Improve auditing of API key authentication #58928

1. Add the `apikey.id`, `apikey.name` and `authentication.type` fields to the `access_granted`, `access_denied`, `authentication_success`, and (some) `tampered_request` audit events. The `apikey.id` and `apikey.name` are present only when authn using an API Key. 2. When authn with an API Key, the `user.realm` field now contains the effective realm name of the user that created the key, instead of the synthetic value of `_es_api_key`.
elastic · Jul 9, 2020 · 2b7456d · 2b7456d
1 parent d323f8d
commit 2b7456d
Show file tree

Hide file tree

Showing 11 changed files with 452 additions and 224 deletions.
diff --git a/x-pack/plugin/core/src/main/config/log4j2.properties b/x-pack/plugin/core/src/main/config/log4j2.properties
@@ -17,8 +17,11 @@ appender.audit_rolling.layout.pattern = {\
                 %varsNotEmpty{, "user.realm":"%enc{%map{user.realm}}{JSON}"}\
                 %varsNotEmpty{, "user.run_by.realm":"%enc{%map{user.run_by.realm}}{JSON}"}\
                 %varsNotEmpty{, "user.run_as.realm":"%enc{%map{user.run_as.realm}}{JSON}"}\
+                %varsNotEmpty{, "apikey.id":"%enc{%map{apikey.id}}{JSON}"}\
+                %varsNotEmpty{, "apikey.name":"%enc{%map{apikey.name}}{JSON}"}\
                 %varsNotEmpty{, "user.roles":%map{user.roles}}\
                 %varsNotEmpty{, "origin.type":"%enc{%map{origin.type}}{JSON}"}\
+                %varsNotEmpty{, "authentication.type":"%enc{%map{authentication.type}}{JSON}"}\
                 %varsNotEmpty{, "origin.address":"%enc{%map{origin.address}}{JSON}"}\
                 %varsNotEmpty{, "realm":"%enc{%map{realm}}{JSON}"}\
                 %varsNotEmpty{, "url.path":"%enc{%map{url.path}}{JSON}"}\

diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrail.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrail.java
@@ -10,7 +10,6 @@
 import org.elasticsearch.transport.TransportRequest;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
-import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo;
 import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
 
@@ -22,9 +21,9 @@ public interface AuditTrail {
 
     String name();
 
-    void authenticationSuccess(String requestId, String realm, User user, RestRequest request);
+    void authenticationSuccess(String requestId, Authentication authentication, RestRequest request);
 
-    void authenticationSuccess(String requestId, String realm, User user, String action, TransportRequest transportRequest);
+    void authenticationSuccess(String requestId, Authentication authentication, String action, TransportRequest transportRequest);
 
     void anonymousAccessDenied(String requestId, String action, TransportRequest transportRequest);
 
@@ -52,7 +51,7 @@ void accessDenied(String requestId, Authentication authentication, String action
 
     void tamperedRequest(String requestId, String action, TransportRequest transportRequest);
 
-    void tamperedRequest(String requestId, User user, String action, TransportRequest transportRequest);
+    void tamperedRequest(String requestId, Authentication authentication, String action, TransportRequest transportRequest);
 
     /**
      * The {@link #connectionGranted(InetAddress, String, SecurityIpFilterRule)} and

diff --git a/...ugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java b/...ugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java
@@ -12,7 +12,6 @@
 import org.elasticsearch.transport.TransportRequest;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
-import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo;
 import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
 
@@ -54,10 +53,11 @@ public String name() {
         }
 
         @Override
-        public void authenticationSuccess(String requestId, String realm, User user, RestRequest request) {}
+        public void authenticationSuccess(String requestId, Authentication authentication, RestRequest request) {}
 
         @Override
-        public void authenticationSuccess(String requestId, String realm, User user, String action, TransportRequest transportRequest) {}
+        public void authenticationSuccess(String requestId, Authentication authentication, String action,
+                                          TransportRequest transportRequest) {}
 
         @Override
         public void anonymousAccessDenied(String requestId, String action, TransportRequest transportRequest) {}
@@ -99,7 +99,7 @@ public void tamperedRequest(String requestId, RestRequest request) {}
         public void tamperedRequest(String requestId, String action, TransportRequest transportRequest) {}
 
         @Override
-        public void tamperedRequest(String requestId, User user, String action, TransportRequest transportRequest) {}
+        public void tamperedRequest(String requestId, Authentication authentication, String action, TransportRequest transportRequest) {}
 
         @Override
         public void connectionGranted(InetAddress inetAddress, String profile, SecurityIpFilterRule rule) {}
@@ -143,16 +143,17 @@ public String name() {
         }
 
         @Override
-        public void authenticationSuccess(String requestId, String realm, User user, RestRequest request) {
+        public void authenticationSuccess(String requestId, Authentication authentication, RestRequest request) {
             for (AuditTrail auditTrail : auditTrails) {
-                auditTrail.authenticationSuccess(requestId, realm, user, request);
+                auditTrail.authenticationSuccess(requestId, authentication, request);
             }
         }
 
         @Override
-        public void authenticationSuccess(String requestId, String realm, User user, String action, TransportRequest transportRequest) {
+        public void authenticationSuccess(String requestId, Authentication authentication, String action,
+                                          TransportRequest transportRequest) {
             for (AuditTrail auditTrail : auditTrails) {
-                auditTrail.authenticationSuccess(requestId, realm, user, action, transportRequest);
+                auditTrail.authenticationSuccess(requestId, authentication, action, transportRequest);
             }
         }
 
@@ -244,9 +245,9 @@ public void tamperedRequest(String requestId, String action, TransportRequest tr
         }
 
         @Override
-        public void tamperedRequest(String requestId, User user, String action, TransportRequest transportRequest) {
+        public void tamperedRequest(String requestId, Authentication authentication, String action, TransportRequest transportRequest) {
             for (AuditTrail auditTrail : auditTrails) {
-                auditTrail.tamperedRequest(requestId, user, action, transportRequest);
+                auditTrail.tamperedRequest(requestId, authentication, action, transportRequest);
             }
         }