[Fix] - access granted on internal calls should be logged on trace

Since the system privilege also mapped to cluster/index monitoring actions, the access granted on those was only logged in `TRACE` level. This commit makes sure that these actions will be treated as any of the other actions, and only keep the *internal* system calls under `TRACE`

Fixes elastic/elasticsearch#554

Original commit: elastic/x-pack-elasticsearch@ffb719f547

src/main/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrail.java

@@ -7,7 +7,6 @@ package org.elasticsearch.shield.audit.logfile;
 
 import org.elasticsearch.action.IndicesRequest;
 import org.elasticsearch.common.Strings;
-import org.elasticsearch.common.base.Predicate;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.common.logging.Loggers;
@@ -32,8 +31,6 @@ public class LoggingAuditTrail implements AuditTrail {
 
     public static final String NAME = "logfile";
 
-    private static final Predicate<String> SYSTEM_ACTION_MATCHER = Privilege.SYSTEM.predicate();
-
     private final ESLogger logger;
 
     @Override
@@ -127,8 +124,8 @@ public class LoggingAuditTrail implements AuditTrail {
     public void accessGranted(User user, String action, TransportMessage<?> message) {
         String indices = indices(message);
 
-        // special treatment for system actions - only log on trace
-        if (SYSTEM_ACTION_MATCHER.apply(action)) {
+        // special treatment for internal system actions - only log on trace
+        if (Privilege.SYSTEM.internalActionPredicate().apply(action)) {
             if (logger.isTraceEnabled()) {
                 if (indices != null) {
                     logger.trace("ACCESS_GRANTED\thost=[{}], principal=[{}], action=[{}], indices=[{}], request=[{}]", message.remoteAddress(), user.principal(), action, indices, message.getClass().getSimpleName());

src/main/java/org/elasticsearch/shield/authz/Privilege.java

@@ -75,6 +75,8 @@ public abstract class Privilege<P extends Privilege<P>> {
 
     public static class System extends Privilege<System> {
 
+        private static final Predicate<String> INTERNAL_PREDICATE = new AutomatonPredicate(patterns("internal:*"));
+
         protected static final Predicate<String> PREDICATE = new AutomatonPredicate(patterns(
                 "internal:*",
                 "indices:monitor/*",  // added for marvel
@@ -90,6 +92,10 @@ public abstract class Privilege<P extends Privilege<P>> {
             return PREDICATE;
         }
 
+        public Predicate<String> internalActionPredicate() {
+            return INTERNAL_PREDICATE;
+        }
+
         @Override
         public boolean implies(System other) {
             return true;

src/main/java/org/elasticsearch/shield/support/Automatons.java

@@ -9,6 +9,7 @@ import org.apache.lucene.util.automaton.Automata;
 import org.apache.lucene.util.automaton.Automaton;
 import org.apache.lucene.util.automaton.Operations;
 import org.apache.lucene.util.automaton.RegExp;
+import org.elasticsearch.common.collect.ImmutableList;
 
 import java.util.ArrayList;
 import java.util.Collection;
@@ -33,14 +34,7 @@ public final class Automatons {
      * Builds and returns an automaton that will represent the union of all the given patterns.
      */
     public static Automaton patterns(String... patterns) {
-        if (patterns.length == 0) {
-            return Automata.makeEmpty();
-        }
-        Automaton automaton = pattern(patterns[0]);
-        for (String pattern : patterns) {
-            automaton = union(automaton, pattern(pattern));
-        }
-        return determinize(minimize(automaton));
+        return patterns(ImmutableList.copyOf(patterns));
     }
 
     /**

src/test/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrailTests.java

@@ -278,7 +278,7 @@ public class LoggingAuditTrailTests extends ElasticsearchTestCase {
     }
 
     @Test
-    public void testAccessGranted_SystemAction() throws Exception {
+    public void testAccessGranted_InternalSystemAction() throws Exception {
         for (Level level : Level.values()) {
             CapturingLogger logger = new CapturingLogger(level);
             LoggingAuditTrail auditTrail = new LoggingAuditTrail(logger);