Update audit log exclusions for galera system users

Previously galera-agent@loopback and cluster-health-logger@loopback were excluded to avoid spamming the audit logs. Now that they connect over a unix socket this exclusion must be updated to be "galer-agent@localhost" and "cluster-health-logger@localhost" respectively. [#177349859](https://www.pivotaltracker.com/story/show/177349859)
cloudfoundry · Apr 14, 2021 · 32154b1 · 32154b1
1 parent 39fa997
commit 32154b1
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/jobs/pxc-mysql/templates/my.cnf.erb b/jobs/pxc-mysql/templates/my.cnf.erb
@@ -13,7 +13,7 @@
 
   def excluded_audit_users
     users = p('engine_config.audit_logs.audit_log_exclude_accounts') + csv_excluded_audit_users
-    ["'galera-agent'@'127.0.0.1'", "'cluster-health-logger'@'127.0.0.1'"] + users.collect {|user| "'#{user}'@'%'"}
+    ["'galera-agent'@'localhost'", "'cluster-health-logger'@'localhost'"] + users.collect {|user| "'#{user}'@'%'"}
   end
 
   def bool_to_on_off(boolean)

diff --git a/spec/pxc_spec.rb b/spec/pxc_spec.rb
@@ -100,6 +100,18 @@
         }
       }}
 
+      context 'when audit logs are enabled' do
+        before do
+            spec["engine_config"]["audit_logs"] = { "enabled" => true }
+        end
+
+        it 'excludes system accounts from the audit logs' do
+          tpl_output = template.render(spec, consumes: links)
+          expect(tpl_output).to match(/audit_log_exclude_accounts\s*=.*'galera-agent'@'localhost'.*/)
+          expect(tpl_output).to match(/audit_log_exclude_accounts\s*=.*'cluster-health-logger'@'localhost'.*/)
+        end
+      end
+
       it 'do nothing if read_write_permissions specified' do
         spec["engine_config"]["read_write_permissions"] = "super_read_only"
         tpl_output = template.render(spec, consumes: links)