/Users/deen/code/yugabyte-db/src/yb/yql/cql/ql/audit/audit_logger.h
Line | Count | Source |
1 | | //-------------------------------------------------------------------------------------------------- |
2 | | // Copyright (c) YugaByte, Inc. |
3 | | // |
4 | | // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except |
5 | | // in compliance with the License. You may obtain a copy of the License at |
6 | | // |
7 | | // http://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software distributed under the License |
10 | | // is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express |
11 | | // or implied. See the License for the specific language governing permissions and limitations |
12 | | // under the License. |
13 | | // |
14 | | // |
15 | | // Responsible for logging audit records in YCQL. |
16 | | // Audit is controlled through gflags. If the audit is not enabled, logging methods return |
17 | | // immediately without imposing overhead. |
18 | | // This class should be used for a single request at a time, as a part of (C)QLProcessor internals, |
19 | | // and thus isn't thread-safe. |
20 | | //-------------------------------------------------------------------------------------------------- |
21 | | |
22 | | #ifndef YB_YQL_CQL_QL_AUDIT_AUDIT_LOGGER_H_ |
23 | | #define YB_YQL_CQL_QL_AUDIT_AUDIT_LOGGER_H_ |
24 | | |
25 | | #include <boost/uuid/uuid_generators.hpp> |
26 | | |
27 | | #include "yb/yql/cql/ql/ql_fwd.h" |
28 | | #include "yb/yql/cql/ql/exec/exec_context.h" |
29 | | #include "yb/yql/cql/ql/util/cql_message.h" |
30 | | |
31 | | namespace yb { |
32 | | namespace ql { |
33 | | namespace audit { |
34 | | |
35 | | // Whether the statement being logged is being PREPARE'd rather than executed. |
36 | | YB_STRONGLY_TYPED_BOOL(IsPrepare) |
37 | | YB_STRONGLY_TYPED_BOOL(ErrorIsFormatted) |
38 | | |
39 | | class Type; |
40 | | struct LogEntry; |
41 | | |
42 | | class AuditLogger { |
43 | | public: |
44 | | explicit AuditLogger(const QLEnv& ql_env); |
45 | | |
46 | | // Sets a connection for the current (new) user operation. |
47 | | // Not called for internal requests, resulting in them not being audited. |
48 | 18.0M | void SetConnection(const std::shared_ptr<const rpc::Connection>& conn) { |
49 | 18.0M | conn_ = conn; |
50 | 18.0M | } |
51 | | |
52 | | // Enters the batch request mode, should be called when driver-level batch is received. |
53 | | // This generates a UUID to identify the current batch in audit. |
54 | | // |
55 | | // Note that this is only used for batch requests, not for explicit START TRANSACTION commands |
56 | | // because in that case separate commands might arrive to different tservers. |
57 | | // |
58 | | // If this returns non-OK status, batch mode isn't activated. |
59 | | CHECKED_STATUS StartBatchRequest(size_t statements_count, |
60 | | IsRescheduled is_rescheduled); |
61 | | |
62 | | // Exits the batch request mode. Does nothing outside of a batch request. |
63 | | CHECKED_STATUS EndBatchRequest(); |
64 | | |
65 | | // Log the response to a user's authentication request. |
66 | | CHECKED_STATUS LogAuthResponse(const CQLResponse& response); |
67 | | |
68 | | // Log the statement execution start. |
69 | | // tnode might be nullptr, in which case this does nothing. |
70 | | CHECKED_STATUS LogStatement(const TreeNode* tnode, |
71 | | const std::string& statement, |
72 | | IsPrepare is_prepare); |
73 | | |
74 | | // Log the statement analysis/execution failure. |
75 | | // tnode might be nullptr, in which case this does nothing. |
76 | | CHECKED_STATUS LogStatementError(const TreeNode* tnode, |
77 | | const std::string& statement, |
78 | | const Status& error_status, |
79 | | ErrorIsFormatted error_is_formatted); |
80 | | |
81 | | // Log a general statement processing failure. |
82 | | // We should only use this directly when the parse tree is not present. |
83 | | CHECKED_STATUS LogStatementError(const std::string& statement, |
84 | | const Status& error_status, |
85 | | ErrorIsFormatted error_is_formatted); |
86 | | |
87 | | private: |
88 | | using GflagName = std::string; |
89 | | using GflagStringValue = std::string; |
90 | | using GflagListValue = std::unordered_set<std::string>; |
91 | | using GflagsCache = std::unordered_map<GflagName, std::pair<GflagStringValue, GflagListValue>>; |
92 | | |
93 | | const QLEnv& ql_env_; |
94 | | |
95 | | // Currently audited connection, if any. |
96 | | std::shared_ptr<const rpc::Connection> conn_; |
97 | | |
98 | | // Empty string means not in a batch processing mode. |
99 | | std::string batch_id_; |
100 | | |
101 | | boost::uuids::random_generator batch_id_gen_; |
102 | | |
103 | | // Cache of parsed gflags, to avoid re-parsing unchanged values. |
104 | | GflagsCache gflags_cache_; |
105 | | |
106 | | // Checks whether a given predicate holds on the comma-separated list gflag. |
107 | | // This uses gflag library helper to access a gflag by name, to avoid concurrently accessing |
108 | | // string gflags that may change at runtime. |
109 | | template<class Pred> |
110 | | bool SatisfiesGFlag(const LogEntry& e, |
111 | | const std::string& gflag_name, |
112 | | const Pred& predicate); |
113 | | |
114 | | // Determine whether this entry should be logged given current audit configuration. |
115 | | // Note that we reevaluate gflags to allow changing them dynamically. |
116 | | bool ShouldBeLogged(const LogEntry& e); |
117 | | |
118 | | Result<LogEntry> CreateLogEntry(const Type& type, |
119 | | std::string keyspace, |
120 | | std::string scope, |
121 | | std::string operation, |
122 | | std::string error_message); |
123 | | }; |
124 | | |
125 | | } // namespace audit |
126 | | } // namespace ql |
127 | | } // namespace yb |
128 | | |
129 | | |
130 | | #endif // YB_YQL_CQL_QL_AUDIT_AUDIT_LOGGER_H_ |