[MySQL] Added Agent settings to log original unobfuscated strings (#1…

…2941) * [MySQL] Added Agent settings to log original unobfuscated strings * Adjusted obfuscation error logging to be more consistent
DataDog · Sep 29, 2022 · 61e6c70 · 61e6c70
1 parent d52ab0e
commit 61e6c70
Show file tree

Hide file tree

Showing 7 changed files with 51 additions and 8 deletions.
diff --git a/mysql/assets/configuration/spec.yaml b/mysql/assets/configuration/spec.yaml
@@ -603,6 +603,26 @@ files:
                   type: boolean
                   example: true
                   display_default: true
+          - name: log_unobfuscated_queries
+            hidden: true
+            description: |
+              Set to `true` to enable logging of original unobfuscated SQL queries when obfuscation errors occur.
+              For security purposes, it is recommended to use this option for debugging only when requested by Datadog Support.
+              Note: This option only applies when `dbm` is enabled.
+            value:
+              type: boolean
+              example: false
+              display_default: false
+          - name: log_unobfuscated_plans
+            hidden: true
+            description: |
+              Set to `true` to enable logging of original unobfuscated SQL plans when obfuscation errors occur.
+              For security purposes, it is recommended to use this option for debugging only when requested by Datadog Support.
+              Note: This option only applies when `dbm` is enabled.
+            value:
+              type: boolean
+              example: false
+              display_default: false
           - template: instances/default
             overrides:
               disable_generic_tags.hidden: false

diff --git a/mysql/datadog_checks/mysql/activity.py b/mysql/datadog_checks/mysql/activity.py
@@ -205,8 +205,11 @@ def _obfuscate_and_sanitize_row(self, row):
         try:
             self._finalize_row(row, obfuscate_sql_with_metadata(row["sql_text"], self._obfuscator_options))
         except Exception as e:
+            if self._config.log_unobfuscated_queries:
+                self._log.warning("Failed to obfuscate query=[%s] | err=[%s]", row["sql_text"], e)
+            else:
+                self._log.debug("Failed to obfuscate query | err=[%s]", e)
             row["sql_text"] = "ERROR: failed to obfuscate"
-            self._log.debug("Failed to obfuscate | err=[%s]", e)
         return row
 
     @staticmethod

diff --git a/mysql/datadog_checks/mysql/config.py b/mysql/datadog_checks/mysql/config.py
@@ -69,6 +69,8 @@ def __init__(self, instance):
             'collect_commands': is_affirmative(obfuscator_options_config.get('collect_commands', True)),
             'collect_comments': is_affirmative(obfuscator_options_config.get('collect_comments', True)),
         }
+        self.log_unobfuscated_queries = is_affirmative(instance.get('log_unobfuscated_queries', False))
+        self.log_unobfuscated_plans = is_affirmative(instance.get('log_unobfuscated_plans', False))
         self.configuration_checks()
 
     def _build_tags(self, custom_tags):

diff --git a/mysql/datadog_checks/mysql/config_models/defaults.py b/mysql/datadog_checks/mysql/config_models/defaults.py
@@ -70,6 +70,14 @@ def instance_host(field, value):
     return get_default_field_value(field, value)
 
 
+def instance_log_unobfuscated_plans(field, value):
+    return False
+
+
+def instance_log_unobfuscated_queries(field, value):
+    return False
+
+
 def instance_max_custom_queries(field, value):
     return 20
 

diff --git a/mysql/datadog_checks/mysql/config_models/instance.py b/mysql/datadog_checks/mysql/config_models/instance.py
@@ -152,6 +152,8 @@ class Config:
     empty_default_hostname: Optional[bool]
     gcp: Optional[Gcp]
     host: Optional[str]
+    log_unobfuscated_plans: Optional[bool]
+    log_unobfuscated_queries: Optional[bool]
     max_custom_queries: Optional[int]
     metric_patterns: Optional[MetricPatterns]
     min_collection_interval: Optional[float]

diff --git a/mysql/datadog_checks/mysql/statement_samples.py b/mysql/datadog_checks/mysql/statement_samples.py
@@ -491,10 +491,13 @@ def _collect_plan_for_statement(self, row):
         try:
             statement = obfuscate_sql_with_metadata(row['sql_text'], self._obfuscate_options)
             statement_digest_text = obfuscate_sql_with_metadata(row['digest_text'], self._obfuscate_options)
-        except Exception:
-            # do not log the raw sql_text to avoid leaking sensitive data into logs. digest_text is safe as parameters
-            # are obfuscated by the database
-            self._log.debug("Failed to obfuscate statement: %s", row['digest_text'])
+        except Exception as e:
+            # do not log raw sql_text to avoid leaking sensitive data into logs unless log_unobfuscated_queries is set
+            # digest_text is safe as parameters are obfuscated by the database
+            if self._config.log_unobfuscated_queries:
+                self._log.warning("Failed to obfuscate query=[%s] | err=[%s]", row['sql_text'], e)
+            else:
+                self._log.debug("Failed to obfuscate query=[%s] | err=[%s]", row['digest_text'], e)
             self._check.count(
                 "dd.mysql.query_samples.error",
                 1,
@@ -537,8 +540,13 @@ def _collect_plan_for_statement(self, row):
 
         normalized_plan, obfuscated_plan, plan_signature = None, None, None
         if plan:
-            normalized_plan = datadog_agent.obfuscate_sql_exec_plan(plan, normalize=True) if plan else None
-            obfuscated_plan = datadog_agent.obfuscate_sql_exec_plan(plan)
+            try:
+                normalized_plan = datadog_agent.obfuscate_sql_exec_plan(plan, normalize=True) if plan else None
+                obfuscated_plan = datadog_agent.obfuscate_sql_exec_plan(plan)
+            except Exception as e:
+                if self._config.log_unobfuscated_plans:
+                    self._log.warning("Failed to obfuscate plan=[%s] | err=[%s]", plan, e)
+                raise e
             plan_signature = compute_exec_plan_signature(normalized_plan)
 
         query_plan_cache_key = (query_cache_key, plan_signature)

diff --git a/mysql/datadog_checks/mysql/statements.py b/mysql/datadog_checks/mysql/statements.py
@@ -202,7 +202,7 @@ def _normalize_queries(self, rows):
                 statement = obfuscate_sql_with_metadata(row['digest_text'], self._obfuscate_options)
                 obfuscated_statement = statement['query'] if row['digest_text'] is not None else None
             except Exception as e:
-                self.log.warning("Failed to obfuscate query '%s': %s", row['digest_text'], e)
+                self.log.warning("Failed to obfuscate query=[%s] | err=[%s]", row['digest_text'], e)
                 continue
 
             normalized_row['digest_text'] = obfuscated_statement