List: Internals
From: Sergei Golubchik
Date: March 25 2009 6:30pm
Subject: Re: GSOC - WL#2878: Simple data auditing

Hi, Don!

On Mar 25, Don Pinto wrote:
> Hi Sergei,
> 
> Thanks for your pointer. Since we have some auditing policy
> infrastructure in place, I think it is a good head start for this
> project. I also have a question about the high level design of 2878.
> 
> Looking at the worklog of WL#3771 - high level design notes in forge I
> see the following possible event types :
> 
> * Connection class: connect, login, logout, disconnect, etc.
> * Alter Privilege class: GRANT, REVOKE etc.
> * General Query class

This is, indeed, only design notes. Check the code to see what was
actually implemented (unfortunately, this WL is still in the
"In-Documentation" status, that is, it's completed code-wise, but not
documented).
 
> Would it be better to provide further granularity of the auditing?
> Seems like the General query class is still very coarse grained and
> definitely a lot of workload queries will fall in this category. Is it
> OK to suggest breaking down the general query class into further
> sub-classes such as: database auditing (i.e. auditing for the entire
> database), user based auditing (i.e. auditing policy applicable to
> particular user), table based auditing (i.e. auditing policy applicable
> to particular table object)?

1. You certainly can suggest any refinement of the above auditing plugin
   scheme that you need. But

2. The idea was to provide a simple, but powerful API. For example, there
   is no special "security violation" class, but there is an "error" class.
   If you want to audit all security violations, you simply hook on
   "error" and ignore all audit events where error number is not one of
   ER_ACCESS_DENIED_ERROR, ER_DBACCESS_DENIED_ERROR, etc.

   On the other hand, although one can parse sql query text in the
   "general query" class, we certainly don't want to require plugins to
   do the parsing. In this case creating more detailed classes or
   providing more information in the "general query" class is justified.

But anyway, if there's something that your auditing plugin needs and the
server doesn't provide - don't hesitate to tell us about it ;)
 
Regards / Mit vielen Grüßen,
Sergei

-- 
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <serg@stripped>
 / /|_/ / // /\ \/ /_/ / /__  Principal Software Engineer/Server Architect
/_/  /_/\_, /___/\___\_\___/  Sun Microsystems GmbH, HRB München 161028
       <___/                  Sonnenallee 1, 85551 Kirchheim-Heimstetten
Managing Directors: Thomas Schroeder, Wolfgang Engels, Dr. Roland Boemer
Chairman of the Supervisory Board: Martin Häring
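
The filtering approach from point 2 of the message above, as an added example that is not part of the original mail or of the MySQL source: a plugin hooks only the "error" class and ignores every event whose error number is not an access-denied code. The event structs, class bits and function names are hypothetical; the error numbers are the server's own values, with the table and column access-denied codes standing in for the mail's "etc.".

```c
#include <stdio.h>
#include <string.h>
/* MySQL server error numbers for denied access. */
enum { ER_DBACCESS_DENIED_ERROR = 1044, ER_ACCESS_DENIED_ERROR = 1045,
       ER_TABLEACCESS_DENIED_ERROR = 1142, ER_COLUMNACCESS_DENIED_ERROR = 1143 };
/* Hypothetical event classes, one bit each (not the server's real API). */
enum { AUDIT_CONNECTION = 1, AUDIT_GENERAL = 2, AUDIT_ERROR = 4 };

struct audit_event { unsigned event_class; int error_code; const char *user; };
struct violation_log { int seen, denied, last_code; char last_user[32]; };
struct audit_plugin {
    unsigned class_mask;   /* event classes this plugin hooks */
    void (*notify)(const struct audit_event *, struct violation_log *);
    struct violation_log *log;
};
static int is_security_violation(int code) {
    return code == ER_DBACCESS_DENIED_ERROR || code == ER_ACCESS_DENIED_ERROR ||
           code == ER_TABLEACCESS_DENIED_ERROR || code == ER_COLUMNACCESS_DENIED_ERROR;
}
/* Plugin side: receives every "error" event, records only access denials. */
static void violation_notify(const struct audit_event *ev, struct violation_log *log) {
    log->seen++;
    if (!is_security_violation(ev->error_code)) return;
    log->denied++;
    log->last_code = ev->error_code;
    snprintf(log->last_user, sizeof log->last_user, "%s", ev->user);
}
/* Server side: deliver an event only to a plugin subscribed to its class. */
static void audit_dispatch(const struct audit_plugin *p, const struct audit_event *ev) {
    if (p->class_mask & ev->event_class) p->notify(ev, p->log);
}
/* Feed constructed sample events through the plugin; return what it recorded. */
static struct violation_log run_sample(void) {
    static const struct audit_event events[] = {
        { AUDIT_GENERAL, 0, "app" },    { AUDIT_ERROR, 1064, "app" },    /* 1064: parse error */
        { AUDIT_ERROR, 1045, "guest" }, { AUDIT_CONNECTION, 0, "app" },
        { AUDIT_ERROR, 1146, "app" },   { AUDIT_ERROR, 1142, "report" }, /* 1146: no such table */
    };
    struct violation_log log = { 0, 0, 0, "" };
    struct audit_plugin plugin = { AUDIT_ERROR, violation_notify, &log };
    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++)
        audit_dispatch(&plugin, &events[i]);
    return log;
}

int main(void) {
    struct violation_log r = run_sample();
    printf("error events=%d denied=%d last=%d user=%s\n", r.seen, r.denied, r.last_code, r.last_user);
}
```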