sql: extend SQL audit logging to "operations run by admin users" #58334
Comments
cc @thtruo for prioritization - can you remind us if this was part of our preferred customer's asks and whether this should be included in v21.1?
Yeah this was a request from at least one of our customers. And FWIW the SRE team would find this useful as well. It sounds like your first phase proposal would go a long way in improving that experience. Getting this into v21.1 would be ideal
@solongordon Can we swap this for #57965 as @RichardJCai's starter project? @thtruo shared that this is needed for 21.1 over the other issue
Both are important. I would suggest to make Richard aware of both. I can chime in and support with an incidental effort to ensure both get completed.
Discussed with @aaron-crl and the CC SIAM team:

Once we start pushing users to define custom roles with restricted privileges to do various DBA tasks (principle of least privilege), we expect + want usage of the `admin` special (superuser) role to diminish.

In a state-of-the-art deployment, this should be so true that any uses of SQL by the `admin` role should become extremely rare and should be treated as suspicious by security-minded administrators.

Therefore, SQL usage by `admin` users should become more noticeable.

In the same way that unix systems heavily log usage of `sudo` and `su`, we should thus build logging of operations performed by users carrying the `admin` role.

The way we'd introduce this is likely in two phases:

- in a first phase, we'd start de-emphasizing direct use of the `admin` role in docs, and add a new cluster setting e.g. `security.admin_log.enable` which, when enabled, causes all `admin` operations to be logged.
- in a second phase, create non-`admin` special users/roles in new clusters, encourage users to use that instead, and make the logging setting default to true in new clusters.