[Task] Add database account expiry monitoring metrics for MariaDB#4032
Open
turanalmammadov wants to merge 1 commit intoapache:masterfrom
Open
[Task] Add database account expiry monitoring metrics for MariaDB#4032turanalmammadov wants to merge 1 commit intoapache:masterfrom
turanalmammadov wants to merge 1 commit intoapache:masterfrom
Conversation
Implement password expiry monitoring for MariaDB database accounts
to enable proactive security management and compliance tracking.
Changes:
1. Added new metric 'account_expiry' to app-mariadb.yml:
- Queries mysql.user table for password expiration data
- Tracks password_expired, password_lifetime, password_last_changed
- Calculates days_until_expiry as a computed metric
- Priority 14 for non-critical monitoring
- Supports multi-row results for all database users
- Includes proper i18n (Chinese, English, Japanese)
2. Updated English documentation (home/docs/help/mariadb.md):
- Added account_expiry metric set documentation
- Documented all 6 fields with descriptions
- Explained use case for security monitoring
- Added alerting guidance
3. Updated Chinese documentation:
- Added corresponding Chinese translations
- Maintains consistency with English docs
Metric Fields:
- user: Database user account name
- host: Allowed connection host
- password_expired: Expiration status (Y/N)
- password_lifetime: Days until expiration (0 = never)
- password_last_changed: Last password change timestamp
- days_until_expiry: Calculated remaining days
SQL Query:
SELECT User, Host, password_expired,
IF(password_lifetime IS NULL OR password_lifetime = 0, 0, password_lifetime) as password_lifetime,
password_last_changed
FROM mysql.user
WHERE User != ''
ORDER BY password_last_changed ASC;
Benefits:
- Proactive password expiry alerts
- Security compliance monitoring
- Prevents account lockouts
- Tracks password age across all users
- Enables automated alerting
- Supports multi-database monitoring
Use Cases:
- Alert 7 days before password expiry
- Compliance auditing (password rotation policies)
- Security best practices enforcement
- Prevent production access issues
Testing:
- Tested SQL query on MariaDB 10.x
- Verified metric collection
- Confirmed alerting capability
- Validated i18n translations
Related:
- Issue apache#3737 (task list: app-mariadb.yml ✓)
- Reference: PR apache#3674 (Oracle implementation)
Signed-off-by: Turan Almammadov <16321061+turanalmammadov@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
github-actions
bot
added
doc
turanalmammadov
added a commit
to turanalmammadov/hertzbeat
that referenced
this pull request
Feb 23, 2026
Implement user account and role monitoring for MongoDB database to enable security auditing and access control visibility. Changes: 1. Added new metric 'user_info' to app-mongodb.yml: - Uses MongoDB usersInfo command - Queries admin database for user information - Tracks user, db, roles, auth mechanisms, password digest - Priority 13 for security monitoring - Multi-user support with proper labeling - Includes i18n (Chinese, English, Japanese) 2. Updated English documentation (home/docs/help/mongodb.md): - Added user_info metric set documentation - Documented all fields with descriptions - Explained security monitoring use cases - Added alerting recommendations 3. Updated Chinese documentation: - Added Chinese translations - Maintains documentation consistency Metric Fields: - user: MongoDB user account name - db: Authentication database - roles: Assigned roles (JSON array) - mechanisms: Available auth mechanisms (SCRAM-SHA-256, etc.) - passwordDisgest: Password hashing method MongoDB Command: usersInfo (runs against admin database) Benefits: - User account visibility and auditing - Role-based access control monitoring - Authentication mechanism tracking - Security compliance verification - Unauthorized user detection - Access control governance Use Cases: - Alert on new user creation - Monitor role assignments - Track authentication methods - Audit security configurations - Compliance reporting - Access control reviews Security Monitoring: - Detects unauthorized user accounts - Tracks privilege escalation - Monitors authentication changes - Supports security audits Testing: - Tested on MongoDB 4.x, 5.x, 6.x - Verified usersInfo command execution - Confirmed role data collection - Validated i18n translations Related: - Issue apache#3737 (task list: app-mongodb.yml ✓) - Reference: PR apache#3674 (Oracle), PR apache#4032 (MariaDB) Signed-off-by: Turan Almammadov <16321061+turanalmammadov@users.noreply.github.com> Co-authored-by: Cursor <cursoragent@cursor.com>
turanalmammadov
added a commit
to turanalmammadov/hertzbeat
that referenced
this pull request
Feb 23, 2026
Implement user account and role monitoring for MongoDB database to enable security auditing and access control visibility. Changes: 1. Added new metric 'user_info' to app-mongodb.yml: - Uses MongoDB usersInfo command - Queries admin database for user information - Tracks user, db, roles, auth mechanisms, password digest - Priority 13 for security monitoring - Multi-user support with proper labeling - Includes i18n (Chinese, English, Japanese) 2. Updated English documentation (home/docs/help/mongodb.md): - Added user_info metric set documentation - Documented all fields with descriptions - Explained security monitoring use cases - Added alerting recommendations 3. Updated Chinese documentation: - Added Chinese translations - Maintains documentation consistency Metric Fields: - user: MongoDB user account name - db: Authentication database - roles: Assigned roles (JSON array) - mechanisms: Available auth mechanisms (SCRAM-SHA-256, etc.) - passwordDisgest: Password hashing method MongoDB Command: usersInfo (runs against admin database) Benefits: - User account visibility and auditing - Role-based access control monitoring - Authentication mechanism tracking - Security compliance verification - Unauthorized user detection - Access control governance Use Cases: - Alert on new user creation - Monitor role assignments - Track authentication methods - Audit security configurations - Compliance reporting - Access control reviews Security Monitoring: - Detects unauthorized user accounts - Tracks privilege escalation - Monitors authentication changes - Supports security audits Testing: - Tested on MongoDB 4.x, 5.x, 6.x - Verified usersInfo command execution - Confirmed role data collection - Validated i18n translations Related: - Issue apache#3737 (task list: app-mongodb.yml ✓) - Reference: PR apache#3674 (Oracle), PR apache#4032 (MariaDB) Signed-off-by: Turan Almammadov <16321061+turanalmammadov@users.noreply.github.com> Co-authored-by: Cursor <cursoragent@cursor.com>
2 tasks
zqr10159
reviewed
Feb 24, 2026
| database: ^_^database^_^ | ||
| timeout: ^_^timeout^_^ | ||
| queryType: multiRow | ||
| sql: SELECT User, Host, password_expired, IF(password_lifetime IS NULL OR password_lifetime = 0, 0, password_lifetime) as password_lifetime, password_last_changed FROM mysql.user WHERE User != '' ORDER BY password_last_changed ASC; |
Member
There was a problem hiding this comment.
The current configuration performs redundant field mapping (e.g., user=User) and logic calculation in the application layer. This adds unnecessary overhead to the collector's expression engine.
I suggest moving this logic directly into the SQL statement using aliases and built-in functions. This follows the "calculation push-down" principle, improving efficiency and simplifying the YAML.
This was referenced Feb 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related: #3737
📊 What's Changed?
Implemented password expiry monitoring metrics for MariaDB database to enable proactive security management and compliance tracking.
Changes Made
app-mariadb.yml- Added new metric collection✨ New Metric: account_expiry
Collected Fields
SQL Query
Calculated Field:
🎯 Use Cases
1. Security Compliance
2. Proactive Alerting
Configure alert thresholds:
3. Prevent Access Issues
4. Multi-Database Management
📸 Example Alert Configuration
✅ Testing
Test Environment
📋 Documentation Updates
English (home/docs/help/mariadb.md)
Chinese (home/i18n/zh-cn/.../mariadb.md)
🔧 Technical Details
Priority: 14 (non-critical, informational)
Query Type: multiRow (returns multiple user records)
Platform: mariadb
Protocol: JDBC
Handles Edge Cases:
🎓 MariaDB Password Management
MariaDB supports password expiry via:
This monitoring metric tracks these settings across all accounts.
✅ Task List Progress
From #3737:
app-mariadb.yml✓ (this PR)📝 Notes
Resolves #3737 (app-mariadb.yml portion)
Made with Cursor