From a3a6dc5ae0fdb176925f9e988f578fbf3f7bfc7b Mon Sep 17 00:00:00 2001
From: Yahor Yuzefovich
Date: Thu, 20 Jul 2023 10:22:53 -0700
Subject: [PATCH] sql: do not audit internal executors

Previously, we were using `planner.isInternalPlanner` to check whether audit logging should be applied, but that field is not set for internal executors, and I believe IE should be excluded from audit too.

Epic: None

Release note: None
---
 pkg/sql/audit_logging.go | 18 ++++++++++++------
 pkg/sql/exec_log.go      |  2 +-
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/pkg/sql/audit_logging.go b/pkg/sql/audit_logging.go
index 527917d4de54..24669cc47bbd 100644
--- a/pkg/sql/audit_logging.go
+++ b/pkg/sql/audit_logging.go
@@ -39,9 +39,9 @@ func (p *planner) maybeAuditSensitiveTableAccessEvent(
 	)
 }
 
-func (p *planner) maybeAuditRoleBasedAuditEvent(ctx context.Context) {
+func (p *planner) maybeAuditRoleBasedAuditEvent(ctx context.Context, execType executorType) {
 	// Avoid doing audit work if not necessary.
-	if p.shouldNotRoleBasedAudit() {
+	if p.shouldNotRoleBasedAudit(execType) {
 		return
 	}
 
@@ -114,10 +114,16 @@ func (p *planner) initializeReducedAuditConfig(ctx context.Context) {
 	p.reducedAuditConfig.AuditSetting = p.AuditConfig().GetMatchingAuditSetting(userRoles, user)
 }
 
-// shouldNotRoleBasedAudit checks if we should do any auditing work for RoleBasedAuditEvents.
-func (p *planner) shouldNotRoleBasedAudit() bool {
+// shouldNotRoleBasedAudit checks if we should do any auditing work for
+// RoleBasedAuditEvents.
+func (p *planner) shouldNotRoleBasedAudit(execType executorType) bool {
 	// Do not do audit work if role-based auditing is not enabled.
-	// Do not emit audit events for reserved users/roles. This does not omit the root user.
+	// Do not emit audit events for reserved users/roles. This does not omit the
+	// root user.
 	// Do not emit audit events for internal planners.
-	return !auditlogging.UserAuditEnabled(p.execCfg.Settings, p.EvalContext().ClusterID) || p.User().IsReserved() || p.isInternalPlanner
+	// Do not emit audit events for internal executors.
+	return !auditlogging.UserAuditEnabled(p.execCfg.Settings, p.EvalContext().ClusterID) ||
+		p.User().IsReserved() ||
+		p.isInternalPlanner ||
+		execType == executorTypeInternal
 }
diff --git a/pkg/sql/exec_log.go b/pkg/sql/exec_log.go
index 5894aeea953b..efde5f8adba1 100644
--- a/pkg/sql/exec_log.go
+++ b/pkg/sql/exec_log.go
@@ -131,7 +131,7 @@ func (p *planner) maybeLogStatement(
 	queryStats *topLevelQueryStats,
 	statsCollector sqlstats.StatsCollector,
 ) {
-	p.maybeAuditRoleBasedAuditEvent(ctx)
+	p.maybeAuditRoleBasedAuditEvent(ctx, execType)
 	p.maybeLogStatementInternal(ctx, execType, isCopy, numRetries, txnCounter, rows, bulkJobId, err, queryReceived, hasAdminRoleCache, telemetryLoggingMetrics, stmtFingerprintID, queryStats, statsCollector,
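Review bot: The doc comment on `shouldNotRoleBasedAudit` in this hunk does not mention the new `execType` parameter or why an internal executor is exempt, so the widened audit exemption now rests on an unexplained argument; a line such as `// execType identifies the executor running the statement; statements issued by the internal executor are treated like internal planners and never produce a role-based audit event.` would make the contract explicit. The body comment `// Do not emit audit events for internal planners.` now sits above a check that combines two mechanisms, and since the commit message states `isInternalPlanner` is not set for internal executors, the new `execType == executorTypeInternal` disjunct is the one that actually excludes them — worth stating in the comment so it is not later removed as redundant with `p.isInternalPlanner`. Because this change enlarges the set of statements that leave no role-based audit record, a unit test asserting that `executorTypeInternal` is skipped while the non-internal executor type is still audited would pin the intent the commit message itself only hedges on ("I believe IE should be excluded").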