Change classification of event_type in index audit trail (elastic/elasticsearch#4375)

In LoggingAuditTrail and the audit-event filtering, we distinguish between single-realm authentication failures ("realm_authentication_failure") and global failures ("authentication_failure").

Update the message output of IndexAuditTrail to reflect this distinction.

Original commit: elastic/x-pack-elasticsearch@56802ae2df
Tim Vernum 2016-12-19 14:39:21 +11:00 committed by GitHub
parent c9cfedc3cb
commit df7c528c66
2 changed files with 5 additions and 4 deletions


@ -445,7 +445,8 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail, Cl
if (events.contains(REALM_AUTHENTICATION_FAILED)) {
if (XPackUser.is(token.principal()) == false) {
try {
enqueue(message("authentication_failed", action, token, realm, indices(message), message), "authentication_failed");
enqueue(message("realm_authentication_failed", action, token, realm, indices(message), message),
"realm_authentication_failed");
} catch (Exception e) {
logger.warn("failed to index audit event: [authentication_failed]", e);
}
@ -458,7 +459,7 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail, Cl
if (events.contains(REALM_AUTHENTICATION_FAILED)) {
if (XPackUser.is(token.principal()) == false) {
try {
enqueue(message("authentication_failed", null, token, realm, null, request), "authentication_failed");
enqueue(message("realm_authentication_failed", null, token, realm, null, request), "realm_authentication_failed");
} catch (Exception e) {
logger.warn("failed to index audit event: [authentication_failed]", e);
}
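Review bot: The `logger.warn` calls in both catch blocks still name `[authentication_failed]`, although the event enqueued just above them is now `realm_authentication_failed`. When indexing of a realm-level failure breaks, the warning therefore points at the wrong event type, which makes gaps in the audit index harder to correlate with the records that were lost. Both the overload taking `action`/`message` (hunk at 445) and the one taking `request` (hunk at 458) should read `logger.warn("failed to index audit event: [realm_authentication_failed]", e);`. Since the type string is also passed twice to each `enqueue(message(...), ...)` call, a single local or constant for it would keep the three uses from drifting apart again. Both enclosing methods begin and end outside the hunks shown.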


@ -404,7 +404,7 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
auditor.authenticationFailed("_realm", new MockToken(), "_action", message);
SearchHit hit = getIndexedAuditMessage(enqueuedMessage.get());
assertAuditMessage(hit, "transport", "authentication_failed");
assertAuditMessage(hit, "transport", "realm_authentication_failed");
Map<String, Object> sourceMap = hit.sourceAsMap();
if (message instanceof RemoteHostMockMessage) {
@ -430,7 +430,7 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
auditor.authenticationFailed("_realm", new MockToken(), request);
SearchHit hit = getIndexedAuditMessage(enqueuedMessage.get());
assertAuditMessage(hit, "rest", "authentication_failed");
assertAuditMessage(hit, "rest", "realm_authentication_failed");
Map<String, Object> sourceMap = hit.sourceAsMap();
assertThat("127.0.0.1", equalTo(sourceMap.get("origin_address")));
assertThat("_uri", equalTo(sourceMap.get("uri")));