From 8a2e1edd2ba0817313c1c0ef76b03a5ab819d17f Mon Sep 17 00:00:00 2001
From: Stephen Frost <sfrost@snowman.net>
Date: Thu, 14 May 2015 11:55:36 -0400
Subject: [PATCH] Further fixes for the buildfarm for pg_audit

Also, use a function to load the extension ahead of all other calls, simulating load from shared_libraries_preload, to make sure the hooks are in place before logging start.
---
 contrib/pg_audit/Makefile | 2 +-
 contrib/pg_audit/expected/pg_audit.out | 92 ++++++++++++++++++++++++++
 contrib/pg_audit/sql/pg_audit.sql | 29 ++++++++
 3 files changed, 122 insertions(+), 1 deletion(-)

diff --git a/contrib/pg_audit/Makefile b/contrib/pg_audit/Makefile
index 7b360110a8f..bd6897e5343 100644
--- a/contrib/pg_audit/Makefile
+++ b/contrib/pg_audit/Makefile
@@ -6,7 +6,7 @@ OBJS = pg_audit.o
 
 EXTENSION = pg_audit
 REGRESS = pg_audit
-REGRESS_OPTS = --temp-config=$(top_srcdir)/contrib/pg_audit/pg_audit.conf
+REGRESS_OPTS =
 DATA = pg_audit--1.0.0.sql
 
 ifdef USE_PGXS
diff --git a/contrib/pg_audit/expected/pg_audit.out b/contrib/pg_audit/expected/pg_audit.out
index c237baa599f..7cfa47ea3dc 100644
--- a/contrib/pg_audit/expected/pg_audit.out
+++ b/contrib/pg_audit/expected/pg_audit.out
@@ -17,7 +17,27 @@ create extension pg_audit;
 CREATE USER super SUPERUSER;
 ALTER ROLE super SET pg_audit.log = 'Role';
 ALTER ROLE super SET pg_audit.log_level = 'notice';
+CREATE FUNCTION load_pg_audit( )
+ RETURNS VOID
+ LANGUAGE plpgsql
+SECURITY DEFINER
+AS $function$
+declare
+begin
+LOAD 'pg_audit';
+end;
+$function$;
+-- After each connect, we need to load pg_audit, as if it was
+-- being loaded from shared_preload_libraries. Otherwise, the hooks
+-- won't be set up and called correctly, leading to lots of ugly
+-- errors.
 \connect - super;
+select load_pg_audit();
+ load_pg_audit
+---------------
+
+(1 row)
+
 --
 -- Create auditor role
 CREATE ROLE auditor;
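Review bot: `REGRESS_OPTS =` on the new side is an empty assignment left where the `--temp-config` line was removed; either delete the line or keep it with a comment such as `# no temp config: pg_audit is loaded per session by load_pg_audit() in sql/pg_audit.sql` so the next reader knows the preload was dropped on purpose. Without that temp config (which presumably set shared_preload_libraries, its content is not in the patch) the test server no longer has the library loaded at startup, so a session that does not call load_pg_audit() runs with no audit hooks at all, and the only symptom is missing NOTICE lines in the expected-output diff rather than an error.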
@@ -33,6 +53,12 @@ NOTICE: AUDIT: SESSION,4,1,ROLE,ALTER ROLE,,,ALTER ROLE user1 SET pg_audit.log_
 --
 -- Create, select, drop (select will not be audited)
 \connect - user1
+select load_pg_audit();
+ load_pg_audit
+---------------
+
+(1 row)
+
 CREATE TABLE public.test (id INT);
 NOTICE: AUDIT: SESSION,1,1,DDL,CREATE TABLE,TABLE,public.test,CREATE TABLE public.test (id INT);,<not logged>
 SELECT * FROM test;
@@ -45,6 +71,12 @@ NOTICE: AUDIT: SESSION,2,1,DDL,DROP TABLE,TABLE,public.test,DROP TABLE test;,<n
 --
 -- Create second test user
 \connect - super
+select load_pg_audit();
+ load_pg_audit
+---------------
+
+(1 row)
+
 CREATE USER user2;
 NOTICE: AUDIT: SESSION,1,1,ROLE,CREATE ROLE,,,CREATE USER user2;,<not logged>
 ALTER ROLE user2 SET pg_audit.log = 'Read, writE';
@@ -58,6 +90,12 @@ NOTICE: AUDIT: SESSION,5,1,ROLE,ALTER ROLE,,,ALTER ROLE user2 SET pg_audit.role
 ALTER ROLE user2 SET pg_audit.log_statement_once = ON;
 NOTICE: AUDIT: SESSION,6,1,ROLE,ALTER ROLE,,,ALTER ROLE user2 SET pg_audit.log_statement_once = ON;,<not logged>
 \connect - user2
+select load_pg_audit();
+ load_pg_audit
+---------------
+
+(1 row)
+
 CREATE TABLE test2 (id INT);
 GRANT SELECT ON TABLE public.test2 TO auditor;
 --
@@ -204,9 +242,21 @@ WARNING: AUDIT: OBJECT,6,1,WRITE,INSERT,TABLE,public.test2,<previously logged>,
 --
 -- Change permissions of user 2 so that only object logging will be done
 \connect - super
+select load_pg_audit();
+ load_pg_audit
+---------------
+
+(1 row)
+
 alter role user2 set pg_audit.log = 'NONE';
 NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user2 set pg_audit.log = 'NONE';,<not logged>
 \connect - user2
+select load_pg_audit();
+ load_pg_audit
+---------------
+
+(1 row)
+
 --
 -- Create test4 and add permissions
 CREATE TABLE test4
@@ -279,9 +329,21 @@ DROP TABLE test4;
 --
 -- Change permissions of user 1 so that session logging will be done
 \connect - super
+select load_pg_audit();
+ load_pg_audit
+---------------
+
+(1 row)
+
 alter role user1 set pg_audit.log = 'DDL, READ';
 NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,"alter role user1 set pg_audit.log = 'DDL, READ';",<not logged>
 \connect - user1
+select load_pg_audit();
+ load_pg_audit
+---------------
+
+(1 row)
+
 --
 -- Create table is session logged
 CREATE TABLE public.account
@@ -315,11 +377,23 @@ INSERT INTO account (id, name, password, description)
 --
 -- Change permissions of user 1 so that only object logging will be done
 \connect - super
+select load_pg_audit();
+ load_pg_audit
+---------------
+
+(1 row)
+
 alter role user1 set pg_audit.log = 'none';
 NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.log = 'none';,<not logged>
 alter role user1 set pg_audit.role = 'auditor';
 NOTICE: AUDIT: SESSION,2,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.role = 'auditor';,<not logged>
 \connect - user1
+select load_pg_audit();
+ load_pg_audit
+---------------
+
+(1 row)
+
 --
 -- ROLE class not set, so auditor grants not logged
 GRANT SELECT (password),
@@ -362,11 +436,23 @@ NOTICE: AUDIT: OBJECT,2,1,WRITE,UPDATE,TABLE,public.account,"UPDATE account
 --
 -- Change permissions of user 1 so that session relation logging will be done
 \connect - super
+select load_pg_audit();
+ load_pg_audit
+---------------
+
+(1 row)
+
 alter role user1 set pg_audit.log_relation = on;
 NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.log_relation = on;,<not logged>
 alter role user1 set pg_audit.log = 'read, WRITE';
 NOTICE: AUDIT: SESSION,2,1,ROLE,ALTER ROLE,,,"alter role user1 set pg_audit.log = 'read, WRITE';",<not logged>
 \connect - user1
+select load_pg_audit();
+ load_pg_audit
+---------------
+
+(1 row)
+
 --
 -- Not logged
 create table ACCOUNT_ROLE_MAP
@@ -461,6 +547,12 @@ NOTICE: AUDIT: SESSION,5,1,WRITE,UPDATE,TABLE,public.account,"UPDATE account -- -- Change back to superuser to do exhaustive tests \connect - super +select load_pg_audit(); + load_pg_audit +--------------- + +(1 row) + SET pg_audit.log = 'ALL'; NOTICE: AUDIT: SESSION,1,1,MISC,SET,,,SET pg_audit.log = 'ALL';,<not logged> SET pg_audit.log_level = 'notice'; diff --git a/contrib/pg_audit/sql/pg_audit.sql b/contrib/pg_audit/sql/pg_audit.sql index f6591cca938..0722b96d14b 100644 --- a/contrib/pg_audit/sql/pg_audit.sql +++ b/contrib/pg_audit/sql/pg_audit.sql @@ -19,7 +19,24 @@ create extension pg_audit; CREATE USER super SUPERUSER; ALTER ROLE super SET pg_audit.log = 'Role'; ALTER ROLE super SET pg_audit.log_level = 'notice'; + +CREATE FUNCTION load_pg_audit( ) + RETURNS VOID + LANGUAGE plpgsql +SECURITY DEFINER +AS $function$ +declare +begin +LOAD 'pg_audit'; +end; +$function$; + +-- After each connect, we need to load pg_audit, as if it was +-- being loaded from shared_preload_libraries. Otherwise, the hooks +-- won't be set up and called correctly, leading to lots of ugly +-- errors. \connect - super; +select load_pg_audit(); -- -- Create auditor role @@ -34,6 +51,7 @@ ALTER ROLE user1 SET pg_audit.log_level = 'notice'; -- -- Create, select, drop (select will not be audited) \connect - user1 +select load_pg_audit(); CREATE TABLE public.test (id INT); SELECT * FROM test; DROP TABLE test; @@ -41,6 +59,7 @@ DROP TABLE test; -- -- Create second test user \connect - super +select load_pg_audit(); CREATE USER user2; ALTER ROLE user2 SET pg_audit.log = 'Read, writE'; @@ -50,6 +69,7 @@ ALTER ROLE user2 SET pg_audit.role = auditor; ALTER ROLE user2 SET pg_audit.log_statement_once = ON; \connect - user2 +select load_pg_audit(); CREATE TABLE test2 (id INT); GRANT SELECT ON TABLE public.test2 TO auditor; 
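Review bot: In the `@@ -19,7 +19,24 @@` hunk of sql/pg_audit.sql, load_pg_audit() is declared SECURITY DEFINER and keeps the default EXECUTE grant to PUBLIC, so every role in the regression database can run `LOAD 'pg_audit'` with the definer's superuser rights; that is the intent here (user1 and user2 are created without SUPERUSER and LOAD from $libdir requires one), but the added comment block explains only when the call is needed, not why the function is a definer function or why the open grant is tolerable. Add a line to that comment block, e.g. `-- SECURITY DEFINER so the non-superuser test roles can LOAD the library; EXECUTE stays open to PUBLIC, which is acceptable only in this throwaway regression database.` The body also carries an empty `declare` section and the `( )` spelling, which can be dropped: `CREATE FUNCTION load_pg_audit() RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $function$ begin LOAD 'pg_audit'; end; $function$;`. The per-connect call added in the later hunks of this file relies on this comment alone, which is fine once it states the above.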
@@ -149,9 +169,11 @@ UPDATE test3
 --
 -- Change permissions of user 2 so that only object logging will be done
 \connect - super
+select load_pg_audit();
 alter role user2 set pg_audit.log = 'NONE';
 
 \connect - user2
+select load_pg_audit();
 
 --
 -- Create test4 and add permissions
@@ -222,8 +244,10 @@ DROP TABLE test4;
 --
 -- Change permissions of user 1 so that session logging will be done
 \connect - super
+select load_pg_audit();
 alter role user1 set pg_audit.log = 'DDL, READ';
 \connect - user1
+select load_pg_audit();
 
 --
 -- Create table is session logged
@@ -248,9 +272,11 @@ INSERT INTO account (id, name, password, description)
 --
 -- Change permissions of user 1 so that only object logging will be done
 \connect - super
+select load_pg_audit();
 alter role user1 set pg_audit.log = 'none';
 alter role user1 set pg_audit.role = 'auditor';
 \connect - user1
+select load_pg_audit();
 
 --
 -- ROLE class not set, so auditor grants not logged
@@ -285,9 +311,11 @@ UPDATE account
 --
 -- Change permissions of user 1 so that session relation logging will be done
 \connect - super
+select load_pg_audit();
 alter role user1 set pg_audit.log_relation = on;
 alter role user1 set pg_audit.log = 'read, WRITE';
 \connect - user1
+select load_pg_audit();
 
 --
 -- Not logged
@@ -345,6 +373,7 @@ UPDATE account
 --
 -- Change back to superuser to do exhaustive tests
 \connect - super
+select load_pg_audit();
 SET pg_audit.log = 'ALL';
 SET pg_audit.log_level = 'notice';
 SET pg_audit.log_relation = ON;
-- 
GitLab
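Review bot: Every `\connect` in this hunk and in the following ones (`@@ -222`, `@@ -248`, `@@ -285`, `@@ -345`) is paired by hand with `select load_pg_audit();`, and nothing enforces the pairing: a `\connect` added later without the call gives a session with no audit hooks, and the only symptom is missing NOTICE lines in the expected-output diff rather than a failure. Rather than a reminder beside each connect, state the rule once where the function is defined (outside this hunk), e.g. `-- Every \connect in this file must be followed by select load_pg_audit(); a session without it is not audited at all.` If the suite grows, a mechanical check that counts `\connect` lines against `load_pg_audit()` calls in this file would catch the omission before the expected output has to be re-read by eye.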