honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add opaque_id to audit logging (#31878) 

Logs opaque_id if it is available with all audit log messages.

Relates #31521
This commit is contained in:
Igor Motov 2018-07-09 13:40:23 -07:00 committed by GitHub
parent 60c1ea2c00
commit dd21ad0d9d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 151 additions and 123 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

183
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
View File

@ -23,6 +23,7 @@ import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.node.Node;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportMessage;
import org.elasticsearch.xpack.core.security.authc.Authentication;
@ -180,11 +181,11 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
if (events.contains(AUTHENTICATION_SUCCESS) && (eventFilterPolicyRegistry.ignorePredicate()
.test(new AuditEventMetaInfo(Optional.of(user), Optional.of(realm), Optional.empty(), Optional.empty())) == false)) {
if (includeRequestBody) {
logger.info("{}[rest] [authentication_success]\t{}, realm=[{}], uri=[{}], params=[{}], request_body=[{}]",
localNodeInfo.prefix, principal(user), realm, request.uri(), request.params(), restRequestContent(request));
logger.info("{}[rest] [authentication_success]\t{}, realm=[{}], uri=[{}], params=[{}]{}, request_body=[{}]",
localNodeInfo.prefix, principal(user), realm, request.uri(), request.params(), opaqueId(), restRequestContent(request));
} else {
logger.info("{}[rest] [authentication_success]\t{}, realm=[{}], uri=[{}], params=[{}]", localNodeInfo.prefix,
principal(user), realm, request.uri(), request.params());
logger.info("{}[rest] [authentication_success]\t{}, realm=[{}], uri=[{}], params=[{}]{}",
localNodeInfo.prefix, principal(user), realm, request.uri(), request.params(), opaqueId());
}
}
}
@ -197,13 +198,13 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
.test(new AuditEventMetaInfo(Optional.of(user), Optional.of(realm), Optional.empty(), indices)) == false) {
final LocalNodeInfo localNodeInfo = this.localNodeInfo;
if (indices.isPresent()) {
logger.info("{}[transport] [authentication_success]\t{}, {}, realm=[{}], action=[{}], indices=[{}], request=[{}]",
logger.info("{}[transport] [authentication_success]\t{}, {}, realm=[{}], action=[{}], indices=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), principal(user), realm, action,
arrayToCommaDelimitedString(indices.get()), message.getClass().getSimpleName());
arrayToCommaDelimitedString(indices.get()), message.getClass().getSimpleName(), opaqueId());
} else {
logger.info("{}[transport] [authentication_success]\t{}, {}, realm=[{}], action=[{}], request=[{}]",
logger.info("{}[transport] [authentication_success]\t{}, {}, realm=[{}], action=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), principal(user), realm, action,
message.getClass().getSimpleName());
message.getClass().getSimpleName(), opaqueId());
}
}
}
@ -217,12 +218,13 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
.test(new AuditEventMetaInfo(Optional.empty(), Optional.empty(), indices)) == false) {
final LocalNodeInfo localNodeInfo = this.localNodeInfo;
if (indices.isPresent()) {
logger.info("{}[transport] [anonymous_access_denied]\t{}, action=[{}], indices=[{}], request=[{}]",
logger.info("{}[transport] [anonymous_access_denied]\t{}, action=[{}], indices=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), action,
arrayToCommaDelimitedString(indices.get()), message.getClass().getSimpleName());
arrayToCommaDelimitedString(indices.get()), message.getClass().getSimpleName(), opaqueId());
} else {
logger.info("{}[transport] [anonymous_access_denied]\t{}, action=[{}], request=[{}]", localNodeInfo.prefix,
originAttributes(threadContext, message, localNodeInfo), action, message.getClass().getSimpleName());
logger.info("{}[transport] [anonymous_access_denied]\t{}, action=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), action,
message.getClass().getSimpleName(), opaqueId());
}
}
}
@ -233,11 +235,11 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
if (events.contains(ANONYMOUS_ACCESS_DENIED)
&& (eventFilterPolicyRegistry.ignorePredicate().test(AuditEventMetaInfo.EMPTY) == false)) {
if (includeRequestBody) {
logger.info("{}[rest] [anonymous_access_denied]\t{}, uri=[{}], request_body=[{}]", localNodeInfo.prefix,
hostAttributes(request), request.uri(), restRequestContent(request));
logger.info("{}[rest] [anonymous_access_denied]\t{}, uri=[{}]{}, request_body=[{}]", localNodeInfo.prefix,
hostAttributes(request), request.uri(), opaqueId(), restRequestContent(request));
} else {
logger.info("{}[rest] [anonymous_access_denied]\t{}, uri=[{}]", localNodeInfo.prefix, hostAttributes(request),
request.uri());
logger.info("{}[rest] [anonymous_access_denied]\t{}, uri=[{}]{}", localNodeInfo.prefix,
hostAttributes(request), request.uri(), opaqueId());
}
}
}
@ -250,13 +252,13 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
.test(new AuditEventMetaInfo(Optional.of(token), Optional.empty(), indices)) == false) {
final LocalNodeInfo localNodeInfo = this.localNodeInfo;
if (indices.isPresent()) {
logger.info("{}[transport] [authentication_failed]\t{}, principal=[{}], action=[{}], indices=[{}], request=[{}]",
logger.info("{}[transport] [authentication_failed]\t{}, principal=[{}], action=[{}], indices=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), token.principal(), action,
arrayToCommaDelimitedString(indices.get()), message.getClass().getSimpleName());
arrayToCommaDelimitedString(indices.get()), message.getClass().getSimpleName(), opaqueId());
} else {
logger.info("{}[transport] [authentication_failed]\t{}, principal=[{}], action=[{}], request=[{}]",
logger.info("{}[transport] [authentication_failed]\t{}, principal=[{}], action=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), token.principal(), action,
message.getClass().getSimpleName());
message.getClass().getSimpleName(), opaqueId());
}
}
}
@ -267,10 +269,11 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
if (events.contains(AUTHENTICATION_FAILED)
&& (eventFilterPolicyRegistry.ignorePredicate().test(AuditEventMetaInfo.EMPTY) == false)) {
if (includeRequestBody) {
logger.info("{}[rest] [authentication_failed]\t{}, uri=[{}], request_body=[{}]", localNodeInfo.prefix,
hostAttributes(request), request.uri(), restRequestContent(request));
logger.info("{}[rest] [authentication_failed]\t{}, uri=[{}]{}, request_body=[{}]", localNodeInfo.prefix,
hostAttributes(request), request.uri(), opaqueId(), restRequestContent(request));
} else {
logger.info("{}[rest] [authentication_failed]\t{}, uri=[{}]", localNodeInfo.prefix, hostAttributes(request), request.uri());
logger.info("{}[rest] [authentication_failed]\t{}, uri=[{}]{}", localNodeInfo.prefix,
hostAttributes(request), request.uri(), opaqueId());
}
}
}
@ -283,12 +286,13 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
.test(new AuditEventMetaInfo(Optional.empty(), Optional.empty(), indices)) == false) {
final LocalNodeInfo localNodeInfo = this.localNodeInfo;
if (indices.isPresent()) {
logger.info("{}[transport] [authentication_failed]\t{}, action=[{}], indices=[{}], request=[{}]", localNodeInfo.prefix,
originAttributes(threadContext, message, localNodeInfo), action, arrayToCommaDelimitedString(indices.get()),
message.getClass().getSimpleName());
logger.info("{}[transport] [authentication_failed]\t{}, action=[{}], indices=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), action,
arrayToCommaDelimitedString(indices.get()), message.getClass().getSimpleName(), opaqueId());
} else {
logger.info("{}[transport] [authentication_failed]\t{}, action=[{}], request=[{}]", localNodeInfo.prefix,
originAttributes(threadContext, message, localNodeInfo), action, message.getClass().getSimpleName());
logger.info("{}[transport] [authentication_failed]\t{}, action=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), action,
message.getClass().getSimpleName(), opaqueId());
}
}
}
@ -300,11 +304,12 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
&& (eventFilterPolicyRegistry.ignorePredicate()
.test(new AuditEventMetaInfo(Optional.of(token), Optional.empty(), Optional.empty())) == false)) {
if (includeRequestBody) {
logger.info("{}[rest] [authentication_failed]\t{}, principal=[{}], uri=[{}], request_body=[{}]", localNodeInfo.prefix,
hostAttributes(request), token.principal(), request.uri(), restRequestContent(request));
logger.info("{}[rest] [authentication_failed]\t{}, principal=[{}], uri=[{}]{}, request_body=[{}]",
localNodeInfo.prefix, hostAttributes(request), token.principal(), request.uri(), opaqueId(),
restRequestContent(request));
} else {
logger.info("{}[rest] [authentication_failed]\t{}, principal=[{}], uri=[{}]", localNodeInfo.prefix, hostAttributes(request),
token.principal(), request.uri());
logger.info("{}[rest] [authentication_failed]\t{}, principal=[{}], uri=[{}]{}",
localNodeInfo.prefix, hostAttributes(request), token.principal(), request.uri(), opaqueId());
}
}
}
@ -319,13 +324,13 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
if (indices.isPresent()) {
logger.info(
"{}[transport] [realm_authentication_failed]\trealm=[{}], {}, principal=[{}], action=[{}], indices=[{}], "
+ "request=[{}]",
+ "request=[{}]{}",
localNodeInfo.prefix, realm, originAttributes(threadContext, message, localNodeInfo), token.principal(), action,
arrayToCommaDelimitedString(indices.get()), message.getClass().getSimpleName());
arrayToCommaDelimitedString(indices.get()), message.getClass().getSimpleName(), opaqueId());
} else {
logger.info("{}[transport] [realm_authentication_failed]\trealm=[{}], {}, principal=[{}], action=[{}], request=[{}]",
logger.info("{}[transport] [realm_authentication_failed]\trealm=[{}], {}, principal=[{}], action=[{}], request=[{}]{}",
localNodeInfo.prefix, realm, originAttributes(threadContext, message, localNodeInfo), token.principal(), action,
message.getClass().getSimpleName());
message.getClass().getSimpleName(), opaqueId());
}
}
}
@ -337,12 +342,13 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
&& (eventFilterPolicyRegistry.ignorePredicate()
.test(new AuditEventMetaInfo(Optional.of(token), Optional.of(realm), Optional.empty())) == false)) {
if (includeRequestBody) {
logger.info("{}[rest] [realm_authentication_failed]\trealm=[{}], {}, principal=[{}], uri=[{}], request_body=[{}]",
localNodeInfo.prefix, realm, hostAttributes(request), token.principal(), request.uri(),
logger.info("{}[rest] [realm_authentication_failed]\trealm=[{}], {}, principal=[{}], uri=[{}]{}, "
+ "request_body=[{}]",
localNodeInfo.prefix, realm, hostAttributes(request), token.principal(), request.uri(), opaqueId(),
restRequestContent(request));
} else {
logger.info("{}[rest] [realm_authentication_failed]\trealm=[{}], {}, principal=[{}], uri=[{}]", localNodeInfo.prefix, realm,
hostAttributes(request), token.principal(), request.uri());
logger.info("{}[rest] [realm_authentication_failed]\trealm=[{}], {}, principal=[{}], uri=[{}]{}",
localNodeInfo.prefix, realm, hostAttributes(request), token.principal(), request.uri(), opaqueId());
}
}
}
@ -357,14 +363,14 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
Optional.of(effectiveRealmName(authentication)), Optional.of(roleNames), indices)) == false) {
final LocalNodeInfo localNodeInfo = this.localNodeInfo;
if (indices.isPresent()) {
logger.info("{}[transport] [access_granted]\t{}, {}, roles=[{}], action=[{}], indices=[{}], request=[{}]",
logger.info("{}[transport] [access_granted]\t{}, {}, roles=[{}], action=[{}], indices=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), subject(authentication),
arrayToCommaDelimitedString(roleNames), action, arrayToCommaDelimitedString(indices.get()),
message.getClass().getSimpleName());
message.getClass().getSimpleName(), opaqueId());
} else {
logger.info("{}[transport] [access_granted]\t{}, {}, roles=[{}], action=[{}], request=[{}]", localNodeInfo.prefix,
originAttributes(threadContext, message, localNodeInfo), subject(authentication),
arrayToCommaDelimitedString(roleNames), action, message.getClass().getSimpleName());
logger.info("{}[transport] [access_granted]\t{}, {}, roles=[{}], action=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), subject(authentication),
arrayToCommaDelimitedString(roleNames), action, message.getClass().getSimpleName(), opaqueId());
}
}
}
@ -378,14 +384,14 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
Optional.of(effectiveRealmName(authentication)), Optional.of(roleNames), indices)) == false) {
final LocalNodeInfo localNodeInfo = this.localNodeInfo;
if (indices.isPresent()) {
logger.info("{}[transport] [access_denied]\t{}, {}, roles=[{}], action=[{}], indices=[{}], request=[{}]",
logger.info("{}[transport] [access_denied]\t{}, {}, roles=[{}], action=[{}], indices=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), subject(authentication),
arrayToCommaDelimitedString(roleNames), action, arrayToCommaDelimitedString(indices.get()),
message.getClass().getSimpleName());
message.getClass().getSimpleName(), opaqueId());
} else {
logger.info("{}[transport] [access_denied]\t{}, {}, roles=[{}], action=[{}], request=[{}]", localNodeInfo.prefix,
originAttributes(threadContext, message, localNodeInfo), subject(authentication),
arrayToCommaDelimitedString(roleNames), action, message.getClass().getSimpleName());
logger.info("{}[transport] [access_denied]\t{}, {}, roles=[{}], action=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), subject(authentication),
arrayToCommaDelimitedString(roleNames), action, message.getClass().getSimpleName(), opaqueId());
}
}
}
@ -395,10 +401,11 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
public void tamperedRequest(RestRequest request) {
if (events.contains(TAMPERED_REQUEST) && (eventFilterPolicyRegistry.ignorePredicate().test(AuditEventMetaInfo.EMPTY) == false)) {
if (includeRequestBody) {
logger.info("{}[rest] [tampered_request]\t{}, uri=[{}], request_body=[{}]", localNodeInfo.prefix, hostAttributes(request),
request.uri(), restRequestContent(request));
logger.info("{}[rest] [tampered_request]\t{}, uri=[{}]{}, request_body=[{}]", localNodeInfo.prefix,
hostAttributes(request), request.uri(), opaqueId(), restRequestContent(request));
} else {
logger.info("{}[rest] [tampered_request]\t{}, uri=[{}]", localNodeInfo.prefix, hostAttributes(request), request.uri());
logger.info("{}[rest] [tampered_request]\t{}, uri=[{}]{}", localNodeInfo.prefix, hostAttributes(request),
request.uri(), opaqueId());
}
}
}
@ -411,12 +418,13 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
.test(new AuditEventMetaInfo(Optional.empty(), Optional.empty(), indices)) == false) {
final LocalNodeInfo localNodeInfo = this.localNodeInfo;
if (indices.isPresent()) {
logger.info("{}[transport] [tampered_request]\t{}, action=[{}], indices=[{}], request=[{}]", localNodeInfo.prefix,
originAttributes(threadContext, message, localNodeInfo), action, arrayToCommaDelimitedString(indices.get()),
message.getClass().getSimpleName());
logger.info("{}[transport] [tampered_request]\t{}, action=[{}], indices=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), action,
arrayToCommaDelimitedString(indices.get()), message.getClass().getSimpleName(), opaqueId());
} else {
logger.info("{}[transport] [tampered_request]\t{}, action=[{}], request=[{}]", localNodeInfo.prefix,
originAttributes(threadContext, message, localNodeInfo), action, message.getClass().getSimpleName());
logger.info("{}[transport] [tampered_request]\t{}, action=[{}], request=[{}]{}", localNodeInfo.prefix,
originAttributes(threadContext, message, localNodeInfo), action, message.getClass().getSimpleName(),
opaqueId());
}
}
}
@ -430,13 +438,13 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
.test(new AuditEventMetaInfo(Optional.of(user), Optional.empty(), Optional.empty(), indices)) == false) {
final LocalNodeInfo localNodeInfo = this.localNodeInfo;
if (indices.isPresent()) {
logger.info("{}[transport] [tampered_request]\t{}, {}, action=[{}], indices=[{}], request=[{}]", localNodeInfo.prefix,
originAttributes(threadContext, request, localNodeInfo), principal(user), action,
arrayToCommaDelimitedString(indices.get()), request.getClass().getSimpleName());
logger.info("{}[transport] [tampered_request]\t{}, {}, action=[{}], indices=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, request, localNodeInfo), principal(user), action,
arrayToCommaDelimitedString(indices.get()), request.getClass().getSimpleName(), opaqueId());
} else {
logger.info("{}[transport] [tampered_request]\t{}, {}, action=[{}], request=[{}]", localNodeInfo.prefix,
logger.info("{}[transport] [tampered_request]\t{}, {}, action=[{}], request=[{}]{}", localNodeInfo.prefix,
originAttributes(threadContext, request, localNodeInfo), principal(user), action,
request.getClass().getSimpleName());
request.getClass().getSimpleName(), opaqueId());
}
}
}
@ -445,16 +453,16 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
@Override
public void connectionGranted(InetAddress inetAddress, String profile, SecurityIpFilterRule rule) {
if (events.contains(CONNECTION_GRANTED) && (eventFilterPolicyRegistry.ignorePredicate().test(AuditEventMetaInfo.EMPTY) == false)) {
logger.info("{}[ip_filter] [connection_granted]\torigin_address=[{}], transport_profile=[{}], rule=[{}]", localNodeInfo.prefix,
NetworkAddress.format(inetAddress), profile, rule);
logger.info("{}[ip_filter] [connection_granted]\torigin_address=[{}], transport_profile=[{}], rule=[{}]{}",
localNodeInfo.prefix, NetworkAddress.format(inetAddress), profile, rule, opaqueId());
}
}
@Override
public void connectionDenied(InetAddress inetAddress, String profile, SecurityIpFilterRule rule) {
if (events.contains(CONNECTION_DENIED) && (eventFilterPolicyRegistry.ignorePredicate().test(AuditEventMetaInfo.EMPTY) == false)) {
logger.info("{}[ip_filter] [connection_denied]\torigin_address=[{}], transport_profile=[{}], rule=[{}]", localNodeInfo.prefix,
NetworkAddress.format(inetAddress), profile, rule);
logger.info("{}[ip_filter] [connection_denied]\torigin_address=[{}], transport_profile=[{}], rule=[{}]{}",
localNodeInfo.prefix, NetworkAddress.format(inetAddress), profile, rule, opaqueId());
}
}
@ -466,15 +474,14 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
Optional.of(effectiveRealmName(authentication)), Optional.of(roleNames), indices)) == false) {
final LocalNodeInfo localNodeInfo = this.localNodeInfo;
if (indices.isPresent()) {
logger.info("{}[transport] [run_as_granted]\t{}, {}, roles=[{}], action=[{}], indices=[{}], request=[{}]",
logger.info("{}[transport] [run_as_granted]\t{}, {}, roles=[{}], action=[{}], indices=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), runAsSubject(authentication),
arrayToCommaDelimitedString(roleNames), action, arrayToCommaDelimitedString(indices.get()),
message.getClass().getSimpleName());
message.getClass().getSimpleName(), opaqueId());
} else {
logger.info("{}[transport] [run_as_granted]\t{}, {}, roles=[{}], action=[{}], request=[{}]", localNodeInfo.prefix,
originAttributes(threadContext, message, localNodeInfo), runAsSubject(authentication),
arrayToCommaDelimitedString(roleNames), action,
message.getClass().getSimpleName());
logger.info("{}[transport] [run_as_granted]\t{}, {}, roles=[{}], action=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), runAsSubject(authentication),
arrayToCommaDelimitedString(roleNames), action, message.getClass().getSimpleName(), opaqueId());
}
}
}
@ -488,14 +495,14 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
Optional.of(effectiveRealmName(authentication)), Optional.of(roleNames), indices)) == false) {
final LocalNodeInfo localNodeInfo = this.localNodeInfo;
if (indices.isPresent()) {
logger.info("{}[transport] [run_as_denied]\t{}, {}, roles=[{}], action=[{}], indices=[{}], request=[{}]",
logger.info("{}[transport] [run_as_denied]\t{}, {}, roles=[{}], action=[{}], indices=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), runAsSubject(authentication),
arrayToCommaDelimitedString(roleNames), action, arrayToCommaDelimitedString(indices.get()),
message.getClass().getSimpleName());
message.getClass().getSimpleName(), opaqueId());
} else {
logger.info("{}[transport] [run_as_denied]\t{}, {}, roles=[{}], action=[{}], request=[{}]", localNodeInfo.prefix,
originAttributes(threadContext, message, localNodeInfo), runAsSubject(authentication),
arrayToCommaDelimitedString(roleNames), action, message.getClass().getSimpleName());
logger.info("{}[transport] [run_as_denied]\t{}, {}, roles=[{}], action=[{}], request=[{}]{}",
localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), runAsSubject(authentication),
arrayToCommaDelimitedString(roleNames), action, message.getClass().getSimpleName(), opaqueId());
}
}
}
@ -507,12 +514,13 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
&& (eventFilterPolicyRegistry.ignorePredicate().test(new AuditEventMetaInfo(Optional.of(authentication.getUser()),
Optional.of(effectiveRealmName(authentication)), Optional.of(roleNames), Optional.empty())) == false)) {
if (includeRequestBody) {
logger.info("{}[rest] [run_as_denied]\t{}, {}, roles=[{}], uri=[{}], request_body=[{}]", localNodeInfo.prefix,
hostAttributes(request), runAsSubject(authentication), arrayToCommaDelimitedString(roleNames), request.uri(),
restRequestContent(request));
logger.info("{}[rest] [run_as_denied]\t{}, {}, roles=[{}], uri=[{}], request_body=[{}]{}",
localNodeInfo.prefix, hostAttributes(request), runAsSubject(authentication),
arrayToCommaDelimitedString(roleNames), request.uri(), restRequestContent(request), opaqueId());
} else {
logger.info("{}[rest] [run_as_denied]\t{}, {}, roles=[{}], uri=[{}]", localNodeInfo.prefix, hostAttributes(request),
runAsSubject(authentication), arrayToCommaDelimitedString(roleNames), request.uri());
logger.info("{}[rest] [run_as_denied]\t{}, {}, roles=[{}], uri=[{}]{}", localNodeInfo.prefix,
hostAttributes(request), runAsSubject(authentication), arrayToCommaDelimitedString(roleNames), request.uri(),
opaqueId());
}
}
}
@ -552,6 +560,15 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
return restOriginTag(threadContext).orElse(transportOriginTag(message).orElse(localNodeInfo.localOriginTag));
}
private String opaqueId() {
String opaqueId = threadContext.getHeader(Task.X_OPAQUE_ID);
if (opaqueId != null) {
return ", opaque_id=[" + opaqueId + "]";
} else {
return "";
}
}
private static Optional<String> restOriginTag(ThreadContext threadContext) {
final InetSocketAddress restAddress = RemoteHostHeader.restRemoteAddress(threadContext);
if (restAddress == null) {

91
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
View File

@ -25,6 +25,7 @@ import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.mock.orig.Mockito;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.test.rest.FakeRestRequest;
import org.elasticsearch.test.rest.FakeRestRequest.Builder;
@ -122,6 +123,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
private ClusterService clusterService;
private ThreadContext threadContext;
private boolean includeRequestBody;
private String opaqueId;
@Before
public void init() throws Exception {
@ -145,6 +147,13 @@ public class LoggingAuditTrailTests extends ESTestCase {
when(clusterService.getClusterSettings()).thenReturn(clusterSettings);
prefix = LoggingAuditTrail.LocalNodeInfo.resolvePrefix(settings, localNode);
threadContext = new ThreadContext(Settings.EMPTY);
if (randomBoolean()) {
String id = randomAlphaOfLength(10);
threadContext.putHeader(Task.X_OPAQUE_ID, id);
opaqueId = ", opaque_id=[" + id + "]";
} else {
opaqueId = "";
}
}
public void testAnonymousAccessDeniedTransport() throws Exception {
@ -155,10 +164,10 @@ public class LoggingAuditTrailTests extends ESTestCase {
auditTrail.anonymousAccessDenied("_action", message);
if (message instanceof IndicesRequest) {
assertMsg(logger, Level.INFO, prefix + "[transport] [anonymous_access_denied]\t" + origins +
", action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]");
", action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]" + opaqueId);
} else {
assertMsg(logger, Level.INFO, prefix + "[transport] [anonymous_access_denied]\t" + origins +
", action=[_action], request=[MockMessage]");
", action=[_action], request=[MockMessage]" + opaqueId);
}
// test disabled
@ -179,10 +188,10 @@ public class LoggingAuditTrailTests extends ESTestCase {
auditTrail.anonymousAccessDenied(request);
if (includeRequestBody) {
assertMsg(logger, Level.INFO, prefix + "[rest] [anonymous_access_denied]\torigin_address=[" +
NetworkAddress.format(address) + "], uri=[_uri], request_body=[" + expectedMessage + "]");
NetworkAddress.format(address) + "], uri=[_uri]" + opaqueId + ", request_body=[" + expectedMessage + "]");
} else {
assertMsg(logger, Level.INFO, prefix + "[rest] [anonymous_access_denied]\torigin_address=[" +
NetworkAddress.format(address) + "], uri=[_uri]");
NetworkAddress.format(address) + "], uri=[_uri]" + opaqueId);
}
// test disabled
@ -202,10 +211,10 @@ public class LoggingAuditTrailTests extends ESTestCase {
if (message instanceof IndicesRequest) {
assertMsg(logger, Level.INFO, prefix + "[transport] [authentication_failed]\t" + origins +
", principal=[_principal], action=[_action], indices=[" + indices(message) +
"], request=[MockIndicesRequest]");
"], request=[MockIndicesRequest]" + opaqueId);
} else {
assertMsg(logger, Level.INFO, prefix + "[transport] [authentication_failed]\t" + origins +
", principal=[_principal], action=[_action], request=[MockMessage]");
", principal=[_principal], action=[_action], request=[MockMessage]" + opaqueId);
}
// test disabled
@ -224,10 +233,10 @@ public class LoggingAuditTrailTests extends ESTestCase {
auditTrail.authenticationFailed("_action", message);
if (message instanceof IndicesRequest) {
assertMsg(logger, Level.INFO, prefix + "[transport] [authentication_failed]\t" + origins +
", action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]");
", action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]" + opaqueId);
} else {
assertMsg(logger, Level.INFO, prefix + "[transport] [authentication_failed]\t" + origins +
", action=[_action], request=[MockMessage]");
", action=[_action], request=[MockMessage]" + opaqueId);
}
// test disabled
@ -248,11 +257,11 @@ public class LoggingAuditTrailTests extends ESTestCase {
auditTrail.authenticationFailed(new MockToken(), request);
if (includeRequestBody) {
assertMsg(logger, Level.INFO, prefix + "[rest] [authentication_failed]\torigin_address=[" +
NetworkAddress.format(address) + "], principal=[_principal], uri=[_uri], request_body=[" +
NetworkAddress.format(address) + "], principal=[_principal], uri=[_uri]" + opaqueId + ", request_body=[" +
expectedMessage + "]");
} else {
assertMsg(logger, Level.INFO, prefix + "[rest] [authentication_failed]\torigin_address=[" +
NetworkAddress.format(address) + "], principal=[_principal], uri=[_uri]");
NetworkAddress.format(address) + "], principal=[_principal], uri=[_uri]" + opaqueId);
}
// test disabled
@ -273,10 +282,10 @@ public class LoggingAuditTrailTests extends ESTestCase {
auditTrail.authenticationFailed(request);
if (includeRequestBody) {
assertMsg(logger, Level.INFO, prefix + "[rest] [authentication_failed]\torigin_address=[" +
NetworkAddress.format(address) + "], uri=[_uri], request_body=[" + expectedMessage + "]");
NetworkAddress.format(address) + "], uri=[_uri]" + opaqueId + ", request_body=[" + expectedMessage + "]");
} else {
assertMsg(logger, Level.INFO, prefix + "[rest] [authentication_failed]\torigin_address=[" +
NetworkAddress.format(address) + "], uri=[_uri]");
NetworkAddress.format(address) + "], uri=[_uri]" + opaqueId);
}
// test disabled
@ -303,10 +312,10 @@ public class LoggingAuditTrailTests extends ESTestCase {
if (message instanceof IndicesRequest) {
assertMsg(logger, Level.INFO, prefix + "[transport] [realm_authentication_failed]\trealm=[_realm], " + origins +
", principal=[_principal], action=[_action], indices=[" + indices(message) + "], " +
"request=[MockIndicesRequest]");
"request=[MockIndicesRequest]" + opaqueId);
} else {
assertMsg(logger, Level.INFO, prefix + "[transport] [realm_authentication_failed]\trealm=[_realm], " + origins +
", principal=[_principal], action=[_action], request=[MockMessage]");
", principal=[_principal], action=[_action], request=[MockMessage]" + opaqueId);
}
}
@ -327,11 +336,11 @@ public class LoggingAuditTrailTests extends ESTestCase {
auditTrail.authenticationFailed("_realm", new MockToken(), request);
if (includeRequestBody) {
assertMsg(logger, Level.INFO, prefix + "[rest] [realm_authentication_failed]\trealm=[_realm], origin_address=[" +
NetworkAddress.format(address) + "], principal=[_principal], uri=[_uri], request_body=[" +
NetworkAddress.format(address) + "], principal=[_principal], uri=[_uri]" + opaqueId + ", request_body=[" +
expectedMessage + "]");
} else {
assertMsg(logger, Level.INFO, prefix + "[rest] [realm_authentication_failed]\trealm=[_realm], origin_address=[" +
NetworkAddress.format(address) + "], principal=[_principal], uri=[_uri]");
NetworkAddress.format(address) + "], principal=[_principal], uri=[_uri]" + opaqueId);
}
}
@ -353,10 +362,10 @@ public class LoggingAuditTrailTests extends ESTestCase {
: "principal=[_username], realm=[authRealm]") + ", roles=[" + role + "]";
if (message instanceof IndicesRequest) {
assertMsg(logger, Level.INFO, prefix + "[transport] [access_granted]\t" + origins + ", " + userInfo +
", action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]");
", action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]" + opaqueId);
} else {
assertMsg(logger, Level.INFO, prefix + "[transport] [access_granted]\t" + origins + ", " + userInfo +
", action=[_action], request=[MockMessage]");
", action=[_action], request=[MockMessage]" + opaqueId);
}
// test disabled
@ -384,11 +393,11 @@ public class LoggingAuditTrailTests extends ESTestCase {
assertMsg(logger, Level.INFO, prefix + "[transport] [access_granted]\t" + origins + ", principal=[" +
SystemUser.INSTANCE.principal()
+ "], realm=[authRealm], roles=[" + role + "], action=[internal:_action], indices=[" + indices(message)
+ "], request=[MockIndicesRequest]");
+ "], request=[MockIndicesRequest]" + opaqueId);
} else {
assertMsg(logger, Level.INFO, prefix + "[transport] [access_granted]\t" + origins + ", principal=[" +
SystemUser.INSTANCE.principal() + "], realm=[authRealm], roles=[" + role
+ "], action=[internal:_action], request=[MockMessage]");
+ "], action=[internal:_action], request=[MockMessage]" + opaqueId);
}
}
@ -410,10 +419,10 @@ public class LoggingAuditTrailTests extends ESTestCase {
: "principal=[_username], realm=[authRealm]") + ", roles=[" + role + "]";
if (message instanceof IndicesRequest) {
assertMsg(logger, Level.INFO, prefix + "[transport] [access_granted]\t" + origins + ", " + userInfo +
", action=[internal:_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]");
", action=[internal:_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]" + opaqueId);
} else {
assertMsg(logger, Level.INFO, prefix + "[transport] [access_granted]\t" + origins + ", " + userInfo +
", action=[internal:_action], request=[MockMessage]");
", action=[internal:_action], request=[MockMessage]" + opaqueId);
}
// test disabled
@ -442,10 +451,10 @@ public class LoggingAuditTrailTests extends ESTestCase {
: "principal=[_username], realm=[authRealm]") + ", roles=[" + role + "]";
if (message instanceof IndicesRequest) {
assertMsg(logger, Level.INFO, prefix + "[transport] [access_denied]\t" + origins + ", " + userInfo +
", action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]");
", action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]" + opaqueId);
} else {
assertMsg(logger, Level.INFO, prefix + "[transport] [access_denied]\t" + origins + ", " + userInfo +
", action=[_action], request=[MockMessage]");
", action=[_action], request=[MockMessage]" + opaqueId);
}
// test disabled
@ -466,10 +475,10 @@ public class LoggingAuditTrailTests extends ESTestCase {
auditTrail.tamperedRequest(request);
if (includeRequestBody) {
assertMsg(logger, Level.INFO, prefix + "[rest] [tampered_request]\torigin_address=[" +
NetworkAddress.format(address) + "], uri=[_uri], request_body=[" + expectedMessage + "]");
NetworkAddress.format(address) + "], uri=[_uri]" + opaqueId + ", request_body=[" + expectedMessage + "]");
} else {
assertMsg(logger, Level.INFO, prefix + "[rest] [tampered_request]\torigin_address=[" +
NetworkAddress.format(address) + "], uri=[_uri]");
NetworkAddress.format(address) + "], uri=[_uri]" + opaqueId);
}
// test disabled
@ -489,10 +498,10 @@ public class LoggingAuditTrailTests extends ESTestCase {
auditTrail.tamperedRequest(action, message);
if (message instanceof IndicesRequest) {
assertMsg(logger, Level.INFO, prefix + "[transport] [tampered_request]\t" + origins +
", action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]");
", action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]" + opaqueId);
} else {
assertMsg(logger, Level.INFO, prefix + "[transport] [tampered_request]\t" + origins +
", action=[_action], request=[MockMessage]");
", action=[_action], request=[MockMessage]" + opaqueId);
}
// test disabled
@ -516,10 +525,10 @@ public class LoggingAuditTrailTests extends ESTestCase {
auditTrail.tamperedRequest(user, action, message);
if (message instanceof IndicesRequest) {
assertMsg(logger, Level.INFO, prefix + "[transport] [tampered_request]\t" + origins + ", " + userInfo +
", action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]");
", action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]" + opaqueId);
} else {
assertMsg(logger, Level.INFO, prefix + "[transport] [tampered_request]\t" + origins + ", " + userInfo +
", action=[_action], request=[MockMessage]");
", action=[_action], request=[MockMessage]" + opaqueId);
}
// test disabled
@ -537,7 +546,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
final SecurityIpFilterRule rule = new SecurityIpFilterRule(false, "_all");
auditTrail.connectionDenied(inetAddress, "default", rule);
assertMsg(logger, Level.INFO, String.format(Locale.ROOT, prefix +
"[ip_filter] [connection_denied]\torigin_address=[%s], transport_profile=[%s], rule=[deny %s]",
"[ip_filter] [connection_denied]\torigin_address=[%s], transport_profile=[%s], rule=[deny %s]" + opaqueId,
NetworkAddress.format(inetAddress), "default", "_all"));
// test disabled
@ -562,7 +571,8 @@ public class LoggingAuditTrailTests extends ESTestCase {
auditTrail = new LoggingAuditTrail(settings, clusterService, logger, threadContext);
auditTrail.connectionGranted(inetAddress, "default", rule);
assertMsg(logger, Level.INFO, String.format(Locale.ROOT, prefix + "[ip_filter] [connection_granted]\torigin_address=[%s], " +
"transport_profile=[default], rule=[allow default:accept_all]", NetworkAddress.format(inetAddress)));
"transport_profile=[default], rule=[allow default:accept_all]" + opaqueId,
NetworkAddress.format(inetAddress)));
}
public void testRunAsGranted() throws Exception {
@ -577,12 +587,12 @@ public class LoggingAuditTrailTests extends ESTestCase {
assertMsg(logger, Level.INFO,
prefix + "[transport] [run_as_granted]\t" + origins
+ ", principal=[_username], realm=[authRealm], run_as_principal=[running as], run_as_realm=[lookRealm], roles=["
+ role + "], action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]");
+ role + "], action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]" + opaqueId);
} else {
assertMsg(logger, Level.INFO,
prefix + "[transport] [run_as_granted]\t" + origins
+ ", principal=[_username], realm=[authRealm], run_as_principal=[running as], run_as_realm=[lookRealm], roles=["
+ role + "], action=[_action], request=[MockMessage]");
+ role + "], action=[_action], request=[MockMessage]" + opaqueId);
}
// test disabled
@ -605,12 +615,12 @@ public class LoggingAuditTrailTests extends ESTestCase {
assertMsg(logger, Level.INFO,
prefix + "[transport] [run_as_denied]\t" + origins
+ ", principal=[_username], realm=[authRealm], run_as_principal=[running as], run_as_realm=[lookRealm], roles=["
+ role + "], action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]");
+ role + "], action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]" + opaqueId);
} else {
assertMsg(logger, Level.INFO,
prefix + "[transport] [run_as_denied]\t" + origins
+ ", principal=[_username], realm=[authRealm], run_as_principal=[running as], run_as_realm=[lookRealm], roles=["
+ role + "], action=[_action], request=[MockMessage]");
+ role + "], action=[_action], request=[MockMessage]" + opaqueId);
}
// test disabled
@ -667,10 +677,11 @@ public class LoggingAuditTrailTests extends ESTestCase {
if (includeRequestBody) {
assertMsg(logger, Level.INFO,
prefix + "[rest] [authentication_success]\t" + userInfo + ", realm=[_realm], uri=[_uri], params=[" + params
+ "], request_body=[" + expectedMessage + "]");
+ "]" + opaqueId + ", request_body=[" + expectedMessage + "]");
} else {
assertMsg(logger, Level.INFO,
prefix + "[rest] [authentication_success]\t" + userInfo + ", realm=[_realm], uri=[_uri], params=[" + params + "]");
prefix + "[rest] [authentication_success]\t" + userInfo + ", realm=[_realm], uri=[_uri], params=[" + params
+ "]" + opaqueId);
}
// test disabled
@ -701,10 +712,10 @@ public class LoggingAuditTrailTests extends ESTestCase {
auditTrail.authenticationSuccess(realm, user, "_action", message);
if (message instanceof IndicesRequest) {
assertMsg(logger, Level.INFO, prefix + "[transport] [authentication_success]\t" + origins + ", " + userInfo
+ ", realm=[_realm], action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]");
+ ", realm=[_realm], action=[_action], indices=[" + indices(message) + "], request=[MockIndicesRequest]" + opaqueId);
} else {
assertMsg(logger, Level.INFO, prefix + "[transport] [authentication_success]\t" + origins + ", " + userInfo
+ ", realm=[_realm], action=[_action], request=[MockMessage]");
+ ", realm=[_realm], action=[_action], request=[MockMessage]" + opaqueId);
}
// test disabled