GBase 8a 的审计管理

最新推荐文章于 2024-07-11 21:41:59 发布

Linux有意思吗

最新推荐文章于 2024-07-11 21:41:59 发布

阅读量693

点赞数

分类专栏： GBASE 文章标签：数据库 database 南大通用 GBase 8a 数据仓库

本文链接：https://blog.csdn.net/weixin_34421618/article/details/123704861

版权

GBASE 专栏收录该内容

135 篇文章 6 订阅

订阅专栏

审计日志概述

审计日志用于记录用户的数据库操作，审计其行为，主要用于安全管理。审计日志将执行时间超过 long_query_time 值的 SQL 记录下来，方便用户针对这些执行效率低下的 SQL 语句进行分析、优化和改写，从而提高 SQL 语句的执行效率。

审计日志参数配置

操作场景
指导管理员开启或关闭审计日志。
操作方法
执行如下命令，开启审计日志。可以通过配置文件或 session 级控制。

SET GLOBAL audit_log = 1;

执行如下命令，设定审计日志存放在系统表中。

SET GLOBAL log_output = 'table';

执行如下命令，关闭审计日志。默认为关闭。

SET GLOBAL audit_log = 0;

设置审计策略

操作场景
审计策略用来控制审计日志记录的策略，可以设置审计日志只记录某些指定的操作或者某些固定用户的操作。本节将指导管理员创建、修改、删除审计策略。

操作方法

创建审计策略
创建审计策略的语法规则如下所示：

CREATE AUDIT POLICY <audit_policy_name> [(<audit_policy_item> =
<value>[,<audit_policy_item> = <value>])];

参数说明：

参数名称	描述
audit_policy_name	为审计策略的名称，不区分大小写，存储时小写保存，可包括大小写字符、数字和下划线，不包含特殊符号，审计名称的首字符必须是英文字符。
audit_policy_item	为审计策略项目，审计策略项目名称不区分大小写。

审计策略项目说明

项目名称	取值&含义
Enable	Y：启用，默认值
N：禁用
Hosts	“”：不限制，默认值
<host>：严格匹配 host，支持空格“ ”分隔的 host 列表， host 可使用“%” 和“_”做通配符
User	“”：不限制，默认值
<user>：严格匹配 user，区分大小写
Db	“”：不限制，默认值
<db>：严格匹配 db
Obj_type	“”：不限制，默认值
TABLE(VIEW)： Object 为表（视图）
PROCEDURE： Object 为存储过程
FUNCTION： Object 为函数
Object	“”：不限制，默认值
<object>：匹配 Obj_type 指定的 object
Sql_comman ds	“”：不限制，默认值
INSERT, DELETE, UPDATE, LOAD, CREATE_USER, CREATE_D B, CREATE_TABLE, CREATE_VIEW, CREATE_INDEX, CREATE_ PROCEDURE, CREATE_FUNCTION, RENAME_USER, ALTER_D B, ALTER_TABLE, ALTER_PROCEDURE, ALTER_FUNCTION, A LTER_EVENT, DROP_USER, DROP_DB, DROP_TABLE, DROP_V IEW, DROP_INDEX, DROP_PROCEDURE, DROP_FUNCTION, DR OP_EVENT, TRUNCATE, GRANT, REVOKE, SELECT， OTHERS：其中的一种或多种类型，多个类型间以逗号‘,’连接，且不添加空格
Long_query_ time	<secs>：最小查询秒数，可带 6 位小数，精确到微秒，默认值 0，取值范围为 0~31536000s
Status	“”：不限制，默认不限制。

SUCCESS：执行成功

FAILED：执行失败

修改审计策略

修改审计策略的语法规则如下所示：

ALTER AUDIT POLICY <audit_policy_name> SET [(]<audit_policy_item> =
<value>[,<audit_policy_item> = <value>][)];

参数名称	描述
audit_policy_name	为审计策略的名称，不区分大小写
audit_policy_item	为审计策略项目，取值内容与创建审计策略中描述相同。

删除审计策略

删除审计策略语法规则如下：

DROP AUDIT POLICY <audit_policy_name>;

存储审计日志

审计日志的信息存储在系统表 gbase.audit_log 或日志 gclusterd-audit.log 中，依赖于全局级变量 log_output 的配置； gbased-audit.log 日志若不配置默认存储在$GCLUSTER_BASE/log/gcluster/目录下。
使用约束
GBase 8a MPP Cluster 审计日志使用的约束条件：

审计日志用于记录所有的 SQL 操作。对于包含结果集行数的统计操作，只例如 SELECT、 DELETE、 INSERT、 UPDATE、 MERGE 和 ALTER；
清空 audit_log 时，需要使用 TRUNCATE SELF audit_log 语句。
查看 gclusterdb 下的 audit_log_express 可看到所有节点上发生的日志。

审计日志高可用

GBase 8a MPP Cluster 具有审计日志高可用机制，为实现审计日志的高可用机制，集群安装或升级时自动在 gclusterdb 库下创建 EXPRESS 引擎随机分布表audit_log_express，并自动创建定时导出事件，将 gbase 库中的 audit_log 表内容定时导出到 gclusterdb 库中的 audit_log_express 表。

在多 VC 版本下，内置自动导出 event 功能失效，需要用户手动删除后重新创建 event。

CREATE EVENT "import_audit_log"
ON SCHEDULE EVERY 60 MINUTE
STARTS '2017-12-01 00:00:00'
ON COMPLETION NOT PRESERVE
ENABLE
LOCAL
DO
begin
declare errno int;
declare msg text;
declare exit handler for sqlexception
begin
get diagnostics condition 1 errno = gbase_errno, msg = message_text;
create table if not exists import_audit_log_errors(
err_time datetime,
hostname varchar(64),
err_no int,
msg_txt varchar(1024)
) CHARSET=utf8mb4;
insert into import_audit_log_errors values (now(), @@hostname,
errno, substr(msg, 0, 1024));
end;
create table if not exists audit_log_express (
hostname varchar(64),
thread_id int,
taskid bigint,
start_time datetime,
uid bigint, user varchar(16),
host_ip varchar(32),
query_time time, rows bigint,
table_list varchar(4096),
sql_text varchar(8191),
sql_type varchar(16),
sql_command varchar(32),
operators varchar(256),
status varchar(16),
conn_type varchar(16)
) CHARSET=utf8mb4;
set self sql_mode = '';
create self table gbase.audit_log_bak2 like gbase.audit_log;
set self sql_mode = default;
rename self table gbase.audit_log to gbase.audit_log_bak1,
gbase.audit_log_bak2 to gbase.audit_log;
set _gbase_query_path = on;
insert into audit_log_express select
@@hostname as hostname,
thread_id,
taskid,
start_time,
uid,
user,
host_ip,
query_time,
rows,
substr(table_list, 0, 4096),
substr(sql_text, 0, 8191),
sql_type,
sql_command,
operators,
status,
conn_type
from gbase.audit_log_bak1;
drop self table gbase.audit_log_bak1;
end

使用示例

使用系统表查看审计日志。

$ gccli -uroot -p
Enter password:
GBase client 9.5.3.17.117651. Copyright (c) 2004-2020, GBase. All Rights
Reserved.
gbase> SET long_query_time = 0;
Query OK, 0 rows affected
gbase> SET GLOBAL audit_log = 1;
Query OK, 0 rows affected
gbase>CREATE AUDIT POLICY audit_policy_1 ( Enable = 'Y' );
Query OK, 0 rows affected
gbase> DROP USER tzt;
Query OK, 0 rows affected
gbase> SET GLOBAL log_output = 'table';
Query OK, 0 rows affected
gbase> DROP DATABASE test;
Query OK, 1 row affected
gbase> CREATE USER tzt identified by 'tzt';
Query OK, 0 rows affected
gbase> GRANT ALL ON *.* TO tzt@'%';
Query OK, 0 rows affected
gbase> CREATE DATABASE test;
Query OK, 1 row affected
gbase> USE test;
Query OK, 0 rows affected
gbase> CREATE TABLE t1(i int);
Query OK, 0 rows affected
gbase> INSERT INTO t1 VALUES (1),(2);
Query OK, 2 rows affected
gbase> SELECT start_time,user_host,query_time,rows,
-> LEFT(sql_text, 30), conn_type FROM gbase.audit_log;
+---------------------+----------------------------------+--------
---------+------+
| start_time | user_host | query_time | rows
| LEFT(sql_text, 30) | conn_type |
+---------------------+----------------------------------+-----------------+----
--+
| 2019-09-02 08:47:27 | root[root] @ [192.168.105.61] | 00:00:00.001129 | 0
| Connect | CAPI |
| 2019-09-02 08:47:27 | root[root] @ [192.168.105.61] | 00:00:00.013673 | 0
| set gcluster_lock_timeout=0,g | CAPI |
| 2019-09-02 08:47:27 | root[root] @ [192.168.105.61] | 00:00:00.000559 | 0
| set self log_output='table' | CAPI |
| 2019-09-02 08:47:27 | root[root] @ [192.168.105.61] | 00:00:00.000363 | 0
| SET NAMES utf8mb4 | CAPI |
| 2019-09-02 08:47:27 | root[root] @ [192.168.105.61] | 00:00:00.000325 | 0
| SET SELF GLOBAL log_output = | CAPI |
| 2019-09-02 08:47:27 | root[root] @ localhost [] | 00:00:00.032217 | 0
| SET GLOBAL log_output = 'table | CAPI |
| 2019-09-02 08:48:05 | root[root] @ localhost [] | 00:00:00.000530 | 9
| SELECT start_time,user_host,qu | CAPI |
| 2019-09-02 08:48:50 | root[root] @ localhost [] | 00:00:00.000977 | 10
| SELECT start_time,user_host,qu | CAPI |
| 2019-09-02 08:49:06 | [gbase] @ localhost [] | 00:00:00.000509 | 0
| Connect | CAPI |
| 2019-09-02 08:49:15 | [gbase] @ localhost [] | 00:00:00.000461 | 0
| Connect | CAPI |
| 2019-09-02 08:49:22 | gbase[gbase] @ localhost [] | 00:00:00.000556 | 0
| Connect | CAPI |
| 2019-09-02 08:49:27 | gbase[gbase] @ localhost [] | 00:00:00.010542 | 0
| use hb | CAPI |
| 2019-09-02 08:49:52 | gbase[gbase] @ localhost [] | 00:00:00.007598 | 0
| drop function if exists func_g | CAPI |
| 2019-09-02 08:50:05 | gbase[gbase] @ [192.168.105.61] | 00:00:00.000421 | 0
| Connect | CAPI |
| 2019-09-02 08:50:05 | gbase[gbase] @ [192.168.105.61] | 00:00:00.013944 | 0
| set gcluster_lock_timeout=0,g | CAPI |
| 2019-09-02 08:50:06 | gbase[gbase] @ [192.168.105.61] | 00:00:00.000858 | 0
| SET character_set_results = ut | CAPI |
| 2019-09-02 08:50:06 | gbase[gbase] @ [192.168.105.61] | 00:00:00.000098 | 0
| Init DB | CAPI |
| 2019-09-02 08:50:06 | gbase[gbase] @ [192.168.105.61] | 00:00:00.001789 | 0
| CREATE GCLUSTER_LOCAL DEFINER= | CAPI |
| 2019-09-02 08:50:06 | gbase[gbase] @ [192.168.105.61] | 00:00:00.000369 | 0
| show /*+ sub_step */ warnings | CAPI |
| 2019-09-02 08:50:05 | gbase[gbase] @ localhost [] | 00:00:00.102018 | 0
| CREATE FUNCTION "func_getstand | CAPI |
| 2019-09-02 08:50:18 | gbase[gbase] @ localhost [] | 00:00:00.000012 | 0
| Quit | CAPI |
| 2019-09-02 08:50:18 | gbase[gbase] @ [192.168.105.61] | 00:00:00.000005 | 0
| Quit | CAPI |
| 2019-09-02 08:50:25 | gbase[gbase] @ localhost [] | 00:00:00.000505 | 0
| Connect | CAPI |
| 2019-09-02 08:50:32 | gbase[gbase] @ [192.168.105.61] | 00:00:00.000275 | 0
| Connect | CAPI |
| 2019-09-02 08:50:32 | gbase[gbase] @ [192.168.105.61] | 00:00:00.006585 | 0
| select table_id from informati | CAPI |
| 2019-09-02 08:50:32 | gbase[gbase] @ [192.168.105.61] | 00:00:00.000002 | 0
| Quit | CAPI |
| 2019-09-02 08:50:32 | gbase[gbase] @ [192.168.105.61] | 00:00:00.000209 | 0
| Connect | CAPI |
| 2019-09-02 08:50:32 | gbase[gbase] @ [192.168.105.61] | 00:00:00.005802 | 0
| select table_id from informati | CAPI |
| 2019-09-02 08:50:32 | gbase[gbase] @ [192.168.105.61] | 00:00:00.000003 | 0
| Quit | CAPI |
| 2019-09-02 08:50:32 | gbase[gbase] @ [192.168.105.61] | 00:00:00.000130 | 0
| Connect | CAPI |
| 2019-09-02 08:50:33 | gbase[gbase] @ localhost [] | 00:00:00.010871 | 33
| select * from gbase.audit_log | CAPI |
| 2019-09-02 08:50:44 | root[root] @ [192.168.3.128] | 00:00:00.000658 | 0
| SELECT SCHEMA_NAME AS `Databas | STUDIO |
+---------------------+----------------------------------+-----------------+----
--+
gbase> INSERT INTO t1 SELECT * FROM t1;
Query OK, 2 rows affected
gbase> UPDATE t1 SET i = 3;
Query OK, 4 rows affected
gbase> DELETE FROM t1;
Query OK, 4 rows affected
gbase> SELECT start_time,user_host,query_time,rows, LEFT(sql_text,
30), conn_type FROM gbase.audit_log;
+---------------------+----------------------------------+
| start_time | user_host |
+---------------------+----------------------------------+
| 2013-10-09 17:21:08 | root[root] @ localhost [] |
| 2013-10-09 17:21:22 | root[root] @ [192.168.10.116] |
| 2013-10-09 17:21:22 | root[root] @ localhost [] |
| 2013-10-09 17:21:32 | gbase[gbase] @ [192.168.10.116] |
| 2013-10-09 17:21:32 | root[root] @ localhost [] |
| 2013-10-09 17:21:32 | root[root] @ localhost [] |
| 2013-10-09 17:21:45 | root[root] @ localhost [] |
| 2013-10-09 17:21:52 | root[root] @ localhost [] |
| 2013-10-09 17:21:58 | root[root] @ localhost [] |
| 2013-10-09 17:22:05 | root[root] @ localhost [] |
| 2013-10-09 17:22:10 | gbase[gbase] @ [192.168.10.116] |
| 2013-10-09 17:22:10 | root[root] @ localhost [] |
| 2013-10-09 17:22:17 | root[root] @ localhost [] |
| 2013-10-09 17:22:25 | root[root] @ localhost [] |
| 2013-10-09 17:23:13 | root[root] @ localhost [] |
| 2013-10-09 17:23:20 | root[root] @ localhost [] |
| 2013-10-09 17:23:27 | root[root] @ localhost [] |
+---------------------+----------------------------------+
+-----------------+------+-------------------------------+----------+
| query_time | rows | LEFT(sql_text, 30) | conn_type|
+-----------------+------+-------------------------------+----------+
| 00:00:00.006397 | 0 | SET GLOBAL log_output = 'table| CAPI |
| 00:00:00.000282 | 0 | Connect | CAPI |
| 00:00:00.025018 | 0 | DROP USER tzt | CAPI |
| 00:00:00.000054 | 0 | Connect | CAPI |
| 00:00:00.000175 | 0 | DROP DATABASE test | CAPI |
| 00:00:00.111946 | 1 | SELECT DATABASE() | CAPI |
| 00:00:00.000086 | 0 | CREATE USER tzt identified by | CAPI |
| 00:00:00.439480 | 0 | GRANT ALL ON *.* TO tzt@'%' | CAPI |
| 00:00:00.000387 | 0 | CREATE DATABASE test | CAPI |
| 00:00:00.000025 | 0 | USE test | CAPI |
| 00:00:00.000384 | 0 | Connect | CAPI |
| 00:00:00.000144 | 0 | CREATE TABLE t1(i int) | CAPI |
| 00:00:00.004527 | 2 | INSERT INTO t1 VALUES (1),(2) | CAPI |
| 00:00:00.000035 | 13 | SELECT start_time,user_host,qu| CAPI |
| 00:00:00.000191 | 2 | INSERT INTO t1 SELECT * FROM t| CAPI |
| 00:00:00.000060 | 4 | UPDATE t1 SET i = 3 | CAPI |
| 00:00:00.094043 | 4 | DELETE FROM t1 | CAPI |
+-----------------+------+-------------------------------+----------+
17 rows in set