Audit data changes PostgreSQL

image

There arose a need to audit data changes in the existing system.

Requirements:


the
    the
  • Easy to enable/disable logging for individual tables.
    • the
  • to minimize changes to the existing functions of the database.
    • the
  • to Minimize the performance degradation.

First thought was to add in loggerhome table field _user, _create_date, _delete_date.

For operations INSERT, UPDATE, DELETE triggers the hang of working with these fields.
When a record is added to fill the field _user and _create_date.

Instead of updating, make a copy of the row being updated (with changed values), and in the updated row to fill in the field _delete_date.

Instead of deleting the recording to fill in the field _delete_date.

When referring to the table in block WHERE you need to add _delete_date IS NULL.

This mechanism could work if it was built in the architecture of the database initially, but by the time of implementation of the logging was written more than 3000 functions, each of which would have had to make changes.

Then came the idea to store the logs separately from the data. The idea was the following:
In the scheme of logs creates a copy of the table structure plus a few service fields.

Each loggorhea table hung a trigger that does all the dirty work to preserve the changed data.

trigger Code
CREATE OR REPLACE FUNCTION logs.tf_log_table()
RETURNS trigger AS
$BODY$
DECLARE
query text;
safe_table_name text;
BEGIN
SELECT quote_ident(nspname||'.'||relname)
FROM pg_class cl INNER JOIN pg_namespace nsp ON (cl.relnamespace=nsp.oid)
WHERE cl.oid=TG_RELID INTO safe_table_name;

query='INSERT INTO logs.'||safe_table_name||' SELECT ($1).*, now(),$2,session_user;';

IF (TG_OP = 'DELETE')
THEN
EXECUTE query using the OLD,'D';
RETURN OLD;
ELSIF (TG_OP = 'UPDATE') THEN
EXECUTE query using the OLD'U';
RETURN NEW;
ELSIF (TG_OP = 'INSERT') THEN
EXECUTE query using the NEW'I';
RETURN NEW;
END IF;

/*If the table log is not created or its structure differs from the current one, then re-create it, and again, trying to  write  down data*/
EXCEPTION
WHEN SQLSTATE '42P01' OR SQLSTATE '42801' OR SQLSTATE '42804' THEN
PERFORM logs.create_log_tables(TG_RELID::regclass);
IF (TG_OP = 'DELETE') THEN
EXECUTE query using the OLD,'D';
RETURN OLD;
ELSIF (TG_OP = 'UPDATE') THEN
EXECUTE query using the OLD'U';
RETURN NEW;
ELSIF (TG_OP = 'INSERT') THEN
EXECUTE query using the NEW'I';
RETURN NEW;
END IF;
/* If something else, ignore the error and return the standard reply*/
WHEN OTHERS then
IF (TG_OP = 'DELETE') THEN RETURN OLD;
ELSE RETURN NEW;
END IF;
END;
$BODY$
LANGUAGE plpgsql VOLATILE SECURITY DEFINER;



In this trigger there are some designs peculiar only to plpgsql, I will try to paint them in more detail.

SELECT quote_ident(nspname||'.'||relname)
FROM pg_class cl INNER JOIN pg_namespace nsp ON (cl.relnamespace=nsp.oid)
WHERE cl.oid=TG_RELID INTO safe_table_name;

TG_RELID special variable that exists only when triggered, trigger a function, it stores the ID of the table that caused the trigger.
With her help, we generated the table name, which will be written logs.

query='INSERT INTO logs.'||safe_table_name||' SELECT ($1).*, now(),$2,session_user;';

To insert data using dynamic SQL.
In place of the variable $1 is populated from the data from the line that triggered the trigger (there is substituted the entire the entire string, it must be deployed on separate fields — this is done by construction (ROW).*
now() — a function that returns time the transaction started.
session_user — the username of the current session

IF (TG_OP = 'DELETE')
THEN
EXECUTE query USING the OLD,'D';

TG_OP — another variable that exists only in trigger functions, it holds the name of the operation which triggered the trigger (INSERT, UPDATE, DELETE or TRUNCATE)
OLD, NEW — these variables store the old and new version string.

Further, in case if something goes wrong, provides a fairly simple error handling:
EXCEPTION
WHEN SQLSTATE '42P01' OR SQLSTATE '42801' OR SQLSTATE '42804' THEN
PERFORM logs.create_log_tables(TG_RELID::regclass);

If you have changed the table structure, or for some reason, the table log was not created, it is created again and attempt to record it in the log.

Code for the function connect logging
CREATE OR REPLACE FUNCTION logs.create_log_tables(table_oid oid) RETURNS int AS $BODY$
DECLARE

log_namespace oid=(SELECT oid from pg_namespace WHERE nspname='logs');
p_relname text;
new_tbl_name text;
safe_table_name text;

BEGIN

SELECT relname FROM pg_class WHERE oid=table_oid INTO p_relname;
SELECT quote_ident(nspname||'.'||relname) FROM pg_class cl inner  join  pg_namespace nsp ON (cl.relnamespace=nsp.oid) where cl.oid=table_oid INTO safe_table_name;
/*Generate a new name for the table*/

SELECT safe_table_name||'_'||(now()::date)::text||'('||i||')' FROM generate_series(1,10) a(i)
WHERE safe_table_name||'_'||(now()::date)::text||'('||i||')' not in(select relname from pg_class where relnamespace=log_namespace and relpersistence='p')
ORDER BY i LIMIT 1 INTO new_tbl_name;

/*Rename the old table with the logs*/
EXECUTE 'ALTER TABLE IF EXISTS logs.'||safe_table_name|| ' RENAME TO '||quote_ident(new_tbl_name)||';';

/*Create a table with the same structure as loggerhead, plus service fields*/
EXECUTE 'create table logs.'||safe_table_name||' (like '||table_oid::regclass||');';

EXECUTE 'ALTER TABLE logs.'||safe_table_name||' ADD COLUMN "'||p_relname||'_timestamp" timestamp with time zone;';
EXECUTE 'ALTER TABLE logs.'||safe_table_name||' ADD COLUMN "'||p_relname||'_operation" char;';
EXECUTE 'ALTER TABLE logs.'||safe_table_name||' ADD COLUMN "'||p_relname||'_user" text;';


/*Plug-in trigger*/
EXECUTE '
DROP TRIGGER IF exists tr_log_table ON '||table_oid::regclass::text||';
CREATE TRIGGER tr_log_table
BEFORE UPDATE OR DELETE OR INSERT
ON '||table_oid::regclass::text||'
FOR EACH ROW
EXECUTE PROCEDURE logs.tf_log_table();';

RETURN 0;
end;
$BODY$ LANGUAGE plpgsql VOLATILE SECURITY DEFINER;


The algorithm of connection logging is quite simple. For starters based on the name loggerodeo table creates a clone of it (if the table with the same name already existed, the old table is renamed), then this clone can be added service fields, and loggerhead the table is connected to the trigger.

Advantages of this option are:


the
    the
  • you do Not need to change anything in existing functionality.
    • the
  • select Query does not suffer in performance.
    • the
  • changes in the structure bloggerwave table table logs will be automatically re-generated.

    • the Logs can be quickly cleaned by removing the old table.

Article based on information from habrahabr.ru

Комментарии

Отправить комментарий

Популярные сообщения из этого блога

Templates ESKD and GOST 7.32 for Lyx 1.6.x

Изображение
for more than six months I use a word processor Lyx. Built-in templates is more than enough to write lecture notes, prepare for seminars and to do simple reports for laboratory work. But last semester I had to make two course of the project in accordance with the requirements ESKD. I have begun work in Lyx, but without special templates of documents, my reports in the editor looked like this: A little work, a little reading of the document "Customizing LyX: Features for the Advanced User" and it turned out where the beam: You can use immediately. If you have experience of working in Lyx, problems will not arise. Just in case the attached sample documents. Description of how to make such templates are not yet doing. Someone will ask — will tell. ESKD Screenshot menu select unit type: Group "sections and subsections" appeared due to the fact that the document can be sections with sections without subsections — for their handling of para...
Далее...

Monitoring PostgreSQL + php-fpm + nginx + disk using Zabbix

Изображение
a Lot of information in the network according to Zabbix, and a lot of bespoke templates, I want to introduce to the audience his modification. Zabbix is a very convenient and flexible monitoring tool. Want a hundred monitor, I want a thousand stations, and do not want to — watch a single server, take the cream in all sections. I would not mind to give to github, if anyone collects similar. It so happened that we decided to put on the hosting database wrapper php-fpm+nginx. As the database is postgres. Thoughts to collect data on the machine was before the purchase of hosting is needed, this is useful! Magic kick up the backside to the implementation of the system gave the brakes a hard drive on our VDS stations at the beginning of the script every minute, put the time and measured by the speed in the file, and then build graphs in Excel to compare to as it was/became, take quantitative statistics. And this is just one option! And suddenly the fault is not VDS, and our a...
Далее...

Custom table in MODx Revolution

Изображение
In this article we will examine the following questions: the Creating custom tables for MODx Revolution. the Generation of XML schema and php files classes for xPDO. the Work with custom tables. One of the biggest difficulties in migrating from Evolution to Revolution — an xPDO IMHO. After all, as was previously just got into the muscle via phpMyAdmin, created a sign, and work with it, sending pure SQL queries through $modx->db. Now any changes to the database do not much bother $modx except full drop tables, etc. As linked xPDO and MODx (or rather $modx), I wrote here . Consider the difficulties in working with custom tables in MODx Revolution — a considerable obstacle for many programmers. But really, it's not so difficult. All of the following, the algorithm in three words: the via phpMyAdmin (or other convenient tool to use) to create the needed tables the Using the attached code is generated for the necessary work xPDO files the Using the $...
Далее...