Bug #47059 In audit plugin I cannot see the event subclasses, e.g.MYSQL_AUDIT_GENERAL_ERROR
Submitted: 2 Sep 2009 11:05 Modified: 30 Apr 2010 1:14
Reporter: Horst Hunger Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S3 (Non-critical)
Version:azalea OS:Any
Assigned to: Sergey Vojtovich CPU Architecture:Any
Tags: audit, plugin

[2 Sep 2009 11:05] Horst Hunger
Description:
Using the audit plugin interface, I onlc get the event class MYSQL_AUDIT_GENERAL_CLASS (= 0) though some subclasses have been specified:
MYSQL_AUDIT_GENERAL_LOG, MYSQL_AUDIT_GENERAL_ERROR and MYSQL_AUDIT_GENERAL_RESULT.
That depends on the implementation of "st_mysql_audit", especially the parameters of "event_notify". The question is, why does this function not have mysql_event_general as parameter?

How to repeat:
run the following statements:

INSTALL PLUGIN null_audit SONAME 'adt_null.so';
CREATE TABLE t1 (c1 int, c2 char(20));
INSERT INTO t1 VALUES (1,'a'),(2,'b'),(3,'c');
SELECT * FROM t1;
DROP TABLE t1;
show status like 'audit_null_called';
UNINSTALL PLUGIN null_audit ;

with the attached audit_null.c file (it contains DBUG). But it into 
.../plugin/audit_null  
and execute make.
[2 Sep 2009 11:07] Horst Hunger
audit_null source file

Attachment: audit_null.c (text/x-csrc), 3.70 KiB.

[3 Sep 2009 9:59] Sveta Smirnova
Thank you for the report.

What is the expected result of the test?

I get:

INSTALL PLUGIN null_audit SONAME 'adt_null.so';
CREATE TABLE t1 (c1 int, c2 char(20));
INSERT INTO t1 VALUES (1,'a'),(2,'b'),(3,'c');
SELECT * FROM t1;
c1      c2
1       a
2       b
3       c
DROP TABLE t1;
show status like 'audit_null_called';
Variable_name   Value
audit_null_called       10
UNINSTALL PLUGIN null_audit ;
Warnings:
Warning 1620    Plugin is busy and will be uninstalled on shutdown
[4 Sep 2009 7:37] Horst Hunger
The purpose of the test is to show quickly that audit_null as short example for an audit plugin is working. It also allows to generate a trace to follow the calls and see the poorness of the interface.
The criticism of that bug is the poorness of that interface for audit plugins.
[4 Sep 2009 8:47] Sveta Smirnova
Thank you for the feedback.

Verified as described:

T@4    : | | >audit_null_notify
T@4    : | | | event_class        : : 0
T@4    : | | | number_of_calls    : : 7
T@4    : | | <audit_null_notify
...
T@4    : | | >audit_null_notify
T@4    : | | | event_class        : : 0
T@4    : | | | number_of_calls    : : 8
T@4    : | | <audit_null_notify
...
[9 Sep 2009 14:47] Sergei Golubchik
I don't remember any specific reason why it wasn't added.
If it's simply an omission (and it looks like a one), we can add it easily.
[5 Mar 2010 20:23] Paul Dubois
re: "That depends on the implementation of "st_mysql_audit",
especially the parameters of "event_notify". The question is, why
does this function not have mysql_event_general as parameter?"

1) The notify function actually *does* get a mysql_event_general
parameter, even though the notify function prototype specifies a
mysql_event.  sql_audit.cc:general_class_handler() takes all the
parameters passed to it, packages them into a mysql_event_general
structure, and passes that structure to the notify function (cast
as a mysql_event structure):

/**
  MYSQL_AUDIT_GENERAL_CLASS handler

  @param[in] thd
  @param[in] event_subtype
  @param[in] error_code
  @param[in] ap

*/

static void general_class_handler(THD *thd, uint event_subtype, va_list ap)
{
  mysql_event_general event;
  event.event_class= MYSQL_AUDIT_GENERAL_CLASS;
  event.general_error_code= va_arg(ap, int);
  event.general_thread_id= thd ? thd->thread_id : 0;
  event.general_time= va_arg(ap, time_t);
  event.general_user= va_arg(ap, const char *);
  event.general_user_length= va_arg(ap, unsigned int);
  event.general_command= va_arg(ap, const char *);
  event.general_command_length= va_arg(ap, unsigned int);
  event.general_query= va_arg(ap, const char *);
  event.general_query_length= va_arg(ap, unsigned int);
  event.general_charset= va_arg(ap, struct charset_info_st *);
  event.general_rows= (unsigned long long) va_arg(ap, ha_rows);
  event_class_dispatch(thd, (const mysql_event*) &event);
}

event_class_dispatch routes the call to the notify function.

2) The event subtype *is* passed to general_class_handler().
However, you can see that nothing is done with it, so this is where
it's lost.

Looks like we'd need these changes:

1) Change the definition of mysql_event_general to add an 
event_class_subtype member.

2) Modify general_class_handler to initialize event_class_subtype 
from its event_subtype parameter.
[10 Mar 2010 10:09] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/102841

3117 Sergey Vojtovich	2010-03-10
      BUG#47059 - In audit plugin I cannot see the event subclasses,
                  e.g.MYSQL_AUDIT_GENERAL_ERROR
      
      General audit API (MYSQL_AUDIT_GENERAL_CLASS) didn't expose event
      subtype to plugins.
      
      This patch exposes event subtype to plugins via
      struct mysql_event_general::event_subtype.
      
      This change is not compatible with existing general audit plugins.
      Audit interface major version has been incremented.
     @ include/mysql/plugin_audit.h
        Expose event subtype to audit general plugins.
     @ plugin/audit_null/audit_null.c
        Added distinct counters for general event sub-types.
        
        Removed printf() from deinit(). One can easily see number of
        calls via status variables.
        
        To make code nicer, modified class mask to use macro instead
        of hardcoded number.
        
        Incremented audit plugin minor version.
     @ sql/sql_audit.cc
        Expose event subtype to audit general plugins.
[22 Mar 2010 12:29] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/103972

3117 Sergey Vojtovich	2010-03-22
      BUG#47059 - In audit plugin I cannot see the event subclasses,
                  e.g.MYSQL_AUDIT_GENERAL_ERROR
      
      General audit API (MYSQL_AUDIT_GENERAL_CLASS) didn't expose event
      subtype to plugins.
      
      This patch exposes event subtype to plugins via
      struct mysql_event_general::event_subtype.
      
      This change is not compatible with existing general audit plugins.
      Audit interface major version has been incremented.
     @ include/mysql/plugin_audit.h
        Expose event subtype to audit general plugins.
     @ plugin/audit_null/audit_null.c
        Added distinct counters for general event sub-types.
        
        Removed printf() from deinit(). One can easily see number of
        calls via status variables.
        
        To make code nicer, modified class mask to use macro instead
        of hardcoded number.
        
        Incremented audit plugin minor version.
     @ sql/sql_audit.cc
        Expose event subtype to audit general plugins.
[1 Apr 2010 16:48] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/104929

3117 Sergey Vojtovich	2010-04-01
      BUG#47059 - In audit plugin I cannot see the event subclasses,
                  e.g.MYSQL_AUDIT_GENERAL_ERROR
      
      General audit API (MYSQL_AUDIT_GENERAL_CLASS) didn't expose event
      subtype to plugins.
      
      This patch exposes event subtype to plugins via
      struct mysql_event_general::event_subtype.
      
      This change is not compatible with existing general audit plugins.
      Audit interface major version has been incremented.
     @ include/mysql/plugin_audit.h
        Expose event subtype to audit general plugins.
     @ plugin/audit_null/audit_null.c
        Added distinct counters for general event sub-types.
        
        Removed printf() from deinit(). One can easily see number of
        calls via status variables.
        
        To make code nicer, modified class mask to use macro instead
        of hardcoded number.
        
        Incremented audit plugin minor version.
     @ sql/sql_audit.cc
        Expose event subtype to audit general plugins.
[15 Apr 2010 9:05] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/105697

3117 Sergey Vojtovich	2010-04-15
      BUG#47059 - In audit plugin I cannot see the event subclasses,
                  e.g.MYSQL_AUDIT_GENERAL_ERROR
      
      General audit API (MYSQL_AUDIT_GENERAL_CLASS) didn't expose event
      subclass to plugins.
      
      This patch exposes event subclass to plugins via
      struct mysql_event_general::event_subclass.
      
      This change is not compatible with existing general audit plugins.
      Audit interface major version has been incremented.
     @ include/mysql/plugin_audit.h
        Expose event subclass to audit general plugins.
     @ plugin/audit_null/audit_null.c
        Added distinct counters for general event sub-classes.
        
        Removed printf() from deinit(). One can easily see number of
        calls via status variables.
        
        To make code nicer, modified class mask to use macro instead
        of hardcoded number.
        
        Incremented audit plugin minor version.
     @ sql/sql_audit.cc
        Expose event subclass to audit general plugins.
[27 Apr 2010 9:46] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100427094135-5s49ecp3ckson6e2) (version source revid:alik@sun.com-20100427093843-uekr85qkd7orx12t) (merge vers: 6.0.14-alpha) (pib:16)
[27 Apr 2010 9:48] Bugs System
Pushed into 5.5.5-m3 (revid:alik@sun.com-20100427093804-a2k3rrjpwu5jegu8) (version source revid:alik@sun.com-20100427093804-a2k3rrjpwu5jegu8) (merge vers: 5.5.5-m3) (pib:16)
[27 Apr 2010 9:51] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100427094036-38frbg3famdlvjup) (version source revid:alik@sun.com-20100427093825-92wc8b22d4yg34ju) (pib:16)
[30 Apr 2010 1:14] Paul Dubois
Noted in 5.5.5, 6.0.14 changelogs.

For events of MYSQL_AUDIT_GENERAL_CLASS, the event subtype was not
passed to audit plugins even though the server passed the subtype to 
the plugin handler. The subtype is now available through the
following changes:

* The struct mysql_event_general structure has a new event_subtype
  member.

* The new member changes the interface, so the audit plugin interface
  version, MYSQL_AUDIT_INTERFACE_VERSION, has been incremented from
  0x0100 to 0x0200. Plugins that require access to the new member
  should check that the version is 0x0200 or higher.

The example plugin in the plugin/audit_null directory has been
modified to count events of each subtype, based on the event_subtype
value. See http://dev.mysql.com/doc/refman/5.5/en/writing-audit-plugins.html.