Summary of the use skills of the MySQL database Audit plug-in

InMySQL databaseIn version 5.5), added a new plug-in: Audit plugin, used to Audit database connections and database operations. Next we will introduce in detailAudit plugin.

The related code is as follows:

 
 

  
  
sql/sql_audit.cc 
 
 

This file defines the interface functions of the audit plug-in.

 
 

  
  
sql/sql_audit.h 
 
 

Declare the function and define the function mysql_audit_general_log. This function is called When audit is triggered.

 
 

  
  
plugin/audit_null/audit_null.c 
 
 

This is a template program that provides an interface that is defined by the most basic audit plug-in.

To implement a complete audit program, you need to include the plug-in initialization, main functions, and call functions after the plug-in is uninstalled. Here we use audit_null.c as an example:

 
 

  
  
static int audit_null_plugin_init(void *arg __attribute__((unused))) 
 
 

This function is called when the plug-in is installed. It is mainly used for initialization, such as initializing global variables.

 
 

  
  
static void audit_null_notify(MYSQL_THD thd, unsigned int event_class, constvoid *event) 
 
 

This is the main function of the audit plug-in. When an event is triggered, this function will be called. The parameters include:

Thd:The thread that triggers this function contains a wealth of information in the THD struct, which can be used to implement many interesting functions.

Event_class/event:The former indicates the event type, which is used to determine the type of the event struct of the third parameter. It is defined by a macro and its value is MYSQL_AUDIT_GENERAL_CLASS, which indicates that the action of the database is triggered, when the value is MYSQL_AUDIT_CONNECTION_CLASS, it indicates that the database connection is triggered. For different types, different interface functions are called to trigger audit.

 
 

  
  
staticaudit_handler_t audit_handlers[] =  
  
  
 
  
  
{  
  
  
 
  
  
general_class_handler,connection_class_handler  
  
  
 
  
  
}; 
 
 

In the preceding two cases, multiple event types are further subdivided and defined in the plugin_audit.h file.

1. When a connection is initiated

 
 

  
  
#defineMYSQL_AUDIT_CONNECTION_CONNECT 0 
 
 

Triggered after authentication is completed

 
 

  
  
#define MYSQL_AUDIT_CONNECTION_DISCONNECT 1 
 
 

Triggered when the connection is interrupted

 
 

  
  
#define MYSQL_AUDIT_CONNECTION_CHANGE_USER 2 
 
 

Triggered after the command COM_CHANGE_USER is executed.

The structure of the event parameter is mysql_event_connection.

2. When operating the database

 
 

  
  
#defineMYSQL_AUDIT_GENERAL_LOG 0   
 
 

Triggered before being submitted to the general query log.

 
 

  
  
#define MYSQL_AUDIT_GENERAL_ERROR 1 
 
 

Triggered before an error is sent to the user

 
 

  
  
#define MYSQL_AUDIT_GENERAL_RESULT 2 
 
 

Triggered when the result set is sent to the user

 
 

  
  
#defineMYSQL_AUDIT_GENERAL_STATUS 3 
 
 

Triggered when a result set is sent or an error occurs. The struct of the event parameter is mysql_event_general.

No matter which event struct is, the above seven event types are recorded in it. We can write the plug-in code according to different event types.

3. static int audit_null_plugin_deinit (void * arg _ attribute _ (unused )))

This function is called when the plug-in is uninstalled and can be used to release resources or close files.

4. Define the descriptor struct of the plug-in:

 
 

  
  
struct st_mysql_audit    
  
  
 
  
  
{    
  
  
 
  
  
int interface_version;    
  
  
 
  
  
void (*release_thd)(MYSQL_THD);    
  
  
 
  
  
void (*event_notify)(MYSQL_THD, unsigned int, const void *);    
  
  
 
  
  
unsigned long class_mask[MYSQL_AUDIT_CLASS_MASK_SIZE];    
  
  
 
  
  
};   
 
 

Version. The value is MYSQL_AUDIT_INTERFACE_VERSION.

Release_thd, usually set to NULL.

Event_policy, the main processing function. It is called when some events occur (audit_null_policy ).

Class_mask, mask.

Release_thd and event_notify can be used together. When an event triggers event_notify, the plug-in cannot be uninstalled. After the call is completed, the server notifies the release_thd function. In this way, we can allocate resources in event_notify and uniformly release the resources in release_thd.

5. Define the statues variable to specify the value displayed when SHOWSTATIS is called.

 
 

  
  
static struct st_mysql_show_var audit_null_status[] 
 
 

6. Library descriptor of the plug-in

 
 

  
  
mysql_declare_plugin(audit_null)            
  
  
 
  
  
{                                               
  
  
 
  
  
MYSQL_AUDIT_PLUGIN,         /* type                            */    
  
  
 
  
  
&audit_null_descriptor,     /* descriptor                            */    
  
  
 
  
  
"NULL_AUDIT",               /* name                            */    
  
  
 
  
  
"Oracle Corp",              /* author                             */    
  
  
 
  
  
"Simple NULL Audit",        /* description                          */    
  
  
 
  
  
PLUGIN_LICENSE_GPL,    
  
  
 
  
  
audit_null_plugin_init,     /* init function (when loaded)               */    
  
  
 
  
  
audit_null_plugin_deinit,   /* deinit function (when unloaded)             */   
 
 

The third field "NULL_AUDIT" is the plug-in name when INSTALLPLUGIN is executed. If the plug-in name is inconsistent, the error that cannot be found in the library file is not reported.

Summary:

The Audit plug-in can be triggered by a variety of events. Therefore, when the server is busy, you need to carefully write the code to prevent excessive overhead and affect the overall performance of the server.