Merge cockroachdb#107282

107282: sql: do not audit internal executors r=yuzefovich a=yuzefovich Previously, we were using `planner.isInternalPlanner` to check whether audit logging should be applied, but that field is not set for internal executors, and I believe IE should be excluded from audit too. Epic: None Release note: None Co-authored-by: Yahor Yuzefovich <[email protected]>
knz · Jul 21, 2023 · 73f51aa · 73f51aa
2 parents be21b3b + a3a6dc5
commit 73f51aa
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 7 deletions.
diff --git a/pkg/sql/audit_logging.go b/pkg/sql/audit_logging.go
@@ -39,9 +39,9 @@ func (p *planner) maybeAuditSensitiveTableAccessEvent(
 	)
 }
 
-func (p *planner) maybeAuditRoleBasedAuditEvent(ctx context.Context) {
+func (p *planner) maybeAuditRoleBasedAuditEvent(ctx context.Context, execType executorType) {
 	// Avoid doing audit work if not necessary.
-	if p.shouldNotRoleBasedAudit() {
+	if p.shouldNotRoleBasedAudit(execType) {
 		return
 	}
 
@@ -114,10 +114,16 @@ func (p *planner) initializeReducedAuditConfig(ctx context.Context) {
 	p.reducedAuditConfig.AuditSetting = p.AuditConfig().GetMatchingAuditSetting(userRoles, user)
 }
 
-// shouldNotRoleBasedAudit checks if we should do any auditing work for RoleBasedAuditEvents.
-func (p *planner) shouldNotRoleBasedAudit() bool {
+// shouldNotRoleBasedAudit checks if we should do any auditing work for
+// RoleBasedAuditEvents.
+func (p *planner) shouldNotRoleBasedAudit(execType executorType) bool {
 	// Do not do audit work if role-based auditing is not enabled.
-	// Do not emit audit events for reserved users/roles. This does not omit the root user.
+	// Do not emit audit events for reserved users/roles. This does not omit the
+	// root user.
 	// Do not emit audit events for internal planners.
-	return !auditlogging.UserAuditEnabled(p.execCfg.Settings, p.EvalContext().ClusterID) || p.User().IsReserved() || p.isInternalPlanner
+	// Do not emit audit events for internal executors.
+	return !auditlogging.UserAuditEnabled(p.execCfg.Settings, p.EvalContext().ClusterID) ||
+		p.User().IsReserved() ||
+		p.isInternalPlanner ||
+		execType == executorTypeInternal
 }
diff --git a/pkg/sql/exec_log.go b/pkg/sql/exec_log.go
@@ -131,7 +131,7 @@ func (p *planner) maybeLogStatement(
 	queryStats *topLevelQueryStats,
 	statsCollector sqlstats.StatsCollector,
 ) {
-	p.maybeAuditRoleBasedAuditEvent(ctx)
+	p.maybeAuditRoleBasedAuditEvent(ctx, execType)
 	p.maybeLogStatementInternal(ctx, execType, isCopy, numRetries, txnCounter,
 		rows, bulkJobId, err, queryReceived, hasAdminRoleCache,
 		telemetryLoggingMetrics, stmtFingerprintID, queryStats, statsCollector,