executor: remove sensitive information in slow-log and statement (#18107) #18130

Merged
merged 2 commits into from
Jun 19, 2020
11 changes: 8 additions & 3 deletions executor/adapter.go
Expand Up @@ -805,7 +805,7 @@ func (a *ExecStmt) LogSlowQuery(txnTS uint64, succ bool, hasMoreResults bool) {
level := log.GetLevel()
cfg := config.GetGlobalConfig()
costTime := time.Since(sessVars.StartTime) + sessVars.DurationParse
threshold := time.Duration(cfg.Log.SlowThreshold) * time.Millisecond
threshold := time.Duration(atomic.LoadUint64(&cfg.Log.SlowThreshold)) * time.Millisecond
enable := cfg.Log.EnableSlowLog
// if the level is Debug, print slow logs anyway
if (!enable || costTime < threshold) && level > zapcore.DebugLevel {
Expand All @@ -815,6 +815,8 @@ func (a *ExecStmt) LogSlowQuery(txnTS uint64, succ bool, hasMoreResults bool) {
normalizedSQL, digest := sessVars.StmtCtx.SQLDigest()
if sessVars.EnableSlowLogMasking {
sql = FormatSQL(normalizedSQL, nil)
} else if sensitiveStmt, ok := a.StmtNode.(ast.SensitiveStmtNode); ok {
sql = FormatSQL(sensitiveStmt.SecureText(), nil)
} else {
sql = FormatSQL(a.Text, sessVars.PreparedParams)
}
Expand Down Expand Up @@ -959,10 +961,13 @@ func (a *ExecStmt) SummaryStmt(succ bool) {
execDetail := stmtCtx.GetExecDetails()
copTaskInfo := stmtCtx.CopTasksDetails()
memMax := stmtCtx.MemTracker.MaxConsumed()

sql := a.Text
if sensitiveStmt, ok := a.StmtNode.(ast.SensitiveStmtNode); ok {
sql = sensitiveStmt.SecureText()
}
stmtsummary.StmtSummaryByDigestMap.AddStatement(&stmtsummary.StmtExecInfo{
SchemaName: strings.ToLower(sessVars.CurrentDB),
OriginalSQL: a.Text,
OriginalSQL: sql,
NormalizedSQL: normalizedSQL,
Digest: digest,
PrevSQL: prevSQL,
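Review bot: `PrevSQL: prevSQL` in the SummaryStmt hunk is still passed through as-is, so a sensitive statement that ran just before the one being summarised could reach the statement summary even though `OriginalSQL` now comes from `SecureText()`. Where `prevSQL` is assigned is outside the hunk, so this needs confirming against the full function; if it is built from the previous statement's raw text, it should go through the same redaction. The `a.StmtNode.(ast.SensitiveStmtNode)` assertion is now repeated in LogSlowQuery and SummaryStmt; one helper that both call, for example `func (a *ExecStmt) loggableText() string`, would keep every sink that records statement text on a single redaction path. Both functions start and end outside the visible hunks.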
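--- a/executor/executor_test.go
+++ b/executor/executor_test.go
@@ -20,6 +20,7 @@ import (
 "math"
 "net"
 "os"
+"path"
 "strconv"
 "strings"
 "sync"
@@ -5813,3 +5814,32 @@ func (s *testSuite1) TestDIVZeroInPartitionExpr(c *C) {
 tk.MustExec("set @@sql_mode='STRICT_ALL_TABLES,ERROR_FOR_DIVISION_BY_ZERO'")
 tk.MustGetErrCode("insert into t1 values (NULL), (0), (1)", mysql.ErrDivisionByZero)
 }
+
+func (s *testSuite) TestSlowQuerySensitiveQuery(c *C) {
+tk := testkit.NewTestKit(c, s.store)
+originCfg := config.GetGlobalConfig()
+newCfg := *originCfg
+newCfg.Log.SlowQueryFile = path.Join(os.TempDir(), "tidb-slow.log")
+config.StoreGlobalConfig(&newCfg)
+defer func() {
+tk.MustExec("set tidb_slow_log_threshold=300;")
+config.StoreGlobalConfig(originCfg)
+os.Remove(newCfg.Log.SlowQueryFile)
+}()
+err := logutil.InitLogger(newCfg.Log.ToLogConfig())
+c.Assert(err, IsNil)
+
+tk.MustExec("set tidb_slow_log_threshold=0;")
+tk.MustExec("drop user if exists user_sensitive;")
+tk.MustExec("create user user_sensitive identified by '123456789';")
+tk.MustExec("alter user 'user_sensitive'@'%' identified by 'abcdefg';")
+tk.MustExec("set password for 'user_sensitive'@'%' = 'xyzuvw';")
+tk.MustQuery("select query from `information_schema`.`slow_query` " +
+"where (query like 'set password%' or query like 'create user%' or query like 'alter user%') " +
+"and query like '%user_sensitive%' order by query;").
+Check(testkit.Rows(
+"alter user {user_sensitive@% password = ***};",
+"create user {user_sensitive@% password = ***};",
+"set password for user user_sensitive@%;",
+))
+}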
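Review bot: The slow-log file in TestSlowQuerySensitiveQuery is created under a fixed, predictable name in the shared temp directory (`path.Join(os.TempDir(), "tidb-slow.log")`), so concurrent runs of the suite on one host collide and, on a multi-user machine, the path may already exist under another account's control. A uniquely named file, e.g. `f, err := ioutil.TempFile("", "tidb-slow-*.log")` followed by `newCfg.Log.SlowQueryFile = f.Name()`, avoids both. The deferred cleanup restores the global config but not the logger, which still points at the file being removed; calling `logutil.InitLogger(originCfg.Log.ToLogConfig())` in the defer would return later tests to the original log configuration.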
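--- a/infoschema/tables_test.go
+++ b/infoschema/tables_test.go
@@ -1247,6 +1247,25 @@ func (s *testTableSuite) TestStmtSummaryPreparedStatements(c *C) {
 where digest_text like "select ?"`).Check(testkit.Rows("1"))
 }
 
+func (s *testTableSuite) TestStmtSummarySensitiveQuery(c *C) {
+tk := s.newTestKitWithRoot(c)
+tk.MustExec("set global tidb_enable_stmt_summary = 0")
+tk.MustExec("set global tidb_enable_stmt_summary = 1")
+tk.MustExec("drop user if exists user_sensitive;")
+tk.MustExec("create user user_sensitive identified by '123456789';")
+tk.MustExec("alter user 'user_sensitive'@'%' identified by 'abcdefg';")
+tk.MustExec("set password for 'user_sensitive'@'%' = 'xyzuvw';")
+tk.MustQuery("select query_sample_text from `information_schema`.`STATEMENTS_SUMMARY` " +
+"where query_sample_text like '%user_sensitive%' and " +
+"(query_sample_text like 'set password%' or query_sample_text like 'create user%' or query_sample_text like 'alter user%') " +
+"order by query_sample_text;").
+Check(testkit.Rows(
+"alter user {user_sensitive@% password = ***}",
+"create user {user_sensitive@% password = ***}",
+"set password for user user_sensitive@%",
+))
+}
+
 func (s *testTableSuite) TestPerformanceSchemaforPlanCache(c *C) {
 orgEnable := plannercore.PreparedPlanCacheEnabled()
 defer func() {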
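Review bot: The assertion in TestStmtSummarySensitiveQuery only inspects `query_sample_text`, so a password that reached STATEMENTS_SUMMARY through another text column would not fail this test. A complementary negative check that none of the three literals ('123456789', 'abcdefg', 'xyzuvw') appears in any text column of the table would pin the property the change is meant to guarantee, not just one rendering of it. The test also leaves `user_sensitive` behind; a deferred `tk.MustExec("drop user if exists user_sensitive;")` would keep later tests in the suite independent of it.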