Emit trace.id into audit logs #82849

Merged
merged 11 commits into from
Jan 25, 2022
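--- a/docs/changelog/82849.yaml
+++ b/docs/changelog/82849.yaml
@@ -0,0 +1,5 @@
+pr: 82849
+summary: Emit `trace.id` into audit logs
+area: "Audit"
+type: enhancement
+issues: []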
1 change: 1 addition & 0 deletions x-pack/plugin/core/src/main/config/log4j2.properties
Expand Up @@ -37,6 +37,7 @@ appender.audit_rolling.layout.pattern = {\
%varsNotEmpty{, "request.name":"%enc{%map{request.name}}{JSON}"}\
%varsNotEmpty{, "indices":%map{indices}}\
%varsNotEmpty{, "opaque_id":"%enc{%map{opaque_id}}{JSON}"}\
%varsNotEmpty{, "trace.id":"%enc{%map{trace.id}}{JSON}"}\
%varsNotEmpty{, "x_forwarded_for":"%enc{%map{x_forwarded_for}}{JSON}"}\
%varsNotEmpty{, "transport.profile":"%enc{%map{transport.profile}}{JSON}"}\
%varsNotEmpty{, "rule":"%enc{%map{rule}}{JSON}"}\
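Review bot: The new `trace.id` entry only reaches deployments that use this shipped pattern, and neither the change nor its changelog says so. Because the layout names every field explicitly, a node running a customised `log4j2.properties` would presumably keep dropping the value without any error. A line in the changelog or upgrade notes would cover it, for example `custom audit layouts must add the "trace.id" entry to appender.audit_rolling.layout.pattern`. The key in this pattern must also stay identical to `TRACE_ID_FIELD_NAME` in LoggingAuditTrail, and nothing visible ties the two strings together, so a test asserting that the field appears in an emitted audit line would catch drift.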
Expand Up @@ -180,6 +180,7 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {
public static final String TRANSPORT_PROFILE_FIELD_NAME = "transport.profile";
public static final String RULE_FIELD_NAME = "rule";
public static final String OPAQUE_ID_FIELD_NAME = "opaque_id";
public static final String TRACE_ID_FIELD_NAME = "trace.id";
public static final String X_FORWARDED_FOR_FIELD_NAME = "x_forwarded_for";
// the fields below are used exclusively for "security_config_change" type of events, and show the configuration
// object taking effect; it could be creating a new, or updating an existing configuration
Expand Down Expand Up @@ -457,8 +458,7 @@ public void authenticationSuccess(String requestId, Authentication authenticatio
.withAuthentication(authentication)
.withRestOrigin(request)
.withRequestBody(request)
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand Down Expand Up @@ -486,8 +486,7 @@ public void authenticationSuccess(String requestId, Authentication authenticatio
.withAuthentication(authentication)
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -506,8 +505,7 @@ public void anonymousAccessDenied(String requestId, String action, TransportRequ
.withRequestId(requestId)
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -523,8 +521,7 @@ public void anonymousAccessDenied(String requestId, RestRequest request) {
.withRestOrigin(request)
.withRequestBody(request)
.withRequestId(requestId)
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -543,8 +540,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, St
.withRequestId(requestId)
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext);
.withThreadContext(threadContext);
if (token instanceof ServiceAccountToken) {
logEntryBuilder.with(SERVICE_TOKEN_NAME_FIELD_NAME, ((ServiceAccountToken) token).getTokenName());
}
Expand All @@ -562,8 +558,7 @@ public void authenticationFailed(String requestId, RestRequest request) {
.withRestOrigin(request)
.withRequestBody(request)
.withRequestId(requestId)
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -581,8 +576,7 @@ public void authenticationFailed(String requestId, String action, TransportReque
.withRequestId(requestId)
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -600,8 +594,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, Re
.withRestOrigin(request)
.withRequestBody(request)
.withRequestId(requestId)
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext);
.withThreadContext(threadContext);
if (token instanceof ServiceAccountToken) {
logEntryBuilder.with(SERVICE_TOKEN_NAME_FIELD_NAME, ((ServiceAccountToken) token).getTokenName());
}
Expand Down Expand Up @@ -630,8 +623,7 @@ public void authenticationFailed(
.withRequestId(requestId)
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -650,8 +642,7 @@ public void authenticationFailed(String requestId, String realm, AuthenticationT
.withRestOrigin(request)
.withRequestBody(request)
.withRequestId(requestId)
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand Down Expand Up @@ -687,8 +678,7 @@ public void accessGranted(
.withAuthentication(authentication)
.withRestOrTransportOrigin(msg, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.with(authorizationInfo.asMap())
.build();
}
Expand Down Expand Up @@ -795,8 +785,7 @@ public void explicitIndexAccessEvent(
.withRequestId(requestId)
.withAuthentication(authentication)
.with(INDICES_FIELD_NAME, indices)
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.with(authorizationInfo.asMap());
final InetSocketAddress restAddress = RemoteHostHeader.restRemoteAddress(threadContext);
if (restAddress != null) {
Expand Down Expand Up @@ -841,8 +830,7 @@ public void accessDenied(
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.with(authorizationInfo.asMap())
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -857,8 +845,7 @@ public void tamperedRequest(String requestId, RestRequest request) {
.withRestOrigin(request)
.withRequestBody(request)
.withRequestId(requestId)
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -876,8 +863,7 @@ public void tamperedRequest(String requestId, String action, TransportRequest tr
.withRequestId(requestId)
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand Down Expand Up @@ -906,8 +892,7 @@ public void tamperedRequest(String requestId, Authentication authentication, Str
.withRestOrTransportOrigin(transportRequest, threadContext)
.withAuthentication(authentication)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -925,8 +910,7 @@ public void connectionGranted(InetAddress inetAddress, String profile, SecurityI
.with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress))
.with(TRANSPORT_PROFILE_FIELD_NAME, profile)
.with(RULE_FIELD_NAME, rule.toString())
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -943,8 +927,7 @@ public void connectionDenied(InetAddress inetAddress, String profile, SecurityIp
.with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress))
.with(TRANSPORT_PROFILE_FIELD_NAME, profile)
.with(RULE_FIELD_NAME, rule.toString())
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand Down Expand Up @@ -979,8 +962,7 @@ public void runAsGranted(
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.with(authorizationInfo.asMap())
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand Down Expand Up @@ -1016,8 +998,7 @@ public void runAsDenied(
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.with(authorizationInfo.asMap())
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand Down Expand Up @@ -1045,8 +1026,7 @@ public void runAsDenied(String requestId, Authentication authentication, RestReq
.withRestOrigin(request)
.withRequestBody(request)
.withRequestId(requestId)
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand Down Expand Up @@ -1473,20 +1453,18 @@ LogEntryBuilder withRequestId(String requestId) {
return this;
}

LogEntryBuilder withOpaqueId(ThreadContext threadContext) {
final String opaqueId = threadContext.getHeader(Task.X_OPAQUE_ID_HTTP_HEADER);
if (opaqueId != null) {
logEntry.with(OPAQUE_ID_FIELD_NAME, opaqueId);
}
LogEntryBuilder withThreadContext(ThreadContext threadContext) {
setThreadContextField(threadContext, AuditTrail.X_FORWARDED_FOR_HEADER, X_FORWARDED_FOR_FIELD_NAME);
setThreadContextField(threadContext, Task.X_OPAQUE_ID_HTTP_HEADER, OPAQUE_ID_FIELD_NAME);
setThreadContextField(threadContext, Task.TRACE_ID, TRACE_ID_FIELD_NAME);
return this;
}

LogEntryBuilder withXForwardedFor(ThreadContext threadContext) {
final String xForwardedFor = threadContext.getHeader(AuditTrail.X_FORWARDED_FOR_HEADER);
if (xForwardedFor != null) {
logEntry.with(X_FORWARDED_FOR_FIELD_NAME, xForwardedFor);
private void setThreadContextField(ThreadContext threadContext, String threadContextFieldName, String auditLogFieldName) {
final String fieldValue = threadContext.getHeader(threadContextFieldName);
if (fieldValue != null) {
logEntry.with(auditLogFieldName, fieldValue);
}
return this;
}

LogEntryBuilder withAuthentication(Authentication authentication) {
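Review bot: `withThreadContext` has no comment about where its three values come from, and for an audit trail that matters. `setThreadContextField` copies whatever `threadContext.getHeader(...)` returns straight into the log entry. Two of the sources are named as HTTP headers (`X_FORWARDED_FOR_HEADER`, `X_OPAQUE_ID_HTTP_HEADER`), and `Task.TRACE_ID` is presumably request-derived as well, though that is not visible here. I would add above the method: `// Copies caller-supplied request headers verbatim; these values are unauthenticated and must only be used for correlation, never as evidence of origin or identity.` No length bound is applied in the visible code. If none is enforced upstream, the comment should say so, since each audit line then grows with client input. The enclosing `LogEntryBuilder` class starts and ends outside the hunk.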