WL#5571: Audit interface: MYSQL_AUDIT_GENERAL_STATUS event
Affects: Server-5.5 — Status: Complete — Priority: Low
This worklog aims to address two deficiencies in audit interface: 1. Currently there is no way to audit client connections when general log is off. There is no good excuse for this requirement. But there is at least one good reason not to have this requirement: performance. 2. If an error occurs during query execution, MYSQL_AUDIT_GENERAL_ERROR is triggered before transmitting errors. If no error occurred, MYSQL_AUDIT_GENERAL_RESULT event is triggered after transmitting a result set. This is rather inconsistent - there is no way to reliably determine when query processing has actually finished. MYSQL_AUDIT_GENERAL_LOG solves this deficiency, but it requires general log on.
We will add new event within general class: MYSQL_AUDIT_GENERAL_STATUS. Comparing to MYSQL_AUDIT_GENERAL_LOG it will be triggered independently of general log state. Comparing to MYSQL_AUDIT_GENERAL_RESULT it will be triggered independently of diagnostics area state. mysql_event_general::general_command shall always store proper command name as defined in command_name array (see sql_parse.cc). Not error string as with MYSQL_AUDIT_GENERAL_ERROR, not NULL as with MYSQL_AUDIT_GENERAL_RESULT. mysql_event_general::general_error_code shall always store command execution status. 0 - success, non-0 - error code. We will add new audit class for auditing connections: MYSQL_AUDIT_CONNECTION_CLASS. It'll consist of 3 events: MYSQL_AUDIT_CONNECTION_CONNECT, MYSQL_AUDIT_CONNECTION_DISCONNECT, MYSQL_AUDIT_CONNECTION_CHANGE_USER. MYSQL_AUDIT_CONNECTION_CONNECT handler arguments are: event class, event subclass, authentication status, authenticated user name, authorized user name, external user, proxy user, originating host, database name, connection id. MYSQL_AUDIT_CONNECTION_CONNECT is to be triggered after authentication phase is completed. MYSQL_AUDIT_CONNECTION_CHANGE_USER handler arguments are: event class, event subclass, authentication status, authenticated user name, authorized user name, external user, proxy user, originating host, database name, connection id. MYSQL_AUDIT_CONNECTION_CHANGE_USER is to be triggered after COM_CHANGE_USER RPC is completed. MYSQL_AUDIT_CONNECTION_DISCONNECT handler arguments are: event class, event subclass, connection id. MYSQL_AUDIT_CONNECTION_DISCONNECT is to be triggered after connection is terminated.
Copyright (c) 2000, 2017, Oracle Corporation and/or its affiliates. All rights reserved.