Merge cockroachdb#107282

craig[bot] · yuzefovich · craig[bot] · commit 73f51aac2ddb · 2023-07-21T20:04:02.000Z
107282: sql: do not audit internal executors r=yuzefovich a=yuzefovich

Previously, we were using `planner.isInternalPlanner` to check whether audit logging should be applied, but that field is not set for internal executors, and I believe IE should be excluded from audit too.

Epic: None

Release note: None

Co-authored-by: Yahor Yuzefovich &lt;yahor@cockroachlabs.com&gt;
diff --git a/pkg/sql/audit_logging.go b/pkg/sql/audit_logging.go
@@ -39,9 +39,9 @@ func (p *planner) maybeAuditSensitiveTableAccessEvent(
 	)
 }
 
-func (p *planner) maybeAuditRoleBasedAuditEvent(ctx context.Context) {
+func (p *planner) maybeAuditRoleBasedAuditEvent(ctx context.Context, execType executorType) {
 	// Avoid doing audit work if not necessary.
-	if p.shouldNotRoleBasedAudit() {
+	if p.shouldNotRoleBasedAudit(execType) {
 		return
 	}
 
@@ -114,10 +114,16 @@ func (p *planner) initializeReducedAuditConfig(ctx context.Context) {
 	p.reducedAuditConfig.AuditSetting = p.AuditConfig().GetMatchingAuditSetting(userRoles, user)
 }
 
-// shouldNotRoleBasedAudit checks if we should do any auditing work for RoleBasedAuditEvents.
-func (p *planner) shouldNotRoleBasedAudit() bool {
+// shouldNotRoleBasedAudit checks if we should do any auditing work for
+// RoleBasedAuditEvents.
+func (p *planner) shouldNotRoleBasedAudit(execType executorType) bool {
 	// Do not do audit work if role-based auditing is not enabled.
-	// Do not emit audit events for reserved users/roles. This does not omit the root user.
+	// Do not emit audit events for reserved users/roles. This does not omit the
+	// root user.
 	// Do not emit audit events for internal planners.
-	return !auditlogging.UserAuditEnabled(p.execCfg.Settings, p.EvalContext().ClusterID) || p.User().IsReserved() || p.isInternalPlanner
+	// Do not emit audit events for internal executors.
+	return !auditlogging.UserAuditEnabled(p.execCfg.Settings, p.EvalContext().ClusterID) ||
+		p.User().IsReserved() ||
+		p.isInternalPlanner ||
+		execType == executorTypeInternal
 }
diff --git a/pkg/sql/exec_log.go b/pkg/sql/exec_log.go
@@ -131,7 +131,7 @@ func (p *planner) maybeLogStatement(
 	queryStats *topLevelQueryStats,
 	statsCollector sqlstats.StatsCollector,
 ) {
-	p.maybeAuditRoleBasedAuditEvent(ctx)
+	p.maybeAuditRoleBasedAuditEvent(ctx, execType)
 	p.maybeLogStatementInternal(ctx, execType, isCopy, numRetries, txnCounter,
 		rows, bulkJobId, err, queryReceived, hasAdminRoleCache,
 		telemetryLoggingMetrics, stmtFingerprintID, queryStats, statsCollector,

Original file line number	Diff line number	Diff line change
`@@ -39,9 +39,9 @@ func (p *planner) maybeAuditSensitiveTableAccessEvent(`
`39`	`39`	`)`
`40`	`40`	`}`
`41`	`41`
`42`		`-func (p *planner) maybeAuditRoleBasedAuditEvent(ctx context.Context) {`
	`42`	`+func (p *planner) maybeAuditRoleBasedAuditEvent(ctx context.Context, execType executorType) {`
`43`	`43`	`// Avoid doing audit work if not necessary.`
`44`		`- if p.shouldNotRoleBasedAudit() {`
	`44`	`+ if p.shouldNotRoleBasedAudit(execType) {`
`45`	`45`	`return`
`46`	`46`	`}`
`47`	`47`
`@@ -114,10 +114,16 @@ func (p *planner) initializeReducedAuditConfig(ctx context.Context) {`
`114`	`114`	`p.reducedAuditConfig.AuditSetting = p.AuditConfig().GetMatchingAuditSetting(userRoles, user)`
`115`	`115`	`}`
`116`	`116`
`117`		`-// shouldNotRoleBasedAudit checks if we should do any auditing work for RoleBasedAuditEvents.`
`118`		`-func (p *planner) shouldNotRoleBasedAudit() bool {`
	`117`	`+// shouldNotRoleBasedAudit checks if we should do any auditing work for`
	`118`	`+// RoleBasedAuditEvents.`
	`119`	`+func (p *planner) shouldNotRoleBasedAudit(execType executorType) bool {`
`119`	`120`	`// Do not do audit work if role-based auditing is not enabled.`
`120`		`- // Do not emit audit events for reserved users/roles. This does not omit the root user.`
	`121`	`+ // Do not emit audit events for reserved users/roles. This does not omit the`
	`122`	`+ // root user.`
`121`	`123`	`// Do not emit audit events for internal planners.`
`122`		`- return !auditlogging.UserAuditEnabled(p.execCfg.Settings, p.EvalContext().ClusterID) \|\| p.User().IsReserved() \|\| p.isInternalPlanner`
	`124`	`+ // Do not emit audit events for internal executors.`
	`125`	`+ return !auditlogging.UserAuditEnabled(p.execCfg.Settings, p.EvalContext().ClusterID) \|\|`
	`126`	`+ p.User().IsReserved() \|\|`
	`127`	`+ p.isInternalPlanner \|\|`
	`128`	`+ execType == executorTypeInternal`
`123`	`129`	`}`