[Fix] - access granted on internal calls should be logged on trace

Since the system privilege also maps to cluster/index monitoring actions, access granted on those was only logged at `TRACE` level. This commit makes sure that these actions are treated like any other action, and keeps only the *internal* system calls under `TRACE`

Fixes elastic/elasticsearch#554

Original commit: elastic/x-pack-elasticsearch@ffb719f547
uboness 2015-01-11 13:12:06 +01:00
parent 8b38fde21d
commit 6a95a0d17e
4 changed files with 11 additions and 14 deletions


@ -7,7 +7,6 @@ package org.elasticsearch.shield.audit.logfile;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.base.Predicate;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.logging.Loggers;
@ -32,8 +31,6 @@ public class LoggingAuditTrail implements AuditTrail {
public static final String NAME = "logfile";
private static final Predicate<String> SYSTEM_ACTION_MATCHER = Privilege.SYSTEM.predicate();
private final ESLogger logger;
@Override
@ -127,8 +124,8 @@ public class LoggingAuditTrail implements AuditTrail {
public void accessGranted(User user, String action, TransportMessage<?> message) {
String indices = indices(message);
// special treatment for system actions - only log on trace
if (SYSTEM_ACTION_MATCHER.apply(action)) {
// special treatment for internal system actions - only log on trace
if (Privilege.SYSTEM.internalActionPredicate().apply(action)) {
if (logger.isTraceEnabled()) {
if (indices != null) {
logger.trace("ACCESS_GRANTED\thost=[{}], principal=[{}], action=[{}], indices=[{}], request=[{}]", message.remoteAddress(), user.principal(), action, indices, message.getClass().getSimpleName());
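Review bot: The new check `if (Privilege.SYSTEM.internalActionPredicate().apply(action))` inlines what the removed `SYSTEM_ACTION_MATCHER` field expressed at class level; keeping a `private static final Predicate<String> INTERNAL_ACTION_MATCHER = Privilege.SYSTEM.internalActionPredicate();` next to `NAME` would keep the audit policy (which actions are demoted to TRACE) visible in one place and would also keep the now-removed `Predicate` import in use. The replaced comment still only says what happens, not why; something like `// only internal:* actions are demoted to TRACE; every other system-privilege action (e.g. indices:monitor/*) is audited like a user action` would record the intent of this fix for the next reader. `accessGranted` continues past the end of the hunk.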


@ -75,6 +75,8 @@ public abstract class Privilege<P extends Privilege<P>> {
public static class System extends Privilege<System> {
private static final Predicate<String> INTERNAL_PREDICATE = new AutomatonPredicate(patterns("internal:*"));
protected static final Predicate<String> PREDICATE = new AutomatonPredicate(patterns(
"internal:*",
"indices:monitor/*", // added for marvel
@ -90,6 +92,10 @@ public abstract class Privilege<P extends Privilege<P>> {
return PREDICATE;
}
public Predicate<String> internalActionPredicate() {
return INTERNAL_PREDICATE;
}
@Override
public boolean implies(System other) {
return true;
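Review bot: `internalActionPredicate()` is a new public method without Javadoc, and since it returns the static `INTERNAL_PREDICATE` its relation to `predicate()` is not stated anywhere; a short Javadoc such as `/** Predicate matching only the {@code internal:*} actions, a strict subset of {@link #predicate()}; the audit trail uses it to decide which system actions are logged at TRACE only. */` would make that contract explicit. The `"internal:*"` literal is now repeated in both `INTERNAL_PREDICATE` and `PREDICATE`; pulling it into one shared constant would keep the two from drifting apart if the internal action namespace is ever changed. The `System` class continues outside the hunk.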


@ -9,6 +9,7 @@ import org.apache.lucene.util.automaton.Automata;
import org.apache.lucene.util.automaton.Automaton;
import org.apache.lucene.util.automaton.Operations;
import org.apache.lucene.util.automaton.RegExp;
import org.elasticsearch.common.collect.ImmutableList;
import java.util.ArrayList;
import java.util.Collection;
@ -33,14 +34,7 @@ public final class Automatons {
* Builds and returns an automaton that will represent the union of all the given patterns.
*/
public static Automaton patterns(String... patterns) {
if (patterns.length == 0) {
return Automata.makeEmpty();
}
Automaton automaton = pattern(patterns[0]);
for (String pattern : patterns) {
automaton = union(automaton, pattern(pattern));
}
return determinize(minimize(automaton));
return patterns(ImmutableList.copyOf(patterns));
}
/**
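Review bot: The empty-array guard that returned `Automata.makeEmpty()` no longer lives in this overload; `return patterns(ImmutableList.copyOf(patterns));` now relies on `patterns(Collection)`, which is outside the hunk, to treat an empty input as match-nothing. That default matters for the privileges built on these automata: an empty pattern list resolving to anything other than an empty automaton would widen what a privilege permits rather than narrow it, so it is worth confirming the collection overload keeps that behaviour and also applies the `determinize(minimize(...))` step the old loop did. The Javadoc above the method could state it: `* An empty pattern list yields an empty automaton (matches nothing).`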


@ -278,7 +278,7 @@ public class LoggingAuditTrailTests extends ElasticsearchTestCase {
}
@Test
public void testAccessGranted_SystemAction() throws Exception {
public void testAccessGranted_InternalSystemAction() throws Exception {
for (Level level : Level.values()) {
CapturingLogger logger = new CapturingLogger(level);
LoggingAuditTrail auditTrail = new LoggingAuditTrail(logger);