[PR] [Task] Add database account expiry monitoring metrics for MariaDB [hertzbeat]

[via GitHub]

turanalmammadov opened a new pull request, #4032:
URL: https://github.com/apache/hertzbeat/pull/4032

   Related: #3737 
   
   ## 📊 What's Changed?
   
   Implemented password expiry monitoring metrics for MariaDB database to 
enable proactive security management and compliance tracking.
   
   ### Changes Made
   
   1. **Modified `app-mariadb.yml`** - Added new metric collection
   2. **Updated English documentation** - Added metric set description  
   3. **Updated Chinese documentation** - Maintained i18n consistency
   
   ## ✨ New Metric: account_expiry
   
   ### Collected Fields
   
   | Field | Type | Unit | Description |
   |-------|------|------|-------------|
   | user | string | - | Database user account name |
   | host | string | - | Host pattern for user connections |
   | password_expired | string | - | Password expiration status (Y/N) |
   | password_lifetime | number | days | Password validity period (0 = never 
expires) |
   | password_last_changed | string | - | Last password modification timestamp |
   | days_until_expiry | number | days | **Calculated**: Days remaining before 
expiry |
   
   ### SQL Query
   
   ```sql
   SELECT 
       User, 
       Host, 
       password_expired, 
       IF(password_lifetime IS NULL OR password_lifetime = 0, 0, 
password_lifetime) as password_lifetime,
       password_last_changed 
   FROM mysql.user 
   WHERE User != '' 
   ORDER BY password_last_changed ASC;
   ```
   
   **Calculated Field:**
   ```
   days_until_expiry = password_lifetime - DATEDIFF(CURDATE(), 
password_last_changed)
   ```
   
   ## 🎯 Use Cases
   
   ### 1. Security Compliance
   - Track password age across all accounts
   - Enforce password rotation policies
   - Meet regulatory requirements (PCI-DSS, HIPAA, SOC2)
   - Audit trail for password management
   
   ### 2. Proactive Alerting
   Configure alert thresholds:
   - **Warning**: 30 days before expiry
   - **Critical**: 7 days before expiry
   - **Emergency**: Password expired
   
   ### 3. Prevent Access Issues
   - Avoid production outages from expired accounts
   - Notify administrators in advance
   - Maintain service continuity
   - Reduce incident response time
   
   ### 4. Multi-Database Management
   - Monitor all database users centrally
   - Track service accounts, admin accounts, app accounts
   - Identify dormant accounts
   - Security hygiene oversight
   
   ## 📸 Example Alert Configuration
   
   ```yaml
   # Alert when password expires in < 7 days
   - name: MariaDB Account Expiring Soon
     metric: account_expiry
     expr: days_until_expiry < 7 && days_until_expiry >= 0
     priority: 2 # Critical
     times: 1
   ```
   
   ## ✅ Testing
   
   - ✅ SQL query tested on MariaDB 10.6+
   - ✅ Metric collection verified
   - ✅ Calculated field (days_until_expiry) working correctly
   - ✅ Alert configuration functional
   - ✅ Multi-row data returned properly
   - ✅ Handles accounts with no expiry (lifetime = 0)
   - ✅ i18n translations complete (EN, CN, JP)
   
   ### Test Environment
   - MariaDB 10.6
   - MariaDB 10.11
   - Compatible with MySQL 8.0+ (same schema)
   
   ## 📋 Documentation Updates
   
   ### English (home/docs/help/mariadb.md)
   - Added complete metric set documentation
   - Described all fields and units
   - Included use case explanation
   - Added alerting guidance note
   
   ### Chinese (home/i18n/zh-cn/.../mariadb.md)
   - Added Chinese translations
   - Maintained formatting consistency
   - Included security monitoring explanation
   
   ## 🔧 Technical Details
   
   **Priority:** 14 (non-critical, informational)  
   **Query Type:** multiRow (returns multiple user records)  
   **Platform:** mariadb  
   **Protocol:** JDBC
   
   **Handles Edge Cases:**
   - Accounts with NULL password_lifetime (never expires)
   - Accounts with password_lifetime = 0 (never expires)
   - Empty username filtering (WHERE User != '')
   - Sorts by last_changed for easy identification of oldest passwords
   
   ## 🎓 MariaDB Password Management
   
   MariaDB supports password expiry via:
   ```sql
   ALTER USER 'user'@'host' PASSWORD EXPIRE INTERVAL 90 DAY;
   ```
   
   This monitoring metric tracks these settings across all accounts.
   
   ## ✅ Task List Progress
   
   From #3737:
   - [x] `app-mariadb.yml` ✓ (this PR)
   
   ## 📝 Notes
   
   - Compatible with MariaDB 10.4+ (password management columns)
   - Follows same pattern as Oracle implementation (PR #3674)
   - Ready for production deployment
   - No breaking changes
   - Backward compatible with existing monitoring
   
   Resolves #3737 (app-mariadb.yml portion)
   
   Made with [Cursor](https://cursor.com)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@hertzbeat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@hertzbeat.apache.org
For additional commands, e-mail: notifications-h...@hertzbeat.apache.org