sql: extend SQL audit logging to "operations run by admin users" #58334

Closed
knz opened this issue Dec 29, 2020 · 5 comments · Fixed by #60708
Labels
A-logging In and around the logging infrastructure. A-security C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)

Comments

knz commented Dec 29, 2020

Discussed with @aaron-crl and the CC SIAM team:

Once we start pushing users to define custom roles with restricted privileges to do various DBA tasks (principle of least privilege), we expect + want usage of the admin special (superuser) role to diminish.

In a state-of-the-art deployment, this should be so true that any uses of SQL by the admin role should become extremely rare and should be treated as suspicious by security-minded administrators.

Therefore, SQL usage by admin users should become more noticeable.

In the same way that Unix systems heavily log usage of sudo and su, we should thus build logging of operations performed by users carrying the admin role.

The way we'd introduce this is likely in two phases:

  1. In a first phase, we'd start de-emphasizing direct use of the admin role in docs, and add a new cluster setting e.g. security.admin_log.enable which, when enabled, causes all admin operations to be logged.

  2. In a second phase, create non-admin special users/roles in new clusters, encourage users to use that instead, and make the logging setting default to true in new clusters.

@knz knz added C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) A-security A-logging In and around the logging infrastructure. labels Dec 29, 2020

knz commented Dec 29, 2020

cc @thtruo for prioritization - can you remind us if this was part of our preferred customer's asks and whether this should be included in v21.1?

thtruo commented Jan 4, 2021

Yeah, this was a request from at least one of our customers. And FWIW the SRE team would find this useful as well. It sounds like your first phase proposal would go a long way in improving that experience. Getting this into v21.1 would be ideal.

vy-ton commented Jan 5, 2021

@solongordon Can we swap this for #57965 as @RichardJCai's starter project? @thtruo shared that this is needed for 21.1 over the other issue

knz commented Jan 5, 2021

Both are important. I would suggest to make Richard aware of both. I can chime in and support with an incidental effort to ensure both get completed.

knz commented Feb 9, 2021

NB: @ajwerner outlined a solution in my strawman approach at #59356. This presumably makes the implementation simple(r).
