From e55c1cfb1bfeb09d711b532d2337d0cb3cc8abec Mon Sep 17 00:00:00 2001
From: bx0 <bx0@oceanbase.com>
Date: Tue, 2 Nov 2021 14:14:13 +0800
Subject: [PATCH] Shield sensitive information in sql_audit.

---
 .../mysql/ob_mysql_request_manager.cpp        |  4 +--
 src/observer/mysql/ob_mysql_request_manager.h |  2 +-
 src/sql/ob_sql.cpp                            | 27 +++++++++++++++++--
 src/sql/ob_sql.h                              |  2 +-
 src/sql/ob_sql_context.cpp                    |  4 ++-
 src/sql/ob_sql_context.h                      |  2 ++
 src/sql/ob_sql_utils.cpp                      |  4 ++-
 src/sql/plan_cache/ob_prepare_stmt_struct.cpp |  7 +++--
 src/sql/plan_cache/ob_prepare_stmt_struct.h   | 10 +++++++
 9 files changed, 52 insertions(+), 10 deletions(-)

diff --git a/src/observer/mysql/ob_mysql_request_manager.cpp b/src/observer/mysql/ob_mysql_request_manager.cpp
index 610a89cc5d..9e42521d54 100644
--- a/src/observer/mysql/ob_mysql_request_manager.cpp
+++ b/src/observer/mysql/ob_mysql_request_manager.cpp
@@ -118,7 +118,7 @@ void ObMySQLRequestManager::destroy()
  *11.tenant_name           varchar
  */
 
-int ObMySQLRequestManager::record_request(const ObAuditRecordData& audit_record)
+int ObMySQLRequestManager::record_request(const ObAuditRecordData& audit_record, bool is_sensitive)
 {
   int ret = OB_SUCCESS;
   if (!inited_) {
@@ -199,7 +199,7 @@ int ObMySQLRequestManager::record_request(const ObAuditRecordData& audit_record)
       }
 
       // push into queue
-      if (OB_SUCC(ret)) {
+      if (OB_SUCC(ret) && !is_sensitive) {
         int64_t req_id = 0;
         if (OB_FAIL(queue_.push(record, req_id))) {
           if (REACH_TIME_INTERVAL(2 * 1000 * 1000)) {
diff --git a/src/observer/mysql/ob_mysql_request_manager.h b/src/observer/mysql/ob_mysql_request_manager.h
index 29a88d7ddd..7fd29fa096 100644
--- a/src/observer/mysql/ob_mysql_request_manager.h
+++ b/src/observer/mysql/ob_mysql_request_manager.h
@@ -103,7 +103,7 @@ public:
     return request_id_;
   }
 
-  int record_request(const ObAuditRecordData& audit_record);
+  int record_request(const ObAuditRecordData& audit_record, bool is_sensitive = false);
 
   int64_t get_start_idx() const
   {
diff --git a/src/sql/ob_sql.cpp b/src/sql/ob_sql.cpp
index fbe2761a18..1a30a4129c 100644
--- a/src/sql/ob_sql.cpp
+++ b/src/sql/ob_sql.cpp
@@ -525,7 +525,7 @@ int ObSql::fill_result_set(const ObPsStmtId stmt_id, const ObPsStmtInfo& stmt_in
 }
 
 int ObSql::do_add_ps_cache(const ObString& sql, int64_t param_cnt, ObSchemaGetterGuard& schema_guard,
-    stmt::StmtType stmt_type, ObResultSet& result, bool is_inner_sql)
+    stmt::StmtType stmt_type, ObResultSet& result, bool is_inner_sql, bool is_sensitive_sql)
 {
   int ret = OB_SUCCESS;
   ObSQLSessionInfo& session = result.get_session();
@@ -549,6 +549,9 @@ int ObSql::do_add_ps_cache(const ObString& sql, int64_t param_cnt, ObSchemaGette
       ret = OB_ERR_UNEXPECTED;
       LOG_WARN("stmt_item or stmt_info is NULL", K(ret), KP(ps_stmt_item), KP(ref_stmt_info));
     }
+    if (NULL != ref_stmt_info) {
+      ref_stmt_info->set_is_sensitive_sql(is_sensitive_sql);
+    }
     // add session info
     if (OB_SUCC(ret)) {
       ObPsStmtId inner_stmt_id = ps_stmt_item->get_ps_stmt_id();
@@ -643,7 +646,8 @@ int ObSql::do_real_prepare(const ObString& sql, ObSqlCtx& context, ObResultSet&
     LOG_INFO("generate new stmt", K(param_cnt), K(stmt_type), K(normalized_sql), K(sql));
   }
   if (OB_SUCC(ret)) {
-    if (OB_FAIL(do_add_ps_cache(normalized_sql, param_cnt, *context.schema_guard_, stmt_type, result, is_inner_sql))) {
+    if (OB_FAIL(do_add_ps_cache(normalized_sql, param_cnt, *context.schema_guard_, stmt_type,
+                  result, is_inner_sql, context.is_sensitive_))) {
       LOG_WARN("add to ps plan cache failed", K(ret));
     }
   }
@@ -744,6 +748,8 @@ int ObSql::handle_ps_prepare(const ObString& stmt, ObSqlCtx& context, ObResultSe
         if (OB_FAIL(do_real_prepare(stmt, context, result, is_inner_sql))) {
           LOG_WARN("do_real_prepare failed", K(ret));
         }
+      } else if (OB_SUCC(ret) && NULL != stmt_info) {
+        context.is_sensitive_ = stmt_info->get_is_sensitive_sql();
       }
       if (OB_SUCC(ret)) {
         if (false == need_do_real_prepare) {
@@ -1395,6 +1401,23 @@ int ObSql::generate_stmt(ParseResult& parse_result, ObPlanCacheCtx* pc_ctx, ObSq
     NG_TRACE(resolve_begin);
 
     ret = resolver.resolve(ObResolver::IS_NOT_PREPARED_STMT, *parse_result.result_tree_->children_[0], stmt);
+    ObItemType resolve_type = parse_result.result_tree_->children_[0]->type_;
+    switch (resolve_type) {
+      case T_CREATE_USER:
+      case T_SET_PASSWORD:
+      case T_GRANT:
+      case T_CREATE_ROLE:
+      case T_ALTER_ROLE:
+      case T_SET_ROLE_PASSWORD:
+      case T_SYSTEM_GRANT:
+      case T_GRANT_ROLE: {
+        context.is_sensitive_ = true;
+        break;
+      }
+      default: {
+        break;
+      }
+    }
     // set const param constraint after resolving
     context.all_plan_const_param_constraints_ = &(resolver_ctx.query_ctx_->all_plan_const_param_constraints_);
     context.all_possible_const_param_constraints_ = &(resolver_ctx.query_ctx_->all_possible_const_param_constraints_);
diff --git a/src/sql/ob_sql.h b/src/sql/ob_sql.h
index 67da45fadd..904403c0e2 100644
--- a/src/sql/ob_sql.h
+++ b/src/sql/ob_sql.h
@@ -209,7 +209,7 @@ private:
   int do_real_prepare(const ObString& stmt, ObSqlCtx& context, ObResultSet& result, bool is_inner_sql);
 
   int do_add_ps_cache(const ObString& sql, int64_t param_cnt, share::schema::ObSchemaGetterGuard& schema_guard,
-      stmt::StmtType stmt_type, ObResultSet& result, bool is_inner_sql);
+      stmt::StmtType stmt_type, ObResultSet& result, bool is_inner_sql, bool is_sensitive_sql);
 
   int fill_result_set(ObResultSet& result, ObSqlCtx* context, const bool is_ps_mode, ObStmt& stmt);
 
diff --git a/src/sql/ob_sql_context.cpp b/src/sql/ob_sql_context.cpp
index 4ed18da990..52e4d140b9 100644
--- a/src/sql/ob_sql_context.cpp
+++ b/src/sql/ob_sql_context.cpp
@@ -243,7 +243,8 @@ ObSqlCtx::ObSqlCtx()
       is_ddl_from_primary_(false),
       cur_stmt_(NULL),
       can_reroute_sql_(false),
-      reroute_info_()
+      reroute_info_(),
+      is_sensitive_(false)
 {
   sql_id_[0] = '\0';
   sql_id_[common::OB_MAX_SQL_ID_LENGTH] = '\0';
@@ -287,6 +288,7 @@ void ObSqlCtx::reset()
   is_ddl_from_primary_ = false;
   can_reroute_sql_ = false;
   reroute_info_.reset();
+  is_sensitive_ = false;
   clear();
 }
 
diff --git a/src/sql/ob_sql_context.h b/src/sql/ob_sql_context.h
index 190fc01277..abe54f6d68 100644
--- a/src/sql/ob_sql_context.h
+++ b/src/sql/ob_sql_context.h
@@ -391,6 +391,8 @@ public:
 
   bool can_reroute_sql_;
   share::ObFeedbackRerouteInfo reroute_info_;
+  bool is_sensitive_;     // Whether it contains sensitive information.
+                          // If so, it will not be recorded in sql audit.
   common::ObFixedArray<int64_t, common::ObIAllocator> multi_stmt_rowkey_pos_;
 };
 
diff --git a/src/sql/ob_sql_utils.cpp b/src/sql/ob_sql_utils.cpp
index a27c1e37ae..639250ca10 100644
--- a/src/sql/ob_sql_utils.cpp
+++ b/src/sql/ob_sql_utils.cpp
@@ -3848,7 +3848,9 @@ int ObSQLUtils::handle_audit_record(
         } else {
           ObAuditRecordData audit_record = session.get_final_audit_record(exec_mode);
           audit_record.sched_info_ = exec_ctx.get_sched_info();
-          if (OB_FAIL(req_manager->record_request(audit_record))) {
+          bool is_sensitive = (NULL != exec_ctx.get_sql_ctx()) ?
+                              exec_ctx.get_sql_ctx()->is_sensitive_ : true;
+          if (OB_FAIL(req_manager->record_request(audit_record, is_sensitive))) {
             if (OB_SIZE_OVERFLOW == ret || OB_ALLOCATE_MEMORY_FAILED == ret) {
               LOG_DEBUG("cannot allocate mem for record", K(ret));
               ret = OB_SUCCESS;
diff --git a/src/sql/plan_cache/ob_prepare_stmt_struct.cpp b/src/sql/plan_cache/ob_prepare_stmt_struct.cpp
index 6ce347d703..bf878edbd2 100644
--- a/src/sql/plan_cache/ob_prepare_stmt_struct.cpp
+++ b/src/sql/plan_cache/ob_prepare_stmt_struct.cpp
@@ -266,7 +266,8 @@ ObPsStmtInfo::ObPsStmtInfo(ObIAllocator* inner_allocator)
       ps_item_(NULL),
       is_expired_evicted_(false), 
       allocator_(inner_allocator),
-      external_allocator_(NULL)
+      external_allocator_(NULL),
+      is_sensitive_sql_(false)
 
 {}
 
@@ -289,7 +290,8 @@ ObPsStmtInfo::ObPsStmtInfo(ObIAllocator* inner_allocator, ObIAllocator* external
       is_expired_(false),
       is_expired_evicted_(false), 
       allocator_(inner_allocator),
-      external_allocator_(external_allocator)
+      external_allocator_(external_allocator),
+      is_sensitive_sql_(false)
 {}
 
 bool ObPsStmtInfo::is_valid() const
@@ -308,6 +310,7 @@ int ObPsStmtInfo::deep_copy(const ObPsStmtInfo& other)
     ps_stmt_checksum_ = other.ps_stmt_checksum_;
     db_id_ = other.db_id_;
     question_mark_count_ = other.question_mark_count_;
+    is_sensitive_sql_ = other.is_sensitive_sql_;
     can_direct_use_param_ = other.can_direct_use_param();
     has_complex_argument_ = other.has_complex_argument();
     item_and_info_size_ = other.item_and_info_size_;
diff --git a/src/sql/plan_cache/ob_prepare_stmt_struct.h b/src/sql/plan_cache/ob_prepare_stmt_struct.h
index 2d2386d7aa..68e3ff630a 100644
--- a/src/sql/plan_cache/ob_prepare_stmt_struct.h
+++ b/src/sql/plan_cache/ob_prepare_stmt_struct.h
@@ -242,6 +242,14 @@ public:
   {
     return ps_stmt_checksum_;
   }
+  inline void set_is_sensitive_sql(const bool is_sensitive_sql)
+  {
+    is_sensitive_sql_ = is_sensitive_sql;
+  }
+  inline bool get_is_sensitive_sql() const
+  {
+    return is_sensitive_sql_;
+  }
 
   bool is_valid() const;
   bool check_erase_inc_ref_count();
@@ -354,6 +362,8 @@ private:
   common::ObIAllocator* allocator_;
   // Point to inner_allocator_ in ObPsPlancache, used to release the memory of the entire ObPsStmtItem
   common::ObIAllocator* external_allocator_;
+  // Whether it contains sensitive information. If so, it will not be recorded in sql audit.
+  bool is_sensitive_sql_;
 };
 
 struct TypeInfo {
-- 
GitLab