[Fix] - access granted on internal calls should be logged on trace
Since the system privilege is also mapped to cluster/index monitoring actions, access granted on those was only logged at `TRACE` level. This commit makes sure that these actions are treated like any other action, and only keeps the *internal* system calls under `TRACE`. Fixes elastic/elasticsearch#554 Original commit: elastic/x-pack-elasticsearch@ffb719f547
parent
8b38fde21d
commit
6a95a0d17e
@ -7,7 +7,6 @@ package org.elasticsearch.shield.audit.logfile;
|
||||
|
||||
import org.elasticsearch.action.IndicesRequest;
|
||||
import org.elasticsearch.common.Strings;
|
||||
import org.elasticsearch.common.base.Predicate;
|
||||
import org.elasticsearch.common.inject.Inject;
|
||||
import org.elasticsearch.common.logging.ESLogger;
|
||||
import org.elasticsearch.common.logging.Loggers;
|
||||
@ -32,8 +31,6 @@ public class LoggingAuditTrail implements AuditTrail {
|
||||
|
||||
public static final String NAME = "logfile";
|
||||
|
||||
private static final Predicate<String> SYSTEM_ACTION_MATCHER = Privilege.SYSTEM.predicate();
|
||||
|
||||
private final ESLogger logger;
|
||||
|
||||
@Override
|
||||
@ -127,8 +124,8 @@ public class LoggingAuditTrail implements AuditTrail {
|
||||
public void accessGranted(User user, String action, TransportMessage<?> message) {
|
||||
String indices = indices(message);
|
||||
|
||||
// special treatment for system actions - only log on trace
|
||||
if (SYSTEM_ACTION_MATCHER.apply(action)) {
|
||||
// special treatment for internal system actions - only log on trace
|
||||
if (Privilege.SYSTEM.internalActionPredicate().apply(action)) {
|
||||
if (logger.isTraceEnabled()) {
|
||||
if (indices != null) {
|
||||
logger.trace("ACCESS_GRANTED\thost=[{}], principal=[{}], action=[{}], indices=[{}], request=[{}]", message.remoteAddress(), user.principal(), action, indices, message.getClass().getSimpleName());
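Review bot: Evaluating `Privilege.SYSTEM.internalActionPredicate().apply(action)` inline in `accessGranted` gives up the cached static matcher this commit removes (`SYSTEM_ACTION_MATCHER`), even though the method only returns a constant; keeping the previous style is clearer and keeps the per-event audit path free of an extra call: `private static final Predicate<String> INTERNAL_ACTION_MATCHER = Privilege.SYSTEM.internalActionPredicate();` and `if (INTERNAL_ACTION_MATCHER.apply(action)) {`. The comment on the trace branch should also spell out the audit consequence, since this prefix is now the only thing deciding what is missing from the default-level log: `// internal:* actions are recorded at TRACE only; other system-privilege actions (e.g. indices:monitor/*) go through the normal path below`. The body of `accessGranted` continues past the hunk, so whether a non-internal monitor action is covered by a test at a non-trace level cannot be confirmed from here.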
|
||||
|
@ -75,6 +75,8 @@ public abstract class Privilege<P extends Privilege<P>> {
|
||||
|
||||
public static class System extends Privilege<System> {
|
||||
|
||||
private static final Predicate<String> INTERNAL_PREDICATE = new AutomatonPredicate(patterns("internal:*"));
|
||||
|
||||
protected static final Predicate<String> PREDICATE = new AutomatonPredicate(patterns(
|
||||
"internal:*",
|
||||
"indices:monitor/*", // added for marvel
|
||||
@ -90,6 +92,10 @@ public abstract class Privilege<P extends Privilege<P>> {
|
||||
return PREDICATE;
|
||||
}
|
||||
|
||||
public Predicate<String> internalActionPredicate() {
|
||||
return INTERNAL_PREDICATE;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean implies(System other) {
|
||||
return true;
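Review bot: The `"internal:*"` literal now appears twice, in the new `INTERNAL_PREDICATE` and in the existing `PREDICATE` pattern list, so the two can silently drift apart and the audit log would then hide actions that the privilege no longer treats as internal (or vice versa); a shared constant keeps them in sync: `private static final String INTERNAL_ACTION_PATTERN = "internal:*";`, used as `patterns(INTERNAL_ACTION_PATTERN)` in `INTERNAL_PREDICATE` and as the first entry of `PREDICATE`. `internalActionPredicate()` also has no Javadoc although callers rely on it to decide what is kept out of the default-level audit log; something like `/** Matches only the internal ({@code internal:*}) actions, which are audited at TRACE level only; {@link #predicate()} is broader and also covers the monitoring actions. */` would make that contract explicit. Whether the enclosing `predicate()` accessor is an instance method (which would justify the new method not being static) is only partly visible in the hunk.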
|
||||
|
@ -9,6 +9,7 @@ import org.apache.lucene.util.automaton.Automata;
|
||||
import org.apache.lucene.util.automaton.Automaton;
|
||||
import org.apache.lucene.util.automaton.Operations;
|
||||
import org.apache.lucene.util.automaton.RegExp;
|
||||
import org.elasticsearch.common.collect.ImmutableList;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
@ -33,14 +34,7 @@ public final class Automatons {
|
||||
* Builds and returns an automaton that will represent the union of all the given patterns.
|
||||
*/
|
||||
public static Automaton patterns(String... patterns) {
|
||||
if (patterns.length == 0) {
|
||||
return Automata.makeEmpty();
|
||||
}
|
||||
Automaton automaton = pattern(patterns[0]);
|
||||
for (String pattern : patterns) {
|
||||
automaton = union(automaton, pattern(pattern));
|
||||
}
|
||||
return determinize(minimize(automaton));
|
||||
return patterns(ImmutableList.copyOf(patterns));
|
||||
}
|
||||
|
||||
/**
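Review bot: Delegating `patterns(String...)` to `patterns(ImmutableList.copyOf(patterns))` drops the explicit `patterns.length == 0` guard that used to return `Automata.makeEmpty()`; the collection overload is outside this hunk, so unless it is known to handle an empty collection the same way, `patterns()` with no arguments changes behaviour. Keeping the guard in front of the delegation, `if (patterns.length == 0) { return Automata.makeEmpty(); }`, costs one line and removes the doubt. The removed loop also seeded the automaton with `patterns[0]` and then iterated over all patterns including it, so the rewrite is an improvement only if the collection overload builds the union without that duplication, which cannot be verified here.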
|
||||
|
@ -278,7 +278,7 @@ public class LoggingAuditTrailTests extends ElasticsearchTestCase {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAccessGranted_SystemAction() throws Exception {
|
||||
public void testAccessGranted_InternalSystemAction() throws Exception {
|
||||
for (Level level : Level.values()) {
|
||||
CapturingLogger logger = new CapturingLogger(level);
|
||||
LoggingAuditTrail auditTrail = new LoggingAuditTrail(logger);
|
||||
|