forked from TencentBlueKing/blueking-dbm
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(mysql): mysql权限检查库 TencentBlueKing#8871
- Loading branch information
Showing
32 changed files
with
163,334 additions
and
34 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
67 changes: 34 additions & 33 deletions
67
dbm-services/mysql/db-tools/mysql-monitor/items-config.sql
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
168 changes: 168 additions & 0 deletions
168
dbm-services/mysql/db-tools/mysql-monitor/pkg/itemscollect/privcheck/checker.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,168 @@ | ||
package privcheck | ||
|
||
import ( | ||
"dbm-services/common/go-pubpkg/cmutil" | ||
"dbm-services/common/go-pubpkg/reportlog" | ||
"dbm-services/mysql/db-tools/mysql-monitor/pkg/config" | ||
"dbm-services/mysql/db-tools/mysql-monitor/pkg/internal/cst" | ||
"dbm-services/mysql/db-tools/mysql-monitor/pkg/itemscollect/privcheck/internal/checker" | ||
"dbm-services/mysql/db-tools/mysql-monitor/pkg/monitoriteminterface" | ||
"fmt" | ||
"log/slog" | ||
"os" | ||
"path/filepath" | ||
"time" | ||
|
||
"github.com/jmoiron/sqlx" | ||
"github.com/pkg/errors" | ||
) | ||
|
||
var name = "priv-check" | ||
|
||
type Checker struct { | ||
db *sqlx.DB | ||
az *checker.Analyzer | ||
} | ||
|
||
type reportType struct { | ||
BkBizId int `json:"bk_biz_id"` | ||
BkCloudId int `json:"bk_cloud_id"` | ||
ClusterDomain string `json:"cluster_domain"` | ||
MachineType string `json:"machine_type"` | ||
Ip string `json:"ip"` | ||
Port int `json:"port"` | ||
ReportTime time.Time `json:"report_time"` | ||
*checker.PrivErrorInfo | ||
} | ||
|
||
func (c *Checker) Run() (msg string, err error) { | ||
privs, err := c.showAllPrivileges() | ||
if err != nil { | ||
slog.Error("show all privs", slog.String("err", err.Error())) | ||
return "", err | ||
} | ||
|
||
for _, priv := range privs { | ||
c.az.AddPrivSQLString(priv) | ||
} | ||
|
||
report := c.az.Check(true) | ||
|
||
privCheckReportBaseDir := filepath.Join(cst.DBAReportBase, "mysql/privcheck") | ||
err = os.MkdirAll(privCheckReportBaseDir, os.ModePerm) | ||
if err != nil { | ||
slog.Error("create priv check report dir", slog.String("err", err.Error())) | ||
return "", err | ||
} | ||
|
||
resultReport, err := reportlog.NewReporter(privCheckReportBaseDir, "report.log", nil) | ||
if err != nil { | ||
slog.Error("create priv check report", slog.String("err", err.Error())) | ||
return "", err | ||
} | ||
reportTs := cmutil.TimeToSecondPrecision(time.Now()) | ||
|
||
for _, r := range report { | ||
resultReport.Println(reportType{ | ||
BkBizId: config.MonitorConfig.BkBizId, | ||
BkCloudId: *config.MonitorConfig.BkCloudID, | ||
ClusterDomain: config.MonitorConfig.ImmuteDomain, | ||
MachineType: config.MonitorConfig.MachineType, | ||
Ip: config.MonitorConfig.Ip, | ||
Port: config.MonitorConfig.Port, | ||
ReportTime: reportTs, | ||
PrivErrorInfo: r, | ||
}) | ||
} | ||
|
||
return "", nil | ||
} | ||
|
||
func (c *Checker) showAllPrivileges() (privs []string, err error) { | ||
rows, err := c.db.Queryx(`SELECT user, host FROM mysql.user`) | ||
if err != nil { | ||
slog.Error("list user host", slog.String("err", err.Error())) | ||
return nil, errors.Wrap(err, "list user host") | ||
} | ||
defer func() { | ||
_ = rows.Close() | ||
}() | ||
|
||
for rows.Next() { | ||
var user, host string | ||
err = rows.Scan(&user, &host) | ||
if err != nil { | ||
slog.Error("scan user host", slog.String("err", err.Error())) | ||
return nil, errors.Wrap(err, "scan user host") | ||
} | ||
|
||
res, err := c.showPrivileges(user, host) | ||
if err != nil { | ||
slog.Error( | ||
"show one user grants", | ||
slog.String("user", user), | ||
slog.String("host", host), | ||
slog.String("err", err.Error()), | ||
) | ||
} | ||
|
||
privs = append(privs, res...) | ||
} | ||
if err := rows.Err(); err != nil { | ||
slog.Error("iterate user host", slog.String("err", err.Error())) | ||
return nil, errors.Wrap(err, "iterate user host") | ||
} | ||
|
||
return privs, nil | ||
} | ||
|
||
func (c *Checker) showPrivileges(user, host string) (privs []string, err error) { | ||
var version float32 | ||
err = c.db.QueryRowx(`SELECT SUBSTRING_INDEX(@@version, ".", 2)`).Scan(&version) | ||
if err != nil { | ||
slog.Error("get version", slog.String("err", err.Error())) | ||
return nil, errors.Wrap(err, "get version") | ||
} | ||
|
||
if version > 5.5 { | ||
var createUserRes []string | ||
err = c.db.Select( | ||
&createUserRes, | ||
fmt.Sprintf(`SHOW CREATE USER '%s'@'%s'`, user, host), | ||
) | ||
if err != nil { | ||
slog.Error("get create user", slog.String("err", err.Error())) | ||
return nil, errors.Wrap(err, "get create user") | ||
} | ||
|
||
privs = append(privs, createUserRes...) | ||
} | ||
|
||
var grantsRes []string | ||
err = c.db.Select( | ||
&grantsRes, | ||
fmt.Sprintf(`SHOW GRANTS FOR '%s'@'%s'`, user, host), | ||
) | ||
if err != nil { | ||
slog.Error("get grants", slog.String("err", err.Error())) | ||
return nil, errors.Wrap(err, "get grants") | ||
} | ||
|
||
privs = append(privs, grantsRes...) | ||
return privs, nil | ||
} | ||
|
||
func (c *Checker) Name() string { | ||
return name | ||
} | ||
|
||
func NewChecker(cc *monitoriteminterface.ConnectionCollect) monitoriteminterface.MonitorItemInterface { | ||
return &Checker{ | ||
db: cc.MySqlDB, | ||
az: checker.NewAnalyzer(), | ||
} | ||
} | ||
|
||
func Register() (string, monitoriteminterface.MonitorItemConstructorFuncType) { | ||
return name, NewChecker | ||
} |
81 changes: 81 additions & 0 deletions
81
.../mysql/db-tools/mysql-monitor/pkg/itemscollect/privcheck/internal/checker/add_priv_sql.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
package checker | ||
|
||
import ( | ||
"dbm-services/mysql/db-tools/mysql-monitor/pkg/itemscollect/privcheck/internal/listener" | ||
"dbm-services/mysql/db-tools/mysql-monitor/pkg/itemscollect/privcheck/internal/parsing" | ||
|
||
"github.com/antlr4-go/antlr/v4" | ||
) | ||
|
||
func (c *Analyzer) AddPrivSQLString(sql string) { | ||
in := antlr.NewInputStream(sql) | ||
lexer := parsing.NewMySqlLexer(in) | ||
stream := antlr.NewCommonTokenStream(lexer, 0) | ||
p := parsing.NewMySqlParser(stream) | ||
tree := p.Root() | ||
l := listener.NewPrivListener(stream) | ||
antlr.ParseTreeWalkerDefault.Walk(l, tree) | ||
|
||
c.addUserSummary(l) | ||
} | ||
|
||
func (c *Analyzer) addUserSummary(l *listener.PrivListener) { | ||
if !l.IsGrantPriv && !l.IsCreateUser { | ||
return | ||
} | ||
|
||
if _, ok := c.userPrivSummaries[l.Username]; !ok { | ||
c.userPrivSummaries[l.Username] = &userPrivSummary{ | ||
Username: l.Username, | ||
} | ||
} | ||
|
||
if l.IsCreateUser { | ||
return | ||
} | ||
|
||
c.addHostSummary(l, c.userPrivSummaries[l.Username]) | ||
} | ||
|
||
func (c *Analyzer) addHostSummary(l *listener.PrivListener, userSummary *userPrivSummary) { | ||
if userSummary.HostPrivSummaries == nil { | ||
userSummary.HostPrivSummaries = make(map[string]*hostPrivSummary) | ||
} | ||
|
||
if _, ok := userSummary.HostPrivSummaries[l.Host]; !ok { | ||
userSummary.HostPrivSummaries[l.Host] = &hostPrivSummary{ | ||
Host: l.Host, | ||
Password: l.Password, | ||
} | ||
} | ||
|
||
c.addDBSummary(l, userSummary.HostPrivSummaries[l.Host]) | ||
} | ||
|
||
func (c *Analyzer) addDBSummary(l *listener.PrivListener, hostSummary *hostPrivSummary) { | ||
if hostSummary.DBPrivSummaries == nil { | ||
hostSummary.DBPrivSummaries = make(map[string]*dbPrivSummary) | ||
} | ||
|
||
if _, ok := hostSummary.DBPrivSummaries[l.DBName]; !ok { | ||
hostSummary.DBPrivSummaries[l.DBName] = &dbPrivSummary{ | ||
DBName: l.DBName, | ||
WithGrantOption: l.WithGrantOption, | ||
} | ||
} | ||
|
||
c.addTableSummary(l, hostSummary.DBPrivSummaries[l.DBName]) | ||
} | ||
|
||
func (c *Analyzer) addTableSummary(l *listener.PrivListener, dbSummary *dbPrivSummary) { | ||
if dbSummary.TablePrivSummaries == nil { | ||
dbSummary.TablePrivSummaries = make(map[string]*tablePrivSummary) | ||
} | ||
|
||
if _, ok := dbSummary.TablePrivSummaries[l.TableName]; !ok { | ||
dbSummary.TablePrivSummaries[l.TableName] = &tablePrivSummary{ | ||
TableName: l.TableName, | ||
Privileges: l.Privileges, | ||
} | ||
} | ||
} |
29 changes: 29 additions & 0 deletions
29
...ervices/mysql/db-tools/mysql-monitor/pkg/itemscollect/privcheck/internal/checker/check.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
package checker | ||
|
||
const ( | ||
PrivErrorHostConflict = "host_conflict" | ||
PrivErrorDBConflict = "db_conflict" | ||
PrivErrorPasswordNotMatch = "password_not_match" | ||
PrivErrorWithGrantOptionNotMatch = "with_grant_option_not_match" | ||
PrivErrorGrantToDifferentDB = "grant_to_different_db" | ||
PrivErrorGrantToDifferentTable = "grant_to_different_table" | ||
PrivErrorPrivilegesNotMatch = "privileges_not_match" | ||
) | ||
|
||
type PrivErrorInfo struct { | ||
ErrorType string `json:"error_type"` | ||
Object1 string `json:"object1"` | ||
Object2 string `json:"object2"` | ||
Msg string `json:"msg"` | ||
} | ||
|
||
func (c *Analyzer) Check(deep bool) (res []*PrivErrorInfo) { | ||
c.deep = deep | ||
for userName, userSummary := range c.userPrivSummaries { | ||
if !IsSystemUser(userName) { | ||
res = append(res, c.checkUser(userSummary)...) | ||
} | ||
} | ||
|
||
return res | ||
} |
Oops, something went wrong.