MDEV-35511: Backport fix for Audit log not reporting user in Galera cluster

Setting a nae for the the THD::security_ctx:user field for wsrep applier threads.
With this, the audit log events related to wsrep applying will be written in the
audit log.

Using user name <cluster user> for wsrep appliers. This is for having identical
look with async replication, which uses: <replication_user> user name.
Another option for <cluster user> could be e.g. <wsrep user>. Hoever, using galera
for user name is not a good pick, as the cluster may have (and soon will have)
other GCS backends.

Using same approach as async replication to replace the security_ctx user name
with "system user" for processlist output.

Commit has also mtr test galera.MDEV-35511, to vevrify wsrep applier audit logging.
The test does not install/uninstall audit log plugin, bu loads the audit log plugin
before the test. This is because uninstalling the audit log plugin gives a warning
saying that plugin is busy and uninstall will be delayed until server shutdown.
This anomaly must be because of the applier thread being active audit logger.
Same problem with plugin unsinstall happens also with async relication workers.
If plugn remains installed, the post test sanity check will complain of mismatching
state of pre and post test states.

Author: mariadb-RuchaDeodhar

mysql-test/suite/galera/r/MDEV-35511.result

@@ -0,0 +1,22 @@
+connection node_2;
+connection node_1;
+connection node_2;
+SET GLOBAL server_audit_logging=ON;
+connection node_1;
+CREATE TABLE t1(a INT);
+INSERT INTO t1 VALUES (1);
+connection node_2;
+# Now checking the audit log
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'SET GLOBAL server_audit_logging=ON',0
+TIME,HOSTNAME,<cluster applier>,,ID,ID,CREATE,test,t1,
+TIME,HOSTNAME,<cluster applier>,,ID,ID,WRITE,test,t1,
+TIME,HOSTNAME,root,localhost,ID,ID,READ,test,t1,
+TIME,HOSTNAME,root,localhost,ID,ID,READ,mysql,table_stats,
+TIME,HOSTNAME,root,localhost,ID,ID,READ,mysql,column_stats,
+TIME,HOSTNAME,root,localhost,ID,ID,READ,mysql,index_stats,
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'SELECT COUNT(*) = 1 FROM test.t1',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'SELECT @@datadir',0
+# resetting the test state
+SET GLOBAL server_audit_logging=DEFAULT;
+connection node_1;
+DROP TABLE t1;

mysql-test/suite/galera/t/MDEV-35511.opt

@@ -0,0 +1 @@
+--plugin-load=server_audit

mysql-test/suite/galera/t/MDEV-35511.test

@@ -0,0 +1,34 @@
+--source include/galera_cluster.inc
+
+if (!$SERVER_AUDIT_SO) {
+    skip No SERVER_AUDIT plugin;
+}
+
+# enable audit loggin in node 2
+--connection node_2
+SET GLOBAL server_audit_logging=ON;
+
+# replicate CREATE and INSERT, these should be seen in the audit log
+--connection node_1
+CREATE TABLE t1(a INT);
+INSERT INTO t1 VALUES (1);
+
+--connection node_2
+# make sure that the INSERT has been applied
+--let $wait_condition = SELECT COUNT(*) = 1 FROM test.t1;
+--source include/wait_condition.inc
+
+--echo # Now checking the audit log
+let $MYSQLD_DATADIR= `SELECT @@datadir`;
+--replace_regex /[0-9]* [0-9][0-9]:[0-9][0-9]:[0-9][0-9]\,[^,]*\,/TIME,HOSTNAME,/ /\,[1-9][0-9]*\,/,1,/ /\,[1-9][0-9]*/,ID/
+cat_file $MYSQLD_DATADIR/server_audit.log;
+
+--echo # resetting the test state
+SET GLOBAL server_audit_logging=DEFAULT;
+
+--connection node_1
+DROP TABLE t1;
+
+#UNINSTALL PLUGIN server_audit;
+
+remove_file $MYSQLD_DATADIR/server_audit.log;

sql/mysqld.cc

@@ -297,7 +297,8 @@ static TYPELIB tc_heuristic_recover_typelib=
 
 const char *first_keyword= "first";
 const char *my_localhost= "localhost",
-           *delayed_user= "delayed", *slave_user= "<replication_slave>";
+           *delayed_user= "delayed", *slave_user= "<replication_slave>",
+           *cluster_user= "<cluster applier>";
 
 bool opt_large_files= sizeof(my_off_t) > 4;
 static my_bool opt_autocommit; ///< for --autocommit command-line option

sql/mysqld.h

@@ -263,7 +263,7 @@ extern time_t server_start_time, flush_status_time;
 extern char *opt_mysql_tmpdir, mysql_charsets_dir[];
 extern size_t mysql_unpacked_real_data_home_len;
 extern MYSQL_PLUGIN_IMPORT MY_TMPDIR mysql_tmpdir_list;
-extern const char *first_keyword, *delayed_user, *slave_user;
+extern const char *first_keyword, *delayed_user, *slave_user, *cluster_user;
 extern MYSQL_PLUGIN_IMPORT const char  *my_localhost;
 extern MYSQL_PLUGIN_IMPORT const char **errmesg;			/* Error messages */
 extern const char *myisam_recover_options_str;

sql/sql_class.h

@@ -1602,7 +1602,7 @@ class Security_context {
   bool check_access(const privilege_t want_access, bool match_any = false);
   bool is_priv_user(const char *user, const char *host);
   bool is_user_defined() const
-    { return user && user != delayed_user && user != slave_user; };
+    { return user && user != delayed_user && user != slave_user && user != cluster_user; };
 };
 
 

sql/sql_show.cc

@@ -2803,7 +2803,9 @@ static my_bool list_callback(THD *tmp, list_callback_arg *arg)
 
     thd_info->thread_id=tmp->thread_id;
     thd_info->os_thread_id=tmp->os_thread_id;
-    thd_info->user= arg->thd->strdup(tmp_sctx->user && tmp_sctx->user != slave_user ?
+    thd_info->user= arg->thd->strdup(tmp_sctx->user &&
+                                     (tmp_sctx->user != slave_user &&
+                                      tmp_sctx->user != cluster_user) ?
                                        tmp_sctx->user :
                                        (tmp->system_thread ?
                                          "system user" : "unauthenticated user"));
@@ -3256,8 +3258,9 @@ static my_bool processlist_callback(THD *tmp, processlist_callback_arg *arg)
   /* ID */
   arg->table->field[0]->store((longlong) tmp->thread_id, TRUE);
   /* USER */
-  val= tmp_sctx->user && tmp_sctx->user != slave_user ? tmp_sctx->user :
-        (tmp->system_thread ? "system user" : "unauthenticated user");
+  val= tmp_sctx->user && (tmp_sctx->user != slave_user &&
+       tmp_sctx->user != cluster_user) ? tmp_sctx->user :
+       (tmp->system_thread ? "system user" : "unauthenticated user");
   arg->table->field[1]->store(val, strlen(val), cs);
   /* HOST */
   if (tmp->peer_port && (tmp_sctx->host || tmp_sctx->ip) &&

sql/wsrep_mysqld.cc

@@ -3801,6 +3801,7 @@ void* start_wsrep_THD(void *arg)
 
   thd->system_thread= SYSTEM_THREAD_SLAVE_SQL;
   thd->security_ctx->skip_grants();
+  thd->security_ctx->user = (char *)cluster_user;
 
   /* handle_one_connection() again... */
   thd->mark_connection_idle();