mirror of
https://git.postgresql.org/git/postgresql.git
synced 2024-12-15 08:20:16 +08:00
Further fixes for the buildfarm for pg_audit
Also, use a function to load the extension ahead of all other calls, simulating load from shared_preload_libraries, to make sure the hooks are in place before logging starts.
parent
c703b1e689
commit
8a2e1edd2b
@ -6,7 +6,7 @@ OBJS = pg_audit.o
|
|||||||
|
|
||||||
EXTENSION = pg_audit
|
EXTENSION = pg_audit
|
||||||
REGRESS = pg_audit
|
REGRESS = pg_audit
|
||||||
REGRESS_OPTS = --temp-config=$(top_srcdir)/contrib/pg_audit/pg_audit.conf
|
REGRESS_OPTS =
|
||||||
DATA = pg_audit--1.0.0.sql
|
DATA = pg_audit--1.0.0.sql
|
||||||
|
|
||||||
ifdef USE_PGXS
|
ifdef USE_PGXS
|
||||||
|
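Review bot: Emptying `REGRESS_OPTS` drops the `--temp-config` file, so the suite probably no longer exercises the preload path an audit extension is normally deployed with. This assumes pg_audit.conf is where shared_preload_libraries was set, which is not visible here. Coverage now depends on every session calling the loader after each `\connect`, and a session that omits it would run with the hooks missing. I'd delete the assignment rather than keep an empty `REGRESS_OPTS =`, and add a comment such as `# pg_audit is loaded per session by the regression script, not via shared_preload_libraries`.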
@ -17,7 +17,27 @@ create extension pg_audit;
|
|||||||
CREATE USER super SUPERUSER;
|
CREATE USER super SUPERUSER;
|
||||||
ALTER ROLE super SET pg_audit.log = 'Role';
|
ALTER ROLE super SET pg_audit.log = 'Role';
|
||||||
ALTER ROLE super SET pg_audit.log_level = 'notice';
|
ALTER ROLE super SET pg_audit.log_level = 'notice';
|
||||||
|
CREATE FUNCTION load_pg_audit( )
|
||||||
|
RETURNS VOID
|
||||||
|
LANGUAGE plpgsql
|
||||||
|
SECURITY DEFINER
|
||||||
|
AS $function$
|
||||||
|
declare
|
||||||
|
begin
|
||||||
|
LOAD 'pg_audit';
|
||||||
|
end;
|
||||||
|
$function$;
|
||||||
|
-- After each connect, we need to load pg_audit, as if it was
|
||||||
|
-- being loaded from shared_preload_libraries. Otherwise, the hooks
|
||||||
|
-- won't be set up and called correctly, leading to lots of ugly
|
||||||
|
-- errors.
|
||||||
\connect - super;
|
\connect - super;
|
||||||
|
select load_pg_audit();
|
||||||
|
load_pg_audit
|
||||||
|
---------------
|
||||||
|
|
||||||
|
(1 row)
|
||||||
|
|
||||||
--
|
--
|
||||||
-- Create auditor role
|
-- Create auditor role
|
||||||
CREATE ROLE auditor;
|
CREATE ROLE auditor;
|
||||||
@ -33,6 +53,12 @@ NOTICE: AUDIT: SESSION,4,1,ROLE,ALTER ROLE,,,ALTER ROLE user1 SET pg_audit.log_
|
|||||||
--
|
--
|
||||||
-- Create, select, drop (select will not be audited)
|
-- Create, select, drop (select will not be audited)
|
||||||
\connect - user1
|
\connect - user1
|
||||||
|
select load_pg_audit();
|
||||||
|
load_pg_audit
|
||||||
|
---------------
|
||||||
|
|
||||||
|
(1 row)
|
||||||
|
|
||||||
CREATE TABLE public.test (id INT);
|
CREATE TABLE public.test (id INT);
|
||||||
NOTICE: AUDIT: SESSION,1,1,DDL,CREATE TABLE,TABLE,public.test,CREATE TABLE public.test (id INT);,<not logged>
|
NOTICE: AUDIT: SESSION,1,1,DDL,CREATE TABLE,TABLE,public.test,CREATE TABLE public.test (id INT);,<not logged>
|
||||||
SELECT * FROM test;
|
SELECT * FROM test;
|
||||||
@ -45,6 +71,12 @@ NOTICE: AUDIT: SESSION,2,1,DDL,DROP TABLE,TABLE,public.test,DROP TABLE test;,<n
|
|||||||
--
|
--
|
||||||
-- Create second test user
|
-- Create second test user
|
||||||
\connect - super
|
\connect - super
|
||||||
|
select load_pg_audit();
|
||||||
|
load_pg_audit
|
||||||
|
---------------
|
||||||
|
|
||||||
|
(1 row)
|
||||||
|
|
||||||
CREATE USER user2;
|
CREATE USER user2;
|
||||||
NOTICE: AUDIT: SESSION,1,1,ROLE,CREATE ROLE,,,CREATE USER user2;,<not logged>
|
NOTICE: AUDIT: SESSION,1,1,ROLE,CREATE ROLE,,,CREATE USER user2;,<not logged>
|
||||||
ALTER ROLE user2 SET pg_audit.log = 'Read, writE';
|
ALTER ROLE user2 SET pg_audit.log = 'Read, writE';
|
||||||
@ -58,6 +90,12 @@ NOTICE: AUDIT: SESSION,5,1,ROLE,ALTER ROLE,,,ALTER ROLE user2 SET pg_audit.role
|
|||||||
ALTER ROLE user2 SET pg_audit.log_statement_once = ON;
|
ALTER ROLE user2 SET pg_audit.log_statement_once = ON;
|
||||||
NOTICE: AUDIT: SESSION,6,1,ROLE,ALTER ROLE,,,ALTER ROLE user2 SET pg_audit.log_statement_once = ON;,<not logged>
|
NOTICE: AUDIT: SESSION,6,1,ROLE,ALTER ROLE,,,ALTER ROLE user2 SET pg_audit.log_statement_once = ON;,<not logged>
|
||||||
\connect - user2
|
\connect - user2
|
||||||
|
select load_pg_audit();
|
||||||
|
load_pg_audit
|
||||||
|
---------------
|
||||||
|
|
||||||
|
(1 row)
|
||||||
|
|
||||||
CREATE TABLE test2 (id INT);
|
CREATE TABLE test2 (id INT);
|
||||||
GRANT SELECT ON TABLE public.test2 TO auditor;
|
GRANT SELECT ON TABLE public.test2 TO auditor;
|
||||||
--
|
--
|
||||||
@ -204,9 +242,21 @@ WARNING: AUDIT: OBJECT,6,1,WRITE,INSERT,TABLE,public.test2,<previously logged>,
|
|||||||
--
|
--
|
||||||
-- Change permissions of user 2 so that only object logging will be done
|
-- Change permissions of user 2 so that only object logging will be done
|
||||||
\connect - super
|
\connect - super
|
||||||
|
select load_pg_audit();
|
||||||
|
load_pg_audit
|
||||||
|
---------------
|
||||||
|
|
||||||
|
(1 row)
|
||||||
|
|
||||||
alter role user2 set pg_audit.log = 'NONE';
|
alter role user2 set pg_audit.log = 'NONE';
|
||||||
NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user2 set pg_audit.log = 'NONE';,<not logged>
|
NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user2 set pg_audit.log = 'NONE';,<not logged>
|
||||||
\connect - user2
|
\connect - user2
|
||||||
|
select load_pg_audit();
|
||||||
|
load_pg_audit
|
||||||
|
---------------
|
||||||
|
|
||||||
|
(1 row)
|
||||||
|
|
||||||
--
|
--
|
||||||
-- Create test4 and add permissions
|
-- Create test4 and add permissions
|
||||||
CREATE TABLE test4
|
CREATE TABLE test4
|
||||||
@ -279,9 +329,21 @@ DROP TABLE test4;
|
|||||||
--
|
--
|
||||||
-- Change permissions of user 1 so that session logging will be done
|
-- Change permissions of user 1 so that session logging will be done
|
||||||
\connect - super
|
\connect - super
|
||||||
|
select load_pg_audit();
|
||||||
|
load_pg_audit
|
||||||
|
---------------
|
||||||
|
|
||||||
|
(1 row)
|
||||||
|
|
||||||
alter role user1 set pg_audit.log = 'DDL, READ';
|
alter role user1 set pg_audit.log = 'DDL, READ';
|
||||||
NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,"alter role user1 set pg_audit.log = 'DDL, READ';",<not logged>
|
NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,"alter role user1 set pg_audit.log = 'DDL, READ';",<not logged>
|
||||||
\connect - user1
|
\connect - user1
|
||||||
|
select load_pg_audit();
|
||||||
|
load_pg_audit
|
||||||
|
---------------
|
||||||
|
|
||||||
|
(1 row)
|
||||||
|
|
||||||
--
|
--
|
||||||
-- Create table is session logged
|
-- Create table is session logged
|
||||||
CREATE TABLE public.account
|
CREATE TABLE public.account
|
||||||
@ -315,11 +377,23 @@ INSERT INTO account (id, name, password, description)
|
|||||||
--
|
--
|
||||||
-- Change permissions of user 1 so that only object logging will be done
|
-- Change permissions of user 1 so that only object logging will be done
|
||||||
\connect - super
|
\connect - super
|
||||||
|
select load_pg_audit();
|
||||||
|
load_pg_audit
|
||||||
|
---------------
|
||||||
|
|
||||||
|
(1 row)
|
||||||
|
|
||||||
alter role user1 set pg_audit.log = 'none';
|
alter role user1 set pg_audit.log = 'none';
|
||||||
NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.log = 'none';,<not logged>
|
NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.log = 'none';,<not logged>
|
||||||
alter role user1 set pg_audit.role = 'auditor';
|
alter role user1 set pg_audit.role = 'auditor';
|
||||||
NOTICE: AUDIT: SESSION,2,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.role = 'auditor';,<not logged>
|
NOTICE: AUDIT: SESSION,2,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.role = 'auditor';,<not logged>
|
||||||
\connect - user1
|
\connect - user1
|
||||||
|
select load_pg_audit();
|
||||||
|
load_pg_audit
|
||||||
|
---------------
|
||||||
|
|
||||||
|
(1 row)
|
||||||
|
|
||||||
--
|
--
|
||||||
-- ROLE class not set, so auditor grants not logged
|
-- ROLE class not set, so auditor grants not logged
|
||||||
GRANT SELECT (password),
|
GRANT SELECT (password),
|
||||||
@ -362,11 +436,23 @@ NOTICE: AUDIT: OBJECT,2,1,WRITE,UPDATE,TABLE,public.account,"UPDATE account
|
|||||||
--
|
--
|
||||||
-- Change permissions of user 1 so that session relation logging will be done
|
-- Change permissions of user 1 so that session relation logging will be done
|
||||||
\connect - super
|
\connect - super
|
||||||
|
select load_pg_audit();
|
||||||
|
load_pg_audit
|
||||||
|
---------------
|
||||||
|
|
||||||
|
(1 row)
|
||||||
|
|
||||||
alter role user1 set pg_audit.log_relation = on;
|
alter role user1 set pg_audit.log_relation = on;
|
||||||
NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.log_relation = on;,<not logged>
|
NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.log_relation = on;,<not logged>
|
||||||
alter role user1 set pg_audit.log = 'read, WRITE';
|
alter role user1 set pg_audit.log = 'read, WRITE';
|
||||||
NOTICE: AUDIT: SESSION,2,1,ROLE,ALTER ROLE,,,"alter role user1 set pg_audit.log = 'read, WRITE';",<not logged>
|
NOTICE: AUDIT: SESSION,2,1,ROLE,ALTER ROLE,,,"alter role user1 set pg_audit.log = 'read, WRITE';",<not logged>
|
||||||
\connect - user1
|
\connect - user1
|
||||||
|
select load_pg_audit();
|
||||||
|
load_pg_audit
|
||||||
|
---------------
|
||||||
|
|
||||||
|
(1 row)
|
||||||
|
|
||||||
--
|
--
|
||||||
-- Not logged
|
-- Not logged
|
||||||
create table ACCOUNT_ROLE_MAP
|
create table ACCOUNT_ROLE_MAP
|
||||||
@ -461,6 +547,12 @@ NOTICE: AUDIT: SESSION,5,1,WRITE,UPDATE,TABLE,public.account,"UPDATE account
|
|||||||
--
|
--
|
||||||
-- Change back to superuser to do exhaustive tests
|
-- Change back to superuser to do exhaustive tests
|
||||||
\connect - super
|
\connect - super
|
||||||
|
select load_pg_audit();
|
||||||
|
load_pg_audit
|
||||||
|
---------------
|
||||||
|
|
||||||
|
(1 row)
|
||||||
|
|
||||||
SET pg_audit.log = 'ALL';
|
SET pg_audit.log = 'ALL';
|
||||||
NOTICE: AUDIT: SESSION,1,1,MISC,SET,,,SET pg_audit.log = 'ALL';,<not logged>
|
NOTICE: AUDIT: SESSION,1,1,MISC,SET,,,SET pg_audit.log = 'ALL';,<not logged>
|
||||||
SET pg_audit.log_level = 'notice';
|
SET pg_audit.log_level = 'notice';
|
||||||
|
@ -19,7 +19,24 @@ create extension pg_audit;
|
|||||||
CREATE USER super SUPERUSER;
|
CREATE USER super SUPERUSER;
|
||||||
ALTER ROLE super SET pg_audit.log = 'Role';
|
ALTER ROLE super SET pg_audit.log = 'Role';
|
||||||
ALTER ROLE super SET pg_audit.log_level = 'notice';
|
ALTER ROLE super SET pg_audit.log_level = 'notice';
|
||||||
|
|
||||||
|
CREATE FUNCTION load_pg_audit( )
|
||||||
|
RETURNS VOID
|
||||||
|
LANGUAGE plpgsql
|
||||||
|
SECURITY DEFINER
|
||||||
|
AS $function$
|
||||||
|
declare
|
||||||
|
begin
|
||||||
|
LOAD 'pg_audit';
|
||||||
|
end;
|
||||||
|
$function$;
|
||||||
|
|
||||||
|
-- After each connect, we need to load pg_audit, as if it was
|
||||||
|
-- being loaded from shared_preload_libraries. Otherwise, the hooks
|
||||||
|
-- won't be set up and called correctly, leading to lots of ugly
|
||||||
|
-- errors.
|
||||||
\connect - super;
|
\connect - super;
|
||||||
|
select load_pg_audit();
|
||||||
|
|
||||||
--
|
--
|
||||||
-- Create auditor role
|
-- Create auditor role
|
||||||
@ -34,6 +51,7 @@ ALTER ROLE user1 SET pg_audit.log_level = 'notice';
|
|||||||
--
|
--
|
||||||
-- Create, select, drop (select will not be audited)
|
-- Create, select, drop (select will not be audited)
|
||||||
\connect - user1
|
\connect - user1
|
||||||
|
select load_pg_audit();
|
||||||
CREATE TABLE public.test (id INT);
|
CREATE TABLE public.test (id INT);
|
||||||
SELECT * FROM test;
|
SELECT * FROM test;
|
||||||
DROP TABLE test;
|
DROP TABLE test;
|
||||||
@ -41,6 +59,7 @@ DROP TABLE test;
|
|||||||
--
|
--
|
||||||
-- Create second test user
|
-- Create second test user
|
||||||
\connect - super
|
\connect - super
|
||||||
|
select load_pg_audit();
|
||||||
|
|
||||||
CREATE USER user2;
|
CREATE USER user2;
|
||||||
ALTER ROLE user2 SET pg_audit.log = 'Read, writE';
|
ALTER ROLE user2 SET pg_audit.log = 'Read, writE';
|
||||||
@ -50,6 +69,7 @@ ALTER ROLE user2 SET pg_audit.role = auditor;
|
|||||||
ALTER ROLE user2 SET pg_audit.log_statement_once = ON;
|
ALTER ROLE user2 SET pg_audit.log_statement_once = ON;
|
||||||
|
|
||||||
\connect - user2
|
\connect - user2
|
||||||
|
select load_pg_audit();
|
||||||
CREATE TABLE test2 (id INT);
|
CREATE TABLE test2 (id INT);
|
||||||
GRANT SELECT ON TABLE public.test2 TO auditor;
|
GRANT SELECT ON TABLE public.test2 TO auditor;
|
||||||
|
|
||||||
@ -149,9 +169,11 @@ UPDATE test3
|
|||||||
--
|
--
|
||||||
-- Change permissions of user 2 so that only object logging will be done
|
-- Change permissions of user 2 so that only object logging will be done
|
||||||
\connect - super
|
\connect - super
|
||||||
|
select load_pg_audit();
|
||||||
alter role user2 set pg_audit.log = 'NONE';
|
alter role user2 set pg_audit.log = 'NONE';
|
||||||
|
|
||||||
\connect - user2
|
\connect - user2
|
||||||
|
select load_pg_audit();
|
||||||
|
|
||||||
--
|
--
|
||||||
-- Create test4 and add permissions
|
-- Create test4 and add permissions
|
||||||
@ -222,8 +244,10 @@ DROP TABLE test4;
|
|||||||
--
|
--
|
||||||
-- Change permissions of user 1 so that session logging will be done
|
-- Change permissions of user 1 so that session logging will be done
|
||||||
\connect - super
|
\connect - super
|
||||||
|
select load_pg_audit();
|
||||||
alter role user1 set pg_audit.log = 'DDL, READ';
|
alter role user1 set pg_audit.log = 'DDL, READ';
|
||||||
\connect - user1
|
\connect - user1
|
||||||
|
select load_pg_audit();
|
||||||
|
|
||||||
--
|
--
|
||||||
-- Create table is session logged
|
-- Create table is session logged
|
||||||
@ -248,9 +272,11 @@ INSERT INTO account (id, name, password, description)
|
|||||||
--
|
--
|
||||||
-- Change permissions of user 1 so that only object logging will be done
|
-- Change permissions of user 1 so that only object logging will be done
|
||||||
\connect - super
|
\connect - super
|
||||||
|
select load_pg_audit();
|
||||||
alter role user1 set pg_audit.log = 'none';
|
alter role user1 set pg_audit.log = 'none';
|
||||||
alter role user1 set pg_audit.role = 'auditor';
|
alter role user1 set pg_audit.role = 'auditor';
|
||||||
\connect - user1
|
\connect - user1
|
||||||
|
select load_pg_audit();
|
||||||
|
|
||||||
--
|
--
|
||||||
-- ROLE class not set, so auditor grants not logged
|
-- ROLE class not set, so auditor grants not logged
|
||||||
@ -285,9 +311,11 @@ UPDATE account
|
|||||||
--
|
--
|
||||||
-- Change permissions of user 1 so that session relation logging will be done
|
-- Change permissions of user 1 so that session relation logging will be done
|
||||||
\connect - super
|
\connect - super
|
||||||
|
select load_pg_audit();
|
||||||
alter role user1 set pg_audit.log_relation = on;
|
alter role user1 set pg_audit.log_relation = on;
|
||||||
alter role user1 set pg_audit.log = 'read, WRITE';
|
alter role user1 set pg_audit.log = 'read, WRITE';
|
||||||
\connect - user1
|
\connect - user1
|
||||||
|
select load_pg_audit();
|
||||||
|
|
||||||
--
|
--
|
||||||
-- Not logged
|
-- Not logged
|
||||||
@ -345,6 +373,7 @@ UPDATE account
|
|||||||
--
|
--
|
||||||
-- Change back to superuser to do exhaustive tests
|
-- Change back to superuser to do exhaustive tests
|
||||||
\connect - super
|
\connect - super
|
||||||
|
select load_pg_audit();
|
||||||
SET pg_audit.log = 'ALL';
|
SET pg_audit.log = 'ALL';
|
||||||
SET pg_audit.log_level = 'notice';
|
SET pg_audit.log_level = 'notice';
|
||||||
SET pg_audit.log_relation = ON;
|
SET pg_audit.log_relation = ON;
|
||||||
|
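Review bot: `load_pg_audit()` is declared `SECURITY DEFINER` with the default PUBLIC execute grant and no pinned search path, and the comment above `\connect - super;` does not explain why definer rights are needed. The function is presumably created by the role running the suite, so that user1 and user2 can execute `LOAD` without being superusers; this is worth stating so the pattern is not copied outside a test database. I'd add a comment such as `-- SECURITY DEFINER so non-superuser test roles can LOAD pg_audit; test-only helper` and attach `SET search_path = pg_catalog, pg_temp` to the definition, as is usual for definer functions. The empty `declare` section can be dropped.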