Commit 8a2e1edd authored by Stephen Frost's avatar Stephen Frost

Further fixes for the buildfarm for pg_audit

Also, use a function to load the extension ahead of all other calls,
simulating load from shared_preload_libraries, to make sure the
hooks are in place before logging starts.
parent c703b1e6
...@@ -6,7 +6,7 @@ OBJS = pg_audit.o ...@@ -6,7 +6,7 @@ OBJS = pg_audit.o
EXTENSION = pg_audit EXTENSION = pg_audit
REGRESS = pg_audit REGRESS = pg_audit
REGRESS_OPTS = --temp-config=$(top_srcdir)/contrib/pg_audit/pg_audit.conf REGRESS_OPTS =
DATA = pg_audit--1.0.0.sql DATA = pg_audit--1.0.0.sql
ifdef USE_PGXS ifdef USE_PGXS
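Review bot: Clearing `REGRESS_OPTS` drops the `--temp-config` that pointed at `contrib/pg_audit/pg_audit.conf`, so the regression run no longer starts the server with that configuration. If that file set `shared_preload_libraries` (its contents are not visible here), the preload path that production installs of an audit extension rely on is now untested. The empty `REGRESS_OPTS =` assignment could simply be deleted, and `pg_audit.conf` removed if nothing else references it. A short comment above `REGRESS` would help, for example `# pg_audit is loaded per session by the regression script, not through --temp-config`.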
......
...@@ -17,7 +17,27 @@ create extension pg_audit; ...@@ -17,7 +17,27 @@ create extension pg_audit;
CREATE USER super SUPERUSER; CREATE USER super SUPERUSER;
ALTER ROLE super SET pg_audit.log = 'Role'; ALTER ROLE super SET pg_audit.log = 'Role';
ALTER ROLE super SET pg_audit.log_level = 'notice'; ALTER ROLE super SET pg_audit.log_level = 'notice';
CREATE FUNCTION load_pg_audit( )
RETURNS VOID
LANGUAGE plpgsql
SECURITY DEFINER
AS $function$
declare
begin
LOAD 'pg_audit';
end;
$function$;
-- After each connect, we need to load pg_audit, as if it was
-- being loaded from shared_preload_libraries. Otherwise, the hooks
-- won't be set up and called correctly, leading to lots of ugly
-- errors.
\connect - super; \connect - super;
select load_pg_audit();
load_pg_audit
---------------
(1 row)
-- --
-- Create auditor role -- Create auditor role
CREATE ROLE auditor; CREATE ROLE auditor;
...@@ -33,6 +53,12 @@ NOTICE: AUDIT: SESSION,4,1,ROLE,ALTER ROLE,,,ALTER ROLE user1 SET pg_audit.log_ ...@@ -33,6 +53,12 @@ NOTICE: AUDIT: SESSION,4,1,ROLE,ALTER ROLE,,,ALTER ROLE user1 SET pg_audit.log_
-- --
-- Create, select, drop (select will not be audited) -- Create, select, drop (select will not be audited)
\connect - user1 \connect - user1
select load_pg_audit();
load_pg_audit
---------------
(1 row)
CREATE TABLE public.test (id INT); CREATE TABLE public.test (id INT);
NOTICE: AUDIT: SESSION,1,1,DDL,CREATE TABLE,TABLE,public.test,CREATE TABLE public.test (id INT);,<not logged> NOTICE: AUDIT: SESSION,1,1,DDL,CREATE TABLE,TABLE,public.test,CREATE TABLE public.test (id INT);,<not logged>
SELECT * FROM test; SELECT * FROM test;
...@@ -45,6 +71,12 @@ NOTICE: AUDIT: SESSION,2,1,DDL,DROP TABLE,TABLE,public.test,DROP TABLE test;,<n ...@@ -45,6 +71,12 @@ NOTICE: AUDIT: SESSION,2,1,DDL,DROP TABLE,TABLE,public.test,DROP TABLE test;,<n
-- --
-- Create second test user -- Create second test user
\connect - super \connect - super
select load_pg_audit();
load_pg_audit
---------------
(1 row)
CREATE USER user2; CREATE USER user2;
NOTICE: AUDIT: SESSION,1,1,ROLE,CREATE ROLE,,,CREATE USER user2;,<not logged> NOTICE: AUDIT: SESSION,1,1,ROLE,CREATE ROLE,,,CREATE USER user2;,<not logged>
ALTER ROLE user2 SET pg_audit.log = 'Read, writE'; ALTER ROLE user2 SET pg_audit.log = 'Read, writE';
...@@ -58,6 +90,12 @@ NOTICE: AUDIT: SESSION,5,1,ROLE,ALTER ROLE,,,ALTER ROLE user2 SET pg_audit.role ...@@ -58,6 +90,12 @@ NOTICE: AUDIT: SESSION,5,1,ROLE,ALTER ROLE,,,ALTER ROLE user2 SET pg_audit.role
ALTER ROLE user2 SET pg_audit.log_statement_once = ON; ALTER ROLE user2 SET pg_audit.log_statement_once = ON;
NOTICE: AUDIT: SESSION,6,1,ROLE,ALTER ROLE,,,ALTER ROLE user2 SET pg_audit.log_statement_once = ON;,<not logged> NOTICE: AUDIT: SESSION,6,1,ROLE,ALTER ROLE,,,ALTER ROLE user2 SET pg_audit.log_statement_once = ON;,<not logged>
\connect - user2 \connect - user2
select load_pg_audit();
load_pg_audit
---------------
(1 row)
CREATE TABLE test2 (id INT); CREATE TABLE test2 (id INT);
GRANT SELECT ON TABLE public.test2 TO auditor; GRANT SELECT ON TABLE public.test2 TO auditor;
-- --
...@@ -204,9 +242,21 @@ WARNING: AUDIT: OBJECT,6,1,WRITE,INSERT,TABLE,public.test2,<previously logged>, ...@@ -204,9 +242,21 @@ WARNING: AUDIT: OBJECT,6,1,WRITE,INSERT,TABLE,public.test2,<previously logged>,
-- --
-- Change permissions of user 2 so that only object logging will be done -- Change permissions of user 2 so that only object logging will be done
\connect - super \connect - super
select load_pg_audit();
load_pg_audit
---------------
(1 row)
alter role user2 set pg_audit.log = 'NONE'; alter role user2 set pg_audit.log = 'NONE';
NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user2 set pg_audit.log = 'NONE';,<not logged> NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user2 set pg_audit.log = 'NONE';,<not logged>
\connect - user2 \connect - user2
select load_pg_audit();
load_pg_audit
---------------
(1 row)
-- --
-- Create test4 and add permissions -- Create test4 and add permissions
CREATE TABLE test4 CREATE TABLE test4
...@@ -279,9 +329,21 @@ DROP TABLE test4; ...@@ -279,9 +329,21 @@ DROP TABLE test4;
-- --
-- Change permissions of user 1 so that session logging will be done -- Change permissions of user 1 so that session logging will be done
\connect - super \connect - super
select load_pg_audit();
load_pg_audit
---------------
(1 row)
alter role user1 set pg_audit.log = 'DDL, READ'; alter role user1 set pg_audit.log = 'DDL, READ';
NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,"alter role user1 set pg_audit.log = 'DDL, READ';",<not logged> NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,"alter role user1 set pg_audit.log = 'DDL, READ';",<not logged>
\connect - user1 \connect - user1
select load_pg_audit();
load_pg_audit
---------------
(1 row)
-- --
-- Create table is session logged -- Create table is session logged
CREATE TABLE public.account CREATE TABLE public.account
...@@ -315,11 +377,23 @@ INSERT INTO account (id, name, password, description) ...@@ -315,11 +377,23 @@ INSERT INTO account (id, name, password, description)
-- --
-- Change permissions of user 1 so that only object logging will be done -- Change permissions of user 1 so that only object logging will be done
\connect - super \connect - super
select load_pg_audit();
load_pg_audit
---------------
(1 row)
alter role user1 set pg_audit.log = 'none'; alter role user1 set pg_audit.log = 'none';
NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.log = 'none';,<not logged> NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.log = 'none';,<not logged>
alter role user1 set pg_audit.role = 'auditor'; alter role user1 set pg_audit.role = 'auditor';
NOTICE: AUDIT: SESSION,2,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.role = 'auditor';,<not logged> NOTICE: AUDIT: SESSION,2,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.role = 'auditor';,<not logged>
\connect - user1 \connect - user1
select load_pg_audit();
load_pg_audit
---------------
(1 row)
-- --
-- ROLE class not set, so auditor grants not logged -- ROLE class not set, so auditor grants not logged
GRANT SELECT (password), GRANT SELECT (password),
...@@ -362,11 +436,23 @@ NOTICE: AUDIT: OBJECT,2,1,WRITE,UPDATE,TABLE,public.account,"UPDATE account ...@@ -362,11 +436,23 @@ NOTICE: AUDIT: OBJECT,2,1,WRITE,UPDATE,TABLE,public.account,"UPDATE account
-- --
-- Change permissions of user 1 so that session relation logging will be done -- Change permissions of user 1 so that session relation logging will be done
\connect - super \connect - super
select load_pg_audit();
load_pg_audit
---------------
(1 row)
alter role user1 set pg_audit.log_relation = on; alter role user1 set pg_audit.log_relation = on;
NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.log_relation = on;,<not logged> NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.log_relation = on;,<not logged>
alter role user1 set pg_audit.log = 'read, WRITE'; alter role user1 set pg_audit.log = 'read, WRITE';
NOTICE: AUDIT: SESSION,2,1,ROLE,ALTER ROLE,,,"alter role user1 set pg_audit.log = 'read, WRITE';",<not logged> NOTICE: AUDIT: SESSION,2,1,ROLE,ALTER ROLE,,,"alter role user1 set pg_audit.log = 'read, WRITE';",<not logged>
\connect - user1 \connect - user1
select load_pg_audit();
load_pg_audit
---------------
(1 row)
-- --
-- Not logged -- Not logged
create table ACCOUNT_ROLE_MAP create table ACCOUNT_ROLE_MAP
...@@ -461,6 +547,12 @@ NOTICE: AUDIT: SESSION,5,1,WRITE,UPDATE,TABLE,public.account,"UPDATE account ...@@ -461,6 +547,12 @@ NOTICE: AUDIT: SESSION,5,1,WRITE,UPDATE,TABLE,public.account,"UPDATE account
-- --
-- Change back to superuser to do exhaustive tests -- Change back to superuser to do exhaustive tests
\connect - super \connect - super
select load_pg_audit();
load_pg_audit
---------------
(1 row)
SET pg_audit.log = 'ALL'; SET pg_audit.log = 'ALL';
NOTICE: AUDIT: SESSION,1,1,MISC,SET,,,SET pg_audit.log = 'ALL';,<not logged> NOTICE: AUDIT: SESSION,1,1,MISC,SET,,,SET pg_audit.log = 'ALL';,<not logged>
SET pg_audit.log_level = 'notice'; SET pg_audit.log_level = 'notice';
......
...@@ -19,7 +19,24 @@ create extension pg_audit; ...@@ -19,7 +19,24 @@ create extension pg_audit;
CREATE USER super SUPERUSER; CREATE USER super SUPERUSER;
ALTER ROLE super SET pg_audit.log = 'Role'; ALTER ROLE super SET pg_audit.log = 'Role';
ALTER ROLE super SET pg_audit.log_level = 'notice'; ALTER ROLE super SET pg_audit.log_level = 'notice';
CREATE FUNCTION load_pg_audit( )
RETURNS VOID
LANGUAGE plpgsql
SECURITY DEFINER
AS $function$
declare
begin
LOAD 'pg_audit';
end;
$function$;
-- After each connect, we need to load pg_audit, as if it was
-- being loaded from shared_preload_libraries. Otherwise, the hooks
-- won't be set up and called correctly, leading to lots of ugly
-- errors.
\connect - super; \connect - super;
select load_pg_audit();
-- --
-- Create auditor role -- Create auditor role
...@@ -34,6 +51,7 @@ ALTER ROLE user1 SET pg_audit.log_level = 'notice'; ...@@ -34,6 +51,7 @@ ALTER ROLE user1 SET pg_audit.log_level = 'notice';
-- --
-- Create, select, drop (select will not be audited) -- Create, select, drop (select will not be audited)
\connect - user1 \connect - user1
select load_pg_audit();
CREATE TABLE public.test (id INT); CREATE TABLE public.test (id INT);
SELECT * FROM test; SELECT * FROM test;
DROP TABLE test; DROP TABLE test;
...@@ -41,6 +59,7 @@ DROP TABLE test; ...@@ -41,6 +59,7 @@ DROP TABLE test;
-- --
-- Create second test user -- Create second test user
\connect - super \connect - super
select load_pg_audit();
CREATE USER user2; CREATE USER user2;
ALTER ROLE user2 SET pg_audit.log = 'Read, writE'; ALTER ROLE user2 SET pg_audit.log = 'Read, writE';
...@@ -50,6 +69,7 @@ ALTER ROLE user2 SET pg_audit.role = auditor; ...@@ -50,6 +69,7 @@ ALTER ROLE user2 SET pg_audit.role = auditor;
ALTER ROLE user2 SET pg_audit.log_statement_once = ON; ALTER ROLE user2 SET pg_audit.log_statement_once = ON;
\connect - user2 \connect - user2
select load_pg_audit();
CREATE TABLE test2 (id INT); CREATE TABLE test2 (id INT);
GRANT SELECT ON TABLE public.test2 TO auditor; GRANT SELECT ON TABLE public.test2 TO auditor;
...@@ -149,9 +169,11 @@ UPDATE test3 ...@@ -149,9 +169,11 @@ UPDATE test3
-- --
-- Change permissions of user 2 so that only object logging will be done -- Change permissions of user 2 so that only object logging will be done
\connect - super \connect - super
select load_pg_audit();
alter role user2 set pg_audit.log = 'NONE'; alter role user2 set pg_audit.log = 'NONE';
\connect - user2 \connect - user2
select load_pg_audit();
-- --
-- Create test4 and add permissions -- Create test4 and add permissions
...@@ -222,8 +244,10 @@ DROP TABLE test4; ...@@ -222,8 +244,10 @@ DROP TABLE test4;
-- --
-- Change permissions of user 1 so that session logging will be done -- Change permissions of user 1 so that session logging will be done
\connect - super \connect - super
select load_pg_audit();
alter role user1 set pg_audit.log = 'DDL, READ'; alter role user1 set pg_audit.log = 'DDL, READ';
\connect - user1 \connect - user1
select load_pg_audit();
-- --
-- Create table is session logged -- Create table is session logged
...@@ -248,9 +272,11 @@ INSERT INTO account (id, name, password, description) ...@@ -248,9 +272,11 @@ INSERT INTO account (id, name, password, description)
-- --
-- Change permissions of user 1 so that only object logging will be done -- Change permissions of user 1 so that only object logging will be done
\connect - super \connect - super
select load_pg_audit();
alter role user1 set pg_audit.log = 'none'; alter role user1 set pg_audit.log = 'none';
alter role user1 set pg_audit.role = 'auditor'; alter role user1 set pg_audit.role = 'auditor';
\connect - user1 \connect - user1
select load_pg_audit();
-- --
-- ROLE class not set, so auditor grants not logged -- ROLE class not set, so auditor grants not logged
...@@ -285,9 +311,11 @@ UPDATE account ...@@ -285,9 +311,11 @@ UPDATE account
-- --
-- Change permissions of user 1 so that session relation logging will be done -- Change permissions of user 1 so that session relation logging will be done
\connect - super \connect - super
select load_pg_audit();
alter role user1 set pg_audit.log_relation = on; alter role user1 set pg_audit.log_relation = on;
alter role user1 set pg_audit.log = 'read, WRITE'; alter role user1 set pg_audit.log = 'read, WRITE';
\connect - user1 \connect - user1
select load_pg_audit();
-- --
-- Not logged -- Not logged
...@@ -345,6 +373,7 @@ UPDATE account ...@@ -345,6 +373,7 @@ UPDATE account
-- --
-- Change back to superuser to do exhaustive tests -- Change back to superuser to do exhaustive tests
\connect - super \connect - super
select load_pg_audit();
SET pg_audit.log = 'ALL'; SET pg_audit.log = 'ALL';
SET pg_audit.log_level = 'notice'; SET pg_audit.log_level = 'notice';
SET pg_audit.log_relation = ON; SET pg_audit.log_relation = ON;
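Review bot: `load_pg_audit()` in the first hunk is a `SECURITY DEFINER` function created before the first `\connect`, so it appears to be owned by the superuser that runs the test, yet it carries no `SET search_path` clause and no comment saying why definer rights are needed. The body is a single `LOAD` of a literal name, so the exposure is small, but test scripts get copied; adding `SET search_path = pg_catalog, pg_temp` after `SECURITY DEFINER` keeps it in line with the usual rule for definer functions. A comment such as `-- SECURITY DEFINER: user1 and user2 are not superusers and could not LOAD pg_audit themselves` (to be confirmed against where the library is installed) would record the reason. The empty `declare` section can be dropped, and whether the function is dropped again at the end of the script is not visible in these hunks. The same definition appears in the expected-output section above.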
......