[Fix] - access granted on internal calls should be logged on trace

Since the system privilege also mapped to cluster/index monitoring actions, access granted on those was only logged at `TRACE` level. This commit makes sure that these actions are treated like any other action, and only keeps the *internal* system calls under `TRACE`.

Fixes elastic/elasticsearch#554

Original commit: elastic/x-pack-elasticsearch@ffb719f547
uboness 2015-01-11 13:12:06 +01:00
parent 8b38fde21d
commit 6a95a0d17e
4 changed files with 11 additions and 14 deletions


@ -7,7 +7,6 @@ package org.elasticsearch.shield.audit.logfile;
import org.elasticsearch.action.IndicesRequest; import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.common.Strings; import org.elasticsearch.common.Strings;
import org.elasticsearch.common.base.Predicate;
import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.logging.ESLogger; import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.logging.Loggers; import org.elasticsearch.common.logging.Loggers;
@ -32,8 +31,6 @@ public class LoggingAuditTrail implements AuditTrail {
public static final String NAME = "logfile"; public static final String NAME = "logfile";
private static final Predicate<String> SYSTEM_ACTION_MATCHER = Privilege.SYSTEM.predicate();
private final ESLogger logger; private final ESLogger logger;
@Override @Override
@ -127,8 +124,8 @@ public class LoggingAuditTrail implements AuditTrail {
public void accessGranted(User user, String action, TransportMessage<?> message) { public void accessGranted(User user, String action, TransportMessage<?> message) {
String indices = indices(message); String indices = indices(message);
// special treatment for system actions - only log on trace // special treatment for internal system actions - only log on trace
if (SYSTEM_ACTION_MATCHER.apply(action)) { if (Privilege.SYSTEM.internalActionPredicate().apply(action)) {
if (logger.isTraceEnabled()) { if (logger.isTraceEnabled()) {
if (indices != null) { if (indices != null) {
logger.trace("ACCESS_GRANTED\thost=[{}], principal=[{}], action=[{}], indices=[{}], request=[{}]", message.remoteAddress(), user.principal(), action, indices, message.getClass().getSimpleName()); logger.trace("ACCESS_GRANTED\thost=[{}], principal=[{}], action=[{}], indices=[{}], request=[{}]", message.remoteAddress(), user.principal(), action, indices, message.getClass().getSimpleName());
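Review bot: The new check on L32 calls `Privilege.SYSTEM.internalActionPredicate()` on every granted access, whereas the removed `SYSTEM_ACTION_MATCHER` field resolved the predicate once. The method returns a static constant, so the cost is negligible, but caching it as `private static final Predicate<String> INTERNAL_ACTION_MATCHER = Privilege.SYSTEM.internalActionPredicate();` would keep the class's previous style and make the audited/suppressed split visible at the top of the file. Either way the comment on L31 would read better if it stated the rule explicitly, e.g. `// only node-internal (internal:*) actions are demoted to TRACE; monitoring actions are audited like any other`. The suppression now keys solely on the action-name prefix, so it is worth confirming that nothing reaching this trail under `internal:*` can originate from an external client, since such an event would be absent from the regular audit log. accessGranted's body continues past the hunk.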


@ -75,6 +75,8 @@ public abstract class Privilege<P extends Privilege<P>> {
public static class System extends Privilege<System> { public static class System extends Privilege<System> {
private static final Predicate<String> INTERNAL_PREDICATE = new AutomatonPredicate(patterns("internal:*"));
protected static final Predicate<String> PREDICATE = new AutomatonPredicate(patterns( protected static final Predicate<String> PREDICATE = new AutomatonPredicate(patterns(
"internal:*", "internal:*",
"indices:monitor/*", // added for marvel "indices:monitor/*", // added for marvel
@ -90,6 +92,10 @@ public abstract class Privilege<P extends Privilege<P>> {
return PREDICATE; return PREDICATE;
} }
public Predicate<String> internalActionPredicate() {
return INTERNAL_PREDICATE;
}
@Override @Override
public boolean implies(System other) { public boolean implies(System other) {
return true; return true;
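Review bot: The `"internal:*"` literal is now written twice, once in `INTERNAL_PREDICATE` (L41) and once inside `PREDICATE` (L43), so the two predicates can silently diverge if either is edited; pulling it into `private static final String INTERNAL_ACTION_PATTERN = "internal:*";` and referencing it from both keeps the subset relationship by construction. `internalActionPredicate()` (L48) is also the only public accessor here without Javadoc; something like `/** Matches only node-internal {@code internal:*} actions, a strict subset of {@link #predicate()}; lets callers tell internal traffic apart from the monitoring actions this privilege also grants. */` would document why two predicates exist. Minor: `INTERNAL_PREDICATE` is `private` while the sibling `PREDICATE` is `protected`, which looks unintentional rather than deliberate.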


@ -9,6 +9,7 @@ import org.apache.lucene.util.automaton.Automata;
import org.apache.lucene.util.automaton.Automaton; import org.apache.lucene.util.automaton.Automaton;
import org.apache.lucene.util.automaton.Operations; import org.apache.lucene.util.automaton.Operations;
import org.apache.lucene.util.automaton.RegExp; import org.apache.lucene.util.automaton.RegExp;
import org.elasticsearch.common.collect.ImmutableList;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
@ -33,14 +34,7 @@ public final class Automatons {
* Builds and returns an automaton that will represent the union of all the given patterns. * Builds and returns an automaton that will represent the union of all the given patterns.
*/ */
public static Automaton patterns(String... patterns) { public static Automaton patterns(String... patterns) {
if (patterns.length == 0) { return patterns(ImmutableList.copyOf(patterns));
return Automata.makeEmpty();
}
Automaton automaton = pattern(patterns[0]);
for (String pattern : patterns) {
automaton = union(automaton, pattern(pattern));
}
return determinize(minimize(automaton));
} }
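Review bot: `patterns(String...)` on L68 now delegates to a Collection overload that is outside this hunk, so the varargs path's empty-input result (`Automata.makeEmpty()`) and the `determinize(minimize(...))` normalisation removed here are only preserved if that overload performs them; please confirm, and check that the `Automata` import on L57 is still used. `ImmutableList.copyOf` also rejects null elements with a NullPointerException, where the old loop would have passed them on to `pattern(...)`; that is a reasonable tightening, but a one-line note would help: `// ImmutableList.copyOf rejects null patterns up front`. If the overload only iterates its argument, `return patterns(Arrays.asList(patterns));` with `java.util.Arrays` would avoid the new `ImmutableList` import added at L61.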
/** /**


@ -278,7 +278,7 @@ public class LoggingAuditTrailTests extends ElasticsearchTestCase {
} }
@Test @Test
public void testAccessGranted_SystemAction() throws Exception { public void testAccessGranted_InternalSystemAction() throws Exception {
for (Level level : Level.values()) { for (Level level : Level.values()) {
CapturingLogger logger = new CapturingLogger(level); CapturingLogger logger = new CapturingLogger(level);
LoggingAuditTrail auditTrail = new LoggingAuditTrail(logger); LoggingAuditTrail auditTrail = new LoggingAuditTrail(logger);
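Review bot: The only change to the tests is the rename on L84; judging by the diffstat (11 additions across four files, most of them in Privilege and Automatons), no test appears to have been added for the behaviour this commit actually changes, namely that `indices:monitor/*` and other non-internal system actions are now logged at the regular level rather than only under TRACE. A companion test such as `testAccessGranted_MonitoringSystemAction`, asserting that `auditTrail.accessGranted(...)` with an action matching `indices:monitor/*` produces an ACCESS_GRANTED entry when the logger level is above TRACE, would pin the fix and catch a future regression that widens the suppressed set again. The test body continues past the hunk.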