Add audit logging for bulk role APIs #110410
Conversation
jfreden
force-pushed
the
add_audit_logging_bulk
branch
from
985a1d9
to
89959d7
Compare
jfreden
force-pushed
the
add_audit_logging_bulk
branch
from
89959d7
to
4b91205
Compare
|
Pinging @elastic/es-security (Team:Security) |
| logEntry.with(EVENT_ACTION_FIELD_NAME, "bulk_put_role"); | ||
| XContentBuilder builder = JsonXContent.contentBuilder().humanReadable(true); | ||
| builder.startObject().startObject("roles"); | ||
|
|
||
| for (RoleDescriptor roleDescriptor : bulkPutRoleRequest.getRoles()) { | ||
| withRoleDescriptor(builder.field(roleDescriptor.getName()), roleDescriptor); | ||
| } | ||
|
|
||
| builder.endObject().endObject(); | ||
| logEntry.with(CHANGE_CONFIG_FIELD_NAME, Strings.toString(builder)); |
There was a problem hiding this comment.
This is a good option.
Another option is to create separate audit entries for every role, maintaining the format of the individual audit entry. That's important because audit entries could be indexed.
I suggest hearing what the broader team has to say. Could you please raise it in the team meeting today?
There was a problem hiding this comment.
Yes, good point. Thanks for raising this.
There was a problem hiding this comment.
Raised this in the weekly security meeting and we agreed to change this to separate audit entries per role. Thanks for the suggestion @albertzaharovits !
|
I've changed approach to generate one log entry per bulk item. All the entries for a bulk request will now be under the same request id. I couldn't find anywhere else where we do that so wanted to discuss the possible side effects of that? Any thoughts @albertzaharovits ? |
There should be no problem here. The requestId is exactly used to correlate multiple audit entries in relation to the same request. The fact that a single request generates multiple audit entries "at a time" should not matter. |
|
Thanks for confirming! |
💔 Backport failedThe backport operation could not be completed due to the following error: You can use sqren/backport to manually backport by running |
* Add audit logging for bulk put role
This adds audit logging to the new role bulk put and delete apis added in: #110383 #109339
_Bulk Put Roles Audit Log - a single put role entry per add
{"type":"audit", "timestamp":"2567-07-05T13:38:39,716+0400", "cluster.name":"roAXTKDMZrpgEUGy", "host.name":"0.0.0.0", "host.ip":"0.0.0.0", "event.type":"security_config_change", "event.action":"put_role", "request.id":"HkONdJnzsupYtgj", "put":{"role":{"name":"null_role","role_descriptor":{"cluster":[],"indices":[],"applications":[],"run_as":[]}}}}{"type":"audit", "timestamp":"2567-07-05T13:38:39,716+0400", "cluster.name":"roAXTKDMZrpgEUGy", "host.name":"0.0.0.0", "host.ip":"0.0.0.0", "event.type":"security_config_change", "event.action":"put_role", "request.id":"HkONdJnzsupYtgj", "put":{"role":{"name":"role_descriptor1","role_descriptor":{"cluster":["monitor"],"indices":[{"names":["test*"],"privileges":["read","create_index"],"field_security":{"grant":["grantedField1"]},"query":"{\"match_all\":{}}","allow_restricted_indices":true}],"applications":[],"run_as":[]}}}}_Bulk Delete Roles Audit Log - a single delete role entry per delete
{"type":"audit", "timestamp":"2567-07-05T13:40:33,678+0400", "cluster.name":"roAXTKDMZrpgEUGy", "host.name":"0.0.0.0", "host.ip":"0.0.0.0", "event.type":"security_config_change", "event.action":"delete_role", "request.id":"HkONdJnzsupYtgj", "delete":{"role":{"name":"null_role"}}}{"type":"audit", "timestamp":"2567-07-05T13:40:33,679+0400", "cluster.name":"roAXTKDMZrpgEUGy", "host.name":"0.0.0.0", "host.ip":"0.0.0.0", "event.type":"security_config_change", "event.action":"delete_role", "request.id":"HkONdJnzsupYtgj", "delete":{"role":{"name":"role_descriptor1"}}}