Skip logging script statements for create/alter extension.

PostgreSQL reports the statement text for each statement in the script as the entire script text, which can blow up the logs. The create/alter statement will still be logged. Since a superuser is responsible for determining which extensions are available, and in most cases installing them, it should not be necessary to log each statement in the script. Reported by Craig Kerstiens (@craigkerstiens). Reviewed by Joe Conway (@jconway), John Harvey (@crunchyjohn).
pgaudit · Feb 25, 2022 · 30996af · 30996af
1 parent e2f4d30
commit 30996af
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 2 deletions.
diff --git a/expected/pgaudit.out b/expected/pgaudit.out
@@ -1273,7 +1273,7 @@ LANGUAGE SQL AS 'SELECT (1/0)::bool';",<none>
 CREATE OPERATOR <> (FUNCTION = my_ne, LEFTARG = text, RIGHTARG = text);
 NOTICE:  AUDIT: SESSION,100,1,DDL,CREATE OPERATOR,,,"CREATE OPERATOR <> (FUNCTION = my_ne, LEFTARG = text, RIGHTARG = text);",<none>
 CREATE EXTENSION IF NOT EXISTS pgaudit;
-NOTICE:  AUDIT: SESSION,101,5,DDL,CREATE EXTENSION,,,CREATE EXTENSION IF NOT EXISTS pgaudit;,<none>
+NOTICE:  AUDIT: SESSION,101,1,DDL,CREATE EXTENSION,,,CREATE EXTENSION IF NOT EXISTS pgaudit;,<none>
 SET pgaudit.log = 'DDL';
 -- Put public schema before pg_catalog to capture unqualified references
 SET search_path = public, pg_catalog;
@@ -1288,6 +1288,18 @@ DROP OPERATOR <> (text, text);
 DROP FUNCTION my_ne(text, text);
 DROP FUNCTION lower(text);
 DROP FUNCTION upper(text);
+-- Create/drop extension. Note that the log level here must be warning because the create extension code will reset any higher log
+-- levels like notice
+SET pgaudit.log = 'all,-misc_set';
+SET pgaudit.log_level = 'warning';
+CREATE EXTENSION pg_stat_statements;
+WARNING:  AUDIT: SESSION,104,1,DDL,CREATE EXTENSION,,,CREATE EXTENSION pg_stat_statements;,<none>
+ALTER EXTENSION pg_stat_statements UPDATE TO '1.8';
+WARNING:  AUDIT: SESSION,105,1,DDL,ALTER EXTENSION,,,ALTER EXTENSION pg_stat_statements UPDATE TO '1.8';,<none>
+NOTICE:  version "1.8" of extension "pg_stat_statements" is already installed
+DROP EXTENSION pg_stat_statements;
+WARNING:  AUDIT: SESSION,106,1,DDL,DROP EXTENSION,,,DROP EXTENSION pg_stat_statements;,<none>
+SET pgaudit.log_level = 'notice';
 -- Cleanup
 -- Set client_min_messages up to warning to avoid noise
 SET client_min_messages = 'warning';

diff --git a/pgaudit.c b/pgaudit.c
@@ -19,6 +19,7 @@
 #include "catalog/pg_class.h"
 #include "catalog/namespace.h"
 #include "commands/dbcommands.h"
+#include "commands/extension.h"
 #include "catalog/pg_proc.h"
 #include "commands/event_trigger.h"
 #include "executor/executor.h"
@@ -454,6 +455,19 @@ log_audit_event(AuditEventStackItem *stackItem)
     MemoryContext contextOld;
     StringInfoData auditStr;
 
+    /*
+     * Skip logging script statements if an extension is currently being created
+     * or altered. PostgreSQL reports the statement text for each statement in
+     * the script as the entire script text, which can blow up the logs. The
+     * create/alter statement will still be logged.
+     *
+     * Since a superuser is responsible for determining which extensions are
+     * available, and in most cases installing them, it should not be necessary
+     * to log each statement in the script.
+     */
+    if (creating_extension)
+        return;
+
     /* If this event has already been logged don't log it again */
     if (stackItem->auditEvent.logged)
         return;
@@ -1389,6 +1403,18 @@ pgaudit_ProcessUtility_hook(PlannedStmt *pstmt,
             !IsAbortedTransactionBlockState())
             log_audit_event(stackItem);
 
+        /*
+         * If this is a create/alter extension command log it before calling
+         * the next ProcessUtility hook. Otherwise, any warnings will be emitted
+         * before the create/alter is logged and errors will prevent it from
+         * being logged at all.
+         */
+        if (auditLogBitmap & LOG_DDL &&
+            (stackItem->auditEvent.commandTag == T_CreateExtensionStmt ||
+                stackItem->auditEvent.commandTag == T_AlterExtensionStmt) &&
+            !IsAbortedTransactionBlockState())
+            log_audit_event(stackItem);
+
         /*
          * A close will free the open cursor which will also free the close
          * audit entry. Immediately log the close and set stackItem to NULL so

diff --git a/sql/pgaudit.sql b/sql/pgaudit.sql
@@ -889,6 +889,17 @@ DROP FUNCTION my_ne(text, text);
 DROP FUNCTION lower(text);
 DROP FUNCTION upper(text);
 
+-- Create/drop extension. Note that the log level here must be warning because the create extension code will reset any higher log
+-- levels like notice
+SET pgaudit.log = 'all,-misc_set';
+SET pgaudit.log_level = 'warning';
+
+CREATE EXTENSION pg_stat_statements;
+ALTER EXTENSION pg_stat_statements UPDATE TO '1.8';
+DROP EXTENSION pg_stat_statements;
+
+SET pgaudit.log_level = 'notice';
+
 -- Cleanup
 -- Set client_min_messages up to warning to avoid noise
 SET client_min_messages = 'warning';

diff --git a/test/Dockerfile.rhel b/test/Dockerfile.rhel
@@ -21,7 +21,8 @@ RUN useradd -m -u $UID -g $GID -o -s /bin/bash postgres
 # Install PostgreSQL
 RUN rpm --import http://yum.postgresql.org/RPM-GPG-KEY-PGDG
 RUN rpm -ivh https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm
-RUN yum install -y postgresql${PGVERSION?}-server postgresql${PGVERSION?}-devel make gcc openssl-devel llvm-toolset-7-clang llvm5.0
+RUN yum install -y postgresql${PGVERSION?}-server postgresql${PGVERSION?}-devel postgresql${PGVERSION?}-contrib \
+                   make gcc openssl-devel llvm-toolset-7-clang llvm5.0
 
 # Create PostgreSQL cluster
 RUN sudo -u postgres ${PGBIN?}/initdb -A trust -k ${PGDATA?}