mirrors/scylladb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
copilot/fix-host-variable-error
scylladb/cql3/statements/authorization_statement.cc
Paweł Zakrzewski 98f5e49ea8 audit: Add support to CQL statements 
Integrates audit functionality into CQL statement processing to enable tracking of database operations. Key changes:

- Add audit_info and statement_category to all CQL statements
- Implement audit categories for different statement types:
  - DDL: Schema altering statements (CREATE/ALTER/DROP)
  - DML: Data manipulation (INSERT/UPDATE/DELETE/TRUNCATE/USE)
  - DCL: Access control (GRANT/REVOKE/CREATE ROLE)
  - QUERY: SELECT statements
  - ADMIN: Service level operations

- Add audit inspection points in query processing:
  - Before statement execution
  - After access checks
  - After statement completion
  - On execution failures

- Add password sanitization for role management statements
  - Mask plaintext passwords in audit logs
  - Handle both direct password parameters and options maps
  - Preserve query structure while hiding sensitive data

- Modify prepared statement lifecycle to carry audit context
  - Pass audit info during statement preparation
  - Track audit info through statement execution
  - Support batch statement auditing

This change enables comprehensive auditing of CQL operations while ensuring sensitive data is properly masked in audit logs.
2025-01-15 11:10:36 +01:00

84 lines
3.2 KiB
C++
Raw Permalink Blame History

/*
* Copyright 2016-present ScyllaDB
*
* Modified by ScyllaDB
*/
/*
* SPDX-License-Identifier: (LicenseRef-ScyllaDB-Source-Available-1.0 and Apache-2.0)
*/
#include "authorization_statement.hh"
#include "service/client_state.hh"
#include "auth/resource.hh"
#include "cql3/query_processor.hh"
#include "exceptions/exceptions.hh"
#include "db/cql_type_parser.hh"
#include "auth/common.hh"
uint32_t cql3::statements::authorization_statement::get_bound_terms() const {
return 0;
}
bool cql3::statements::authorization_statement::depends_on(std::string_view ks_name, std::optional<std::string_view> cf_name) const {
return false;
}
future<> cql3::statements::authorization_statement::check_access(query_processor& qp, const service::client_state& state) const {
return make_ready_future<>();
}
void cql3::statements::authorization_statement::maybe_correct_resource(auth::resource& resource, const service::client_state& state, query_processor& qp) {
if (resource.kind() == auth::resource_kind::data) {
const auto data_view = auth::data_resource_view(resource);
const auto keyspace = data_view.keyspace();
const auto table = data_view.table();
if (table && keyspace->empty()) {
resource = auth::make_data_resource(state.get_keyspace(), *table);
}
} else if (resource.kind() == auth::resource_kind::functions) {
// Maybe correct the resource for a specific function.
const auto functions_view = auth::functions_resource_view(resource);
const auto keyspace = functions_view.keyspace();
if (!keyspace) {
// This is an "ALL FUNCTIONS" resource.
return;
}
if (!qp.db().has_keyspace(*keyspace)) {
throw exceptions::invalid_request_exception(format("{} doesn't exist.", resource));
}
if (functions_view.function_signature()) {
// The resource is already corrected.
return;
}
if (!functions_view.function_name()) {
// This is an "ALL FUNCTIONS IN KEYSPACE" resource.
return;
}
auto ks = qp.db().find_keyspace(*keyspace);
const auto& utm = ks.user_types();
auto function_name = *functions_view.function_name();
auto function_args = functions_view.function_args();
std::vector<data_type> parsed_types;
if (function_args) {
parsed_types =
*function_args | std::views::transform([&] (std::string_view raw_type) {
auto parsed = db::cql_type_parser::parse(sstring(keyspace->data(), keyspace->size()), sstring(raw_type.data(), raw_type.size()), utm);
return parsed->is_user_type() ? parsed->freeze() : parsed;
}) | std::ranges::to<std::vector>();
}
resource = auth::make_functions_resource(*keyspace, auth::encode_signature(function_name, parsed_types));
}
}
bool cql3::statements::authorization_altering_statement::needs_guard(
query_processor& qp, service::query_state&) const {
return !auth::legacy_mode(qp);
};
audit::statement_category cql3::statements::authorization_statement::category() const {
return audit::statement_category::DCL;
}
Reference in New Issue View Git Blame Copy Permalink