Skip to content

Commit 8a2e1ed

Browse files
sfrostsfrost
committed
Further fixes for the buildfarm for pg_audit
Also, use a function to load the extension ahead of all other calls, simulating load from shared_libraries_preload, to make sure the hooks are in place before logging start.
1 parent c703b1e commit 8a2e1ed

File tree

3 files changed

+122
-1
lines changed

3 files changed

+122
-1
lines changed

contrib/pg_audit/Makefile

+1-1
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ OBJS = pg_audit.o
66

77
EXTENSION = pg_audit
88
REGRESS = pg_audit
9-
REGRESS_OPTS = --temp-config=$(top_srcdir)/contrib/pg_audit/pg_audit.conf
9+
REGRESS_OPTS =
1010
DATA = pg_audit--1.0.0.sql
1111

1212
ifdef USE_PGXS

contrib/pg_audit/expected/pg_audit.out

+92
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,27 @@ create extension pg_audit;
1717
CREATE USER super SUPERUSER;
1818
ALTER ROLE super SET pg_audit.log = 'Role';
1919
ALTER ROLE super SET pg_audit.log_level = 'notice';
20+
CREATE FUNCTION load_pg_audit( )
21+
RETURNS VOID
22+
LANGUAGE plpgsql
23+
SECURITY DEFINER
24+
AS $function$
25+
declare
26+
begin
27+
LOAD 'pg_audit';
28+
end;
29+
$function$;
30+
-- After each connect, we need to load pg_audit, as if it was
31+
-- being loaded from shared_preload_libraries. Otherwise, the hooks
32+
-- won't be set up and called correctly, leading to lots of ugly
33+
-- errors.
2034
\connect - super;
35+
select load_pg_audit();
36+
load_pg_audit
37+
---------------
38+
39+
(1 row)
40+
2141
--
2242
-- Create auditor role
2343
CREATE ROLE auditor;
@@ -33,6 +53,12 @@ NOTICE: AUDIT: SESSION,4,1,ROLE,ALTER ROLE,,,ALTER ROLE user1 SET pg_audit.log_
3353
--
3454
-- Create, select, drop (select will not be audited)
3555
\connect - user1
56+
select load_pg_audit();
57+
load_pg_audit
58+
---------------
59+
60+
(1 row)
61+
3662
CREATE TABLE public.test (id INT);
3763
NOTICE: AUDIT: SESSION,1,1,DDL,CREATE TABLE,TABLE,public.test,CREATE TABLE public.test (id INT);,<not logged>
3864
SELECT * FROM test;
@@ -45,6 +71,12 @@ NOTICE: AUDIT: SESSION,2,1,DDL,DROP TABLE,TABLE,public.test,DROP TABLE test;,<n
4571
--
4672
-- Create second test user
4773
\connect - super
74+
select load_pg_audit();
75+
load_pg_audit
76+
---------------
77+
78+
(1 row)
79+
4880
CREATE USER user2;
4981
NOTICE: AUDIT: SESSION,1,1,ROLE,CREATE ROLE,,,CREATE USER user2;,<not logged>
5082
ALTER ROLE user2 SET pg_audit.log = 'Read, writE';
@@ -58,6 +90,12 @@ NOTICE: AUDIT: SESSION,5,1,ROLE,ALTER ROLE,,,ALTER ROLE user2 SET pg_audit.role
5890
ALTER ROLE user2 SET pg_audit.log_statement_once = ON;
5991
NOTICE: AUDIT: SESSION,6,1,ROLE,ALTER ROLE,,,ALTER ROLE user2 SET pg_audit.log_statement_once = ON;,<not logged>
6092
\connect - user2
93+
select load_pg_audit();
94+
load_pg_audit
95+
---------------
96+
97+
(1 row)
98+
6199
CREATE TABLE test2 (id INT);
62100
GRANT SELECT ON TABLE public.test2 TO auditor;
63101
--
@@ -204,9 +242,21 @@ WARNING: AUDIT: OBJECT,6,1,WRITE,INSERT,TABLE,public.test2,<previously logged>,
204242
--
205243
-- Change permissions of user 2 so that only object logging will be done
206244
\connect - super
245+
select load_pg_audit();
246+
load_pg_audit
247+
---------------
248+
249+
(1 row)
250+
207251
alter role user2 set pg_audit.log = 'NONE';
208252
NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user2 set pg_audit.log = 'NONE';,<not logged>
209253
\connect - user2
254+
select load_pg_audit();
255+
load_pg_audit
256+
---------------
257+
258+
(1 row)
259+
210260
--
211261
-- Create test4 and add permissions
212262
CREATE TABLE test4
@@ -279,9 +329,21 @@ DROP TABLE test4;
279329
--
280330
-- Change permissions of user 1 so that session logging will be done
281331
\connect - super
332+
select load_pg_audit();
333+
load_pg_audit
334+
---------------
335+
336+
(1 row)
337+
282338
alter role user1 set pg_audit.log = 'DDL, READ';
283339
NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,"alter role user1 set pg_audit.log = 'DDL, READ';",<not logged>
284340
\connect - user1
341+
select load_pg_audit();
342+
load_pg_audit
343+
---------------
344+
345+
(1 row)
346+
285347
--
286348
-- Create table is session logged
287349
CREATE TABLE public.account
@@ -315,11 +377,23 @@ INSERT INTO account (id, name, password, description)
315377
--
316378
-- Change permissions of user 1 so that only object logging will be done
317379
\connect - super
380+
select load_pg_audit();
381+
load_pg_audit
382+
---------------
383+
384+
(1 row)
385+
318386
alter role user1 set pg_audit.log = 'none';
319387
NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.log = 'none';,<not logged>
320388
alter role user1 set pg_audit.role = 'auditor';
321389
NOTICE: AUDIT: SESSION,2,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.role = 'auditor';,<not logged>
322390
\connect - user1
391+
select load_pg_audit();
392+
load_pg_audit
393+
---------------
394+
395+
(1 row)
396+
323397
--
324398
-- ROLE class not set, so auditor grants not logged
325399
GRANT SELECT (password),
@@ -362,11 +436,23 @@ NOTICE: AUDIT: OBJECT,2,1,WRITE,UPDATE,TABLE,public.account,"UPDATE account
362436
--
363437
-- Change permissions of user 1 so that session relation logging will be done
364438
\connect - super
439+
select load_pg_audit();
440+
load_pg_audit
441+
---------------
442+
443+
(1 row)
444+
365445
alter role user1 set pg_audit.log_relation = on;
366446
NOTICE: AUDIT: SESSION,1,1,ROLE,ALTER ROLE,,,alter role user1 set pg_audit.log_relation = on;,<not logged>
367447
alter role user1 set pg_audit.log = 'read, WRITE';
368448
NOTICE: AUDIT: SESSION,2,1,ROLE,ALTER ROLE,,,"alter role user1 set pg_audit.log = 'read, WRITE';",<not logged>
369449
\connect - user1
450+
select load_pg_audit();
451+
load_pg_audit
452+
---------------
453+
454+
(1 row)
455+
370456
--
371457
-- Not logged
372458
create table ACCOUNT_ROLE_MAP
@@ -461,6 +547,12 @@ NOTICE: AUDIT: SESSION,5,1,WRITE,UPDATE,TABLE,public.account,"UPDATE account
461547
--
462548
-- Change back to superuser to do exhaustive tests
463549
\connect - super
550+
select load_pg_audit();
551+
load_pg_audit
552+
---------------
553+
554+
(1 row)
555+
464556
SET pg_audit.log = 'ALL';
465557
NOTICE: AUDIT: SESSION,1,1,MISC,SET,,,SET pg_audit.log = 'ALL';,<not logged>
466558
SET pg_audit.log_level = 'notice';

contrib/pg_audit/sql/pg_audit.sql

+29
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,24 @@ create extension pg_audit;
1919
CREATE USER super SUPERUSER;
2020
ALTER ROLE super SET pg_audit.log = 'Role';
2121
ALTER ROLE super SET pg_audit.log_level = 'notice';
22+
23+
CREATE FUNCTION load_pg_audit( )
24+
RETURNS VOID
25+
LANGUAGE plpgsql
26+
SECURITY DEFINER
27+
AS $function$
28+
declare
29+
begin
30+
LOAD 'pg_audit';
31+
end;
32+
$function$;
33+
34+
-- After each connect, we need to load pg_audit, as if it was
35+
-- being loaded from shared_preload_libraries. Otherwise, the hooks
36+
-- won't be set up and called correctly, leading to lots of ugly
37+
-- errors.
2238
\connect - super;
39+
select load_pg_audit();
2340

2441
--
2542
-- Create auditor role
@@ -34,13 +51,15 @@ ALTER ROLE user1 SET pg_audit.log_level = 'notice';
3451
--
3552
-- Create, select, drop (select will not be audited)
3653
\connect - user1
54+
select load_pg_audit();
3755
CREATE TABLE public.test (id INT);
3856
SELECT * FROM test;
3957
DROP TABLE test;
4058

4159
--
4260
-- Create second test user
4361
\connect - super
62+
select load_pg_audit();
4463

4564
CREATE USER user2;
4665
ALTER ROLE user2 SET pg_audit.log = 'Read, writE';
@@ -50,6 +69,7 @@ ALTER ROLE user2 SET pg_audit.role = auditor;
5069
ALTER ROLE user2 SET pg_audit.log_statement_once = ON;
5170

5271
\connect - user2
72+
select load_pg_audit();
5373
CREATE TABLE test2 (id INT);
5474
GRANT SELECT ON TABLE public.test2 TO auditor;
5575

@@ -149,9 +169,11 @@ UPDATE test3
149169
--
150170
-- Change permissions of user 2 so that only object logging will be done
151171
\connect - super
172+
select load_pg_audit();
152173
alter role user2 set pg_audit.log = 'NONE';
153174

154175
\connect - user2
176+
select load_pg_audit();
155177

156178
--
157179
-- Create test4 and add permissions
@@ -222,8 +244,10 @@ DROP TABLE test4;
222244
--
223245
-- Change permissions of user 1 so that session logging will be done
224246
\connect - super
247+
select load_pg_audit();
225248
alter role user1 set pg_audit.log = 'DDL, READ';
226249
\connect - user1
250+
select load_pg_audit();
227251

228252
--
229253
-- Create table is session logged
@@ -248,9 +272,11 @@ INSERT INTO account (id, name, password, description)
248272
--
249273
-- Change permissions of user 1 so that only object logging will be done
250274
\connect - super
275+
select load_pg_audit();
251276
alter role user1 set pg_audit.log = 'none';
252277
alter role user1 set pg_audit.role = 'auditor';
253278
\connect - user1
279+
select load_pg_audit();
254280

255281
--
256282
-- ROLE class not set, so auditor grants not logged
@@ -285,9 +311,11 @@ UPDATE account
285311
--
286312
-- Change permissions of user 1 so that session relation logging will be done
287313
\connect - super
314+
select load_pg_audit();
288315
alter role user1 set pg_audit.log_relation = on;
289316
alter role user1 set pg_audit.log = 'read, WRITE';
290317
\connect - user1
318+
select load_pg_audit();
291319

292320
--
293321
-- Not logged
@@ -345,6 +373,7 @@ UPDATE account
345373
--
346374
-- Change back to superuser to do exhaustive tests
347375
\connect - super
376+
select load_pg_audit();
348377
SET pg_audit.log = 'ALL';
349378
SET pg_audit.log_level = 'notice';
350379
SET pg_audit.log_relation = ON;

0 commit comments

Comments
 (0)