|
2 | 2 |
|
3 | 3 | Datalayers 提供数据库操作审计能力,可记录用户对数据库的查询、修改等操作。审计日志以文件形式存储,每条记录采用 `JSON` 格式,便于后续查询与分析。 |
4 | 4 |
|
| 5 | +::: tip |
5 | 6 | Datalayers 采用事件开始前记录审计日志的方式,审计日志的记录数有可能多于实际操作完成数。 |
| 7 | +::: |
6 | 8 |
|
7 | 9 | ## 开启审计日志 |
8 | 10 |
|
9 | | -审计日志功能默认关闭,需要在配置文件中进行启用和配置: |
10 | | - |
11 | | -```toml |
12 | | -# 审计日志配置 |
13 | | -[audit] |
14 | | -# 是否启用审计日志功能 |
15 | | -# 默认值:false |
16 | | -enable = true |
17 | | - |
18 | | -# 审计日志文件存储目录 |
19 | | -# 路径相对于 `base_dir` 配置项 |
20 | | -# 默认值:"audit" |
21 | | -path = "audit" |
22 | | - |
23 | | -# 审计日志文件最大保留数量 |
24 | | -# 系统每日生成新的日志文件 |
25 | | -# 默认值:30 |
26 | | -max_files = 30 |
27 | | - |
28 | | -# 需要记录的审计日志类型,多个类型用逗号分隔 |
29 | | -# 支持的类型:"read", "write", "ddl", "admin", "misc" |
30 | | -# 特殊值:"all" 表示记录所有类型 |
31 | | -# 默认值:"ddl,admin" |
32 | | -kinds = "ddl,admin" |
33 | | - |
34 | | -# 需要记录的审计操作类型,多个操作用逗号分隔 |
35 | | -# 支持的操作:"select", "insert", "update", "delete", "create", "alter", "drop", "truncate", "trim", |
36 | | -# "desc", "show", "create_user", "drop_user", "set_password", "grant", "revoke", |
37 | | -# "flush", "cluster", "migrate", "compact", "export", "misc", |
38 | | -# 特殊值:"all" 表示记录所有操作 |
39 | | -# 默认值:"all" |
40 | | -actions = "all" |
41 | | -``` |
42 | | - |
43 | | -## 配置说明 |
44 | | - |
45 | | -- **enable**: 设置为 true 以启用审计日志功能 |
46 | | -- **path**: 指定日志存储路径,支持相对路径(基于 base_dir)或绝对路径 |
47 | | -- **max_files**: 控制日志文件轮转数量,避免磁盘空间过度占用 |
48 | | -- **kinds**: 精细化控制需要记录的日志类型,减少不必要的日志记录 |
49 | | -- **actions**: 根据实际安全需求,选择需要审计的具体数据库操作 |
50 | | -- 同时满足 **kinds** 和 **actions** 条件的日志才会被记录 |
| 11 | +审计日志功能默认关闭,需要在配置文件中进行启用和配置,配置方法可参考 [配置审计日志](../admin/configuration-fields/audit-logs.md) |
| 12 | + |
| 13 | +## 各操作的审计约束 |
| 14 | + |
| 15 | +| 操作 | kind | action | |
| 16 | +|-------------------|---------|---------| |
| 17 | +| UPDATE | write | update | |
| 18 | +| DELETE | write | delete | |
| 19 | +| CREATE ROLE | admin | create_user | |
| 20 | +| CREATE USER | admin | create_user | |
| 21 | +| DROP ROLE | admin | drop_user | |
| 22 | +| DROP USER | admin | drop_user | |
| 23 | +| GRANT | admin | grant | |
| 24 | +| REVOKE | admin | revoke | |
| 25 | +| SET PASSWORD | admin | set_password | |
| 26 | +| CREATE DATABASE | ddl | create | |
| 27 | +| DROP DATABASE | ddl | drop | |
| 28 | +| TRIM DATABASE | ddl | trim | |
| 29 | +| CREATE TABLE | ddl | create | |
| 30 | +| DROP TABLE | ddl | drop | |
| 31 | +| ALTER TABLE | ddl | alter | |
| 32 | +| TRUNCATE TABLE | ddl | truncate | |
| 33 | +| CREATE INDEX | ddl | alter | |
| 34 | +| DROP INDEX | ddl | alter | |
| 35 | +| FLUSH | admin | flush | |
| 36 | +| COMPACT | admin | compact | |
| 37 | +| EXPORT | admin | export | |
| 38 | +| EXCLUDE NODE | admin | cluster | |
| 39 | +| INCLUDE NODE | admin | cluster | |
| 40 | +| DROP NODE | admin | cluster | |
| 41 | +| REBALANCE | admin | migrate | |
| 42 | +| STOP MIGRATION | admin | migrate | |
| 43 | +| DESC TABLE | admin | desc | |
| 44 | +| SHOW | admin | show | |
| 45 | + |
| 46 | + |
| 47 | +::: tip |
| 48 | +目前不支持对 SELECT 和 INSERT 语句的审计。 |
| 49 | +::: |
51 | 50 |
|
52 | 51 | ## 查看审计日志 |
53 | 52 |
|
|
0 commit comments