|
| 1 | +/* |
| 2 | +
|
| 3 | +Purpose |
| 4 | +
|
| 5 | +Audit_Star is a database building block that is intended to provide a standard, easy to use mechanism for capturing row-level data changes in your Postgres databases. It is to provide support for those scenarios where we do not already have another auditing mechanism in place (such as historian functionality or special application level events). |
| 6 | +
|
| 7 | +Benefits |
| 8 | +
|
| 9 | +The general benefits of auditing are well known. Aside from capturing a historical perspective of the data, it also provides a mechanism to assist in troubleshooting/debugging certain types of problems/issues (particularly those that can be tied to recent data changes). A secondary benefit includes providing a mechanism to communicate to ETL routines or downstream systems that a change (specifically a "delete") has taken place. |
| 10 | +
|
| 11 | +Some of the benefits that are specific to using this particular approach include the following: |
| 12 | +
|
| 13 | +- There is no maintenance required |
| 14 | +- There is no custom code required |
| 15 | +- The auditing mechanism never breaks, even when columns are added or removed from a table |
| 16 | +- It is easy to apply/deploy |
| 17 | +- It can be configured/customized (if needed) via a simple config file |
| 18 | +
|
| 19 | +How Does it Work? |
| 20 | +
|
| 21 | +This auditing mechanism involves (automatically) generating a number of database components for each table that is to be audited: |
| 22 | +
|
| 23 | +- Audit Table - Each "source" table will have a corresponding audit table (to hold the RECENT history of changes) |
| 24 | +- Audit Trigger - Each source table will have a DML Trigger that propagates the data changes to its audit table |
| 25 | +- Audit View - Each table will have a View that aids in querying/presenting the (JSON) data contained in the audit table |
| 26 | +
|
| 27 | +The schema of the audit tables do NOT match/mirror the source table they are auditing. Rather, the audit tables have a single column that holds a JSON representation of the entire "before" row, and a second column that holds a JSON representation of the diff between the "before" and "after" rows. The audit trigger handles creating the JSON representation of the changes, and inserting it into the audit table. The trigger also handle creating new audit table partitions as needed. The audit view converts the JSON back to a row-based representation of the data changes, so that the changes are easier to review. The view also stitches together certain data from the source table (as in the case of initial inserts). |
| 28 | +
|
| 29 | +Deployment |
| 30 | +
|
| 31 | +
|
| 32 | +HStore Extension |
| 33 | +
|
| 34 | +The auditing solution is built on top of the HStore data type in Postgres. Hence, the HStore Extension must be installed in the database. |
| 35 | +
|
| 36 | +
|
| 37 | + CREATE EXTENSION hstore with schema public; |
| 38 | +
|
| 39 | +
|
| 40 | +Be sure that the extension is bubbled down to staging and development environments. Otherwise the migrations builds/tests will fail. |
| 41 | +
|
| 42 | +Run time parameters |
| 43 | +
|
| 44 | +The auditing solution uses PostgreSQL runtime parameters to pass metadata such as who made the change from the app to the audit system. The parameters currently used now are `audit_star.changed_by` and `audit_star.changed_reason`. These are defaults that must be set at the database level, usually to an empty string. |
| 45 | +
|
| 46 | +
|
| 47 | + ALTER DATABASE <your-db-name> SET audit_star.changed_by TO ''; |
| 48 | + ALTER DATABASE <your-db-name> SET audit_star.change_reason TO ''; |
| 49 | +
|
| 50 | +
|
| 51 | +Be sure that the setting is bubbled down to staging and development environments. Otherwise the migrations builds/tests will fail. |
| 52 | +
|
| 53 | +Before using audit_star, database-specific configuration must be made to the ```audit.yml``` |
| 54 | +file. By default, audit_star will look in the current directory from which it is |
| 55 | +being executed, but the optional parameter ```-cfg``` allows the user to provide |
| 56 | +an alternative path to the ```audit.yml``` file. |
| 57 | +
|
| 58 | +The database-specific configuration along with accepted values are detailed in the |
| 59 | +example file provided in `audit.yml` (copied below). |
| 60 | +
|
| 61 | +
|
| 62 | + database config information |
| 63 | + host: database host name |
| 64 | + post: database port number; postgres default is 5432 |
| 65 | + db_name: database_name (name of the db to audit) |
| 66 | + username: database username used to connect |
| 67 | + password: databsase password used to connect |
| 68 | +
|
| 69 | + audit star config information |
| 70 | + excluded_tables: |
| 71 | + - exclude this_schema.this_table |
| 72 | + excluded_schemas: |
| 73 | + - exclude_this_schema |
| 74 | + owner: app__owner (only audit tables owned by this user, if not specified will audit *every* table it can) |
| 75 | + log_client_query: false (toggle logging of query that caused the change) |
| 76 | + security: definer/invoker (security level of audit function - usually definer on release to avoid race conditions with defining permissions) |
| 77 | +
|
| 78 | +
|
| 79 | +Installation |
| 80 | +
|
| 81 | +The preferred way to deploy Go binaries is using `go get` and `go install`. |
| 82 | +Optionally, you can clone the repo manually into your $GOPATH and run `go build`. |
| 83 | +
|
| 84 | +Since audit_star is written in [Go](https://golang.org/), in order to build audit_star you must have Go |
| 85 | +installed on your machine. Alternatively, you can build the binary on one machine |
| 86 | +and then copy the binary to a machine, as needed, before invoking it, assuming the |
| 87 | +machines share the same architecture. Go also supports [cross-compilation](https://dave.cheney.net/2012/09/08/an-introduction-to-cross-compilation-with-go) |
| 88 | +which allows you to build the binary on a machine with one architecture and run |
| 89 | +it on a machine with a completely different architecture. |
| 90 | +
|
| 91 | + Using `go get` (preferred) |
| 92 | +You can download audit_star by running `go get github.com/enova/audit_star`. |
| 93 | +This will download audit_star into your $GOPATH and install the binary into your $GOPATH/bin folder. |
| 94 | +If your $GOPATH/bin folder is in your $PATH then you can run audit_star from anywhere by executing `audit_star`. |
| 95 | +
|
| 96 | + Building with ```go build``` |
| 97 | +After cloning the git repo, ```cd``` into the directory and run ```go build```. Assuming your Go is set up properly, this will create an ```audit_star``` binary in the current directly. You can then execute this binary by executing ```./audit_star```. |
| 98 | +
|
| 99 | +Testing |
| 100 | +
|
| 101 | +Audit Star tests use seprate configuration and db migration |
| 102 | +
|
| 103 | +Usage |
| 104 | +
|
| 105 | +Install pgmgr |
| 106 | +
|
| 107 | + go get github.com/rnubel/pgmgr |
| 108 | +
|
| 109 | +Resetting DB and Run migration |
| 110 | +
|
| 111 | + pgmgr db drop || true |
| 112 | + pgmgr db create |
| 113 | + pgmgr db migrate |
| 114 | +
|
| 115 | +
|
| 116 | +Run tests |
| 117 | +
|
| 118 | + go test ./... |
| 119 | +
|
| 120 | +Note |
| 121 | +
|
| 122 | +Since the purpose of audit_star is to audit a database, in order to test this |
| 123 | +functionality, the provided tests create a test database by running the migration |
| 124 | +contained within the ```db/migrate``` folder. The migration was created and is |
| 125 | +run using the [pgmgr Go migration tool](https://github.com/rnubel/pgmgr). So while |
| 126 | +pgmgr is a dependency for the tests, it is not of dependency of audit_star itself. |
| 127 | +*/ |
| 128 | +package main |
| 129 | + |
| 130 | +/**/ |
0 commit comments