
if (NULL != ref_stmt_info) {
ref_stmt_info->set_is_sensitive_sql(is_sensitive_sql);
}
// add session info
if (OB_SUCC(ret)) {
ObPsStmtId inner_stmt_id = ps_stmt_item->get_ps_stmt_id();
......@@ -643,7 +646,8 @@ int ObSql::do_real_prepare(const ObString& sql, ObSqlCtx& context, ObResultSet&
LOG_INFO("generate new stmt", K(param_cnt), K(stmt_type), K(normalized_sql), K(sql));
}
if (OB_SUCC(ret)) {
if (OB_FAIL(do_add_ps_cache(normalized_sql, param_cnt, *context.schema_guard_, stmt_type, result, is_inner_sql))) {
if (OB_FAIL(do_add_ps_cache(normalized_sql, param_cnt, *context.schema_guard_, stmt_type,
result, is_inner_sql, context.is_sensitive_))) {
LOG_WARN("add to ps plan cache failed", K(ret));
}
}
......@@ -744,6 +748,8 @@ int ObSql::handle_ps_prepare(const ObString& stmt, ObSqlCtx& context, ObResultSe
if (OB_FAIL(do_real_prepare(stmt, context, result, is_inner_sql))) {
LOG_WARN("do_real_prepare failed", K(ret));
}
} else if (OB_SUCC(ret) && NULL != stmt_info) {
context.is_sensitive_ = stmt_info->get_is_sensitive_sql();
}
if (OB_SUCC(ret)) {
if (false == need_do_real_prepare) {
......@@ -1395,6 +1401,23 @@ int ObSql::generate_stmt(ParseResult& parse_result, ObPlanCacheCtx* pc_ctx, ObSq
NG_TRACE(resolve_begin);
ret = resolver.resolve(ObResolver::IS_NOT_PREPARED_STMT, *parse_result.result_tree_->children_[0], stmt);
ObItemType resolve_type = parse_result.result_tree_->children_[0]->type_;
switch (resolve_type) {
case T_CREATE_USER:
case T_SET_PASSWORD:
case T_GRANT:
case T_CREATE_ROLE:
case T_ALTER_ROLE:
case T_SET_ROLE_PASSWORD:
case T_SYSTEM_GRANT:
case T_GRANT_ROLE: {
context.is_sensitive_ = true;
break;
}
default: {
break;
}
}
// set const param constraint after resolving
context.all_plan_const_param_constraints_ = &(resolver_ctx.query_ctx_->all_plan_const_param_constraints_);
context.all_possible_const_param_constraints_ = &(resolver_ctx.query_ctx_->all_possible_const_param_constraints_);
......
......@@ -209,7 +209,7 @@ private:
int do_real_prepare(const ObString& stmt, ObSqlCtx& context, ObResultSet& result, bool is_inner_sql);
int do_add_ps_cache(const ObString& sql, int64_t param_cnt, share::schema::ObSchemaGetterGuard& schema_guard,
stmt::StmtType stmt_type, ObResultSet& result, bool is_inner_sql);
stmt::StmtType stmt_type, ObResultSet& result, bool is_inner_sql, bool is_sensitive_sql);
int fill_result_set(ObResultSet& result, ObSqlCtx* context, const bool is_ps_mode, ObStmt& stmt);
......
......@@ -243,7 +243,8 @@ ObSqlCtx::ObSqlCtx()
is_ddl_from_primary_(false),
cur_stmt_(NULL),
can_reroute_sql_(false),
reroute_info_()
reroute_info_(),
is_sensitive_(false)
{
sql_id_[0] = '\0';
sql_id_[common::OB_MAX_SQL_ID_LENGTH] = '\0';
......@@ -287,6 +288,7 @@ void ObSqlCtx::reset()
is_ddl_from_primary_ = false;
can_reroute_sql_ = false;
reroute_info_.reset();
is_sensitive_ = false;
clear();
}
......
......@@ -391,6 +391,8 @@ public:
bool can_reroute_sql_;
share::ObFeedbackRerouteInfo reroute_info_;
bool is_sensitive_; // Whether it contains sensitive information.
// If so, it will not be recorded in sql audit.
common::ObFixedArray<int64_t, common::ObIAllocator> multi_stmt_rowkey_pos_;
};
......
......@@ -3848,7 +3848,9 @@ int ObSQLUtils::handle_audit_record(
} else {
ObAuditRecordData audit_record = session.get_final_audit_record(exec_mode);
audit_record.sched_info_ = exec_ctx.get_sched_info();
if (OB_FAIL(req_manager->record_request(audit_record))) {
bool is_sensitive = (NULL != exec_ctx.get_sql_ctx()) ?
exec_ctx.get_sql_ctx()->is_sensitive_ : true;
if (OB_FAIL(req_manager->record_request(audit_record, is_sensitive))) {
if (OB_SIZE_OVERFLOW == ret || OB_ALLOCATE_MEMORY_FAILED == ret) {
LOG_DEBUG("cannot allocate mem for record", K(ret));
ret = OB_SUCCESS;
......
......@@ -266,7 +266,8 @@ ObPsStmtInfo::ObPsStmtInfo(ObIAllocator* inner_allocator)
ps_item_(NULL),
is_expired_evicted_(false),
allocator_(inner_allocator),
external_allocator_(NULL)
external_allocator_(NULL),
is_sensitive_sql_(false)
{}
......@@ -289,7 +290,8 @@ ObPsStmtInfo::ObPsStmtInfo(ObIAllocator* inner_allocator, ObIAllocator* external
is_expired_(false),
is_expired_evicted_(false),
allocator_(inner_allocator),
external_allocator_(external_allocator)
external_allocator_(external_allocator),
is_sensitive_sql_(false)
{}
bool ObPsStmtInfo::is_valid() const
......@@ -308,6 +310,7 @@ int ObPsStmtInfo::deep_copy(const ObPsStmtInfo& other)
ps_stmt_checksum_ = other.ps_stmt_checksum_;
db_id_ = other.db_id_;
question_mark_count_ = other.question_mark_count_;
is_sensitive_sql_ = other.is_sensitive_sql_;
can_direct_use_param_ = other.can_direct_use_param();
has_complex_argument_ = other.has_complex_argument();
item_and_info_size_ = other.item_and_info_size_;
......
......@@ -242,6 +242,14 @@ public:
{
return ps_stmt_checksum_;
}
inline void set_is_sensitive_sql(const bool is_sensitive_sql)
{
is_sensitive_sql_ = is_sensitive_sql;
}
inline bool get_is_sensitive_sql() const
{
return is_sensitive_sql_;
}
bool is_valid() const;
bool check_erase_inc_ref_count();
......@@ -354,6 +362,8 @@ private:
common::ObIAllocator* allocator_;
// Point to inner_allocator_ in ObPsPlancache, used to release the memory of the entire ObPsStmtItem
common::ObIAllocator* external_allocator_;
// Whether it contains sensitive information. If so, it will not be recorded in sql audit.
bool is_sensitive_sql_;
};
struct TypeInfo {
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册