Bug #81591 Audit Log Filtering user is compared against USER() not CURRENT_USER()
Submitted: 25 May 2016 10:19 Modified: 20 Jun 2016 18:24
Reporter: Marek Szymczak Email Updates:
Status: Closed Impact on me: None
Category:MySQL Server: Security: Audit Severity:S3 (Non-critical)
Version:5.7.12 OS:Any
Assigned to: CPU Architecture:Any

[25 May 2016 10:19] Marek Szymczak
Description:
Audit log filtering user matching is made on USER() data, not CURRENT_USER(), which represents the account user/host.

Additionally, on connect failure, priv_user and priv_host do not carry the failed account's user/host data.

How to repeat:
mysql> CREATE USER 'audit_log_user';
mysql> GRANT ALL ON *.* TO 'audit_log_user';
mysql> SELECT audit_log_filter_set_filter('all_enabled', '{ "filter": { "log": true } }') AS 'Result';
mysql> SELECT audit_log_filter_set_user('audit_log_user@%', 'all_enabled') AS 'Result';

Suggested fix:
Account user / host should be taken from priv_user and priv_host.
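To make the identity mismatch behind this report visible, here is an added example (not part of the bug report) that continues the repro above; it assumes the client connects from a host the server resolves as 'app1.example', a constructed name.

```sql
-- Added example; not from the bug report. Continues the repro above and
-- assumes the client host resolves to 'app1.example' (constructed name).

-- Filter assignments are stored per account, i.e. in the form that
-- CURRENT_USER() returns: 'audit_log_user'@'%' after audit_log_filter_set_user().
SELECT * FROM mysql.audit_log_user;

-- Run in a session that authenticated as the wildcard-host account
-- (e.g. "mysql -h db.example -u audit_log_user", run from app1.example).
-- USER() is the name the client sent plus the connecting host
-- ('audit_log_user@app1.example'); CURRENT_USER() is the account the server
-- actually matched ('audit_log_user@%'). On an affected server the filter
-- lookup is keyed on the first string, so the 'all_enabled' assignment for
-- 'audit_log_user@%' can be missed and the session is audited under the
-- default filter (the one assigned to '%', if any) instead of the intended one.
SELECT USER(), CURRENT_USER();

-- The mismatch is hidden when the account host is explicit: for the account
-- below, USER() and CURRENT_USER() are identical, so filtering looks correct
-- even with the bug. Wildcard-host accounts are where audit coverage silently
-- diverges from what was configured.
CREATE USER 'audit_log_user'@'app1.example';
GRANT ALL ON *.* TO 'audit_log_user'@'app1.example';
SELECT audit_log_filter_set_user('audit_log_user@app1.example', 'all_enabled') AS 'Result';
-- A new connection from app1.example now matches the more specific account:
SELECT USER(), CURRENT_USER();

-- Check rather than trust the configuration: generate a statement from the
-- wildcard-host session and confirm it appears in the audit log file.
SHOW VARIABLES LIKE 'audit_log_file';
```

On a server carrying the fix (5.7.14 per the changelog note below), the assignment for 'audit_log_user@%' applies to the wildcard-host session as intended; on affected versions, assigning filters to explicit-host accounts is the only way to get the configured coverage.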
[20 Jun 2016 18:23] Paul Dubois
Posted by developer:
 
Noted in 5.6.32, 5.7.14 changelogs.

Audit log filtering against the user was performing comparisons
against USER(), not CURRENT_USER().
[22 Jun 2016 13:04] Paul Dubois
Posted by developer:
 
Correction: Push to 5.6.32 is a partial patch only. Noted only in 5.7.14 changelog.