[Audit Logging] Add AuditTrail service (#69278)

* add generic audit_trail service in core

* expose auditTraik service to plugins

* add auditTrail x-pack plugin

* fix type errors

* update mocks

* expose asScoped interface via start. auditor via  request context

* use type from audit trail service

* wrap getActiveSpace in safeCall only. it throws exception for non-authz

* pass message to log explicitly

* update docs

* create one auditor per request

* wire es client up to auditor

* update docs

* withScope accepts only one scope

* use scoped client in context for callAsInternalUser

* use auditor in scoped cluster client

* adopt auditTrail plugin to new interface. configure log from config

* do not log audit events in console by default

* add audit trail functional tests

* cleanup

* add example

* add mocks for spaces plugin

* add unit tests

* update docs

* test description

* Apply suggestions from code review

apply @jportner suggestions

Co-authored-by: Joe Portner <[email protected]>

* add unit tests

* more robust tests

* make spaces optional

* address comments

* update docs

* fix WebStorm refactoring

Co-authored-by: Joe Portner <[email protected]>

docs/development/core/server/kibana-plugin-core-server.auditableevent.md

@@ -0,0 +1,25 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [AuditableEvent](./kibana-plugin-core-server.auditableevent.md)
+
+## AuditableEvent interface
+
+Event to audit.
+
+<b>Signature:</b>
+
+```typescript
+export interface AuditableEvent 
+```
+
+## Remarks
+
+Not a complete interface.
+
+## Properties
+
+|  Property | Type | Description |
+|  --- | --- | --- |
+|  [message](./kibana-plugin-core-server.auditableevent.message.md) | <code>string</code> |  |
+|  [type](./kibana-plugin-core-server.auditableevent.type.md) | <code>string</code> |  |
+

docs/development/core/server/kibana-plugin-core-server.auditableevent.message.md

@@ -0,0 +1,11 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [AuditableEvent](./kibana-plugin-core-server.auditableevent.md) &gt; [message](./kibana-plugin-core-server.auditableevent.message.md)
+
+## AuditableEvent.message property
+
+<b>Signature:</b>
+
+```typescript
+message: string;
+```

docs/development/core/server/kibana-plugin-core-server.auditableevent.type.md

@@ -0,0 +1,11 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [AuditableEvent](./kibana-plugin-core-server.auditableevent.md) &gt; [type](./kibana-plugin-core-server.auditableevent.type.md)
+
+## AuditableEvent.type property
+
+<b>Signature:</b>
+
+```typescript
+type: string;
+```

docs/development/core/server/kibana-plugin-core-server.auditor.add.md

@@ -0,0 +1,36 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [Auditor](./kibana-plugin-core-server.auditor.md) &gt; [add](./kibana-plugin-core-server.auditor.add.md)
+
+## Auditor.add() method
+
+Add a record to audit log. Service attaches to a log record: - metadata about an end-user initiating an operation - scope name, if presents
+
+<b>Signature:</b>
+
+```typescript
+add(event: AuditableEvent): void;
+```
+
+## Parameters
+
+|  Parameter | Type | Description |
+|  --- | --- | --- |
+|  event | <code>AuditableEvent</code> |  |
+
+<b>Returns:</b>
+
+`void`
+
+## Example
+
+How to add a record in audit log:
+
+```typescript
+router.get({ path: '/my_endpoint', validate: false }, async (context, request, response) => {
+  context.core.auditor.withAuditScope('my_plugin_operation');
+  const value = await context.core.elasticsearch.legacy.client.callAsCurrentUser('...');
+  context.core.add({ type: 'operation.type', message: 'perform an operation in ... endpoint' });
+
+```
+

docs/development/core/server/kibana-plugin-core-server.auditor.md

@@ -0,0 +1,21 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [Auditor](./kibana-plugin-core-server.auditor.md)
+
+## Auditor interface
+
+Provides methods to log user actions and access events.
+
+<b>Signature:</b>
+
+```typescript
+export interface Auditor 
+```
+
+## Methods
+
+|  Method | Description |
+|  --- | --- |
+|  [add(event)](./kibana-plugin-core-server.auditor.add.md) | Add a record to audit log. Service attaches to a log record: - metadata about an end-user initiating an operation - scope name, if presents |
+|  [withAuditScope(name)](./kibana-plugin-core-server.auditor.withauditscope.md) | Add a high-level scope name for logged events. It helps to identify the root cause of low-level events. |
+

docs/development/core/server/kibana-plugin-core-server.auditor.withauditscope.md

@@ -0,0 +1,24 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [Auditor](./kibana-plugin-core-server.auditor.md) &gt; [withAuditScope](./kibana-plugin-core-server.auditor.withauditscope.md)
+
+## Auditor.withAuditScope() method
+
+Add a high-level scope name for logged events. It helps to identify the root cause of low-level events.
+
+<b>Signature:</b>
+
+```typescript
+withAuditScope(name: string): void;
+```
+
+## Parameters
+
+|  Parameter | Type | Description |
+|  --- | --- | --- |
+|  name | <code>string</code> |  |
+
+<b>Returns:</b>
+
+`void`
+

docs/development/core/server/kibana-plugin-core-server.auditorfactory.asscoped.md

@@ -0,0 +1,22 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [AuditorFactory](./kibana-plugin-core-server.auditorfactory.md) &gt; [asScoped](./kibana-plugin-core-server.auditorfactory.asscoped.md)
+
+## AuditorFactory.asScoped() method
+
+<b>Signature:</b>
+
+```typescript
+asScoped(request: KibanaRequest): Auditor;
+```
+
+## Parameters
+
+|  Parameter | Type | Description |
+|  --- | --- | --- |
+|  request | <code>KibanaRequest</code> |  |
+
+<b>Returns:</b>
+
+`Auditor`
+

docs/development/core/server/kibana-plugin-core-server.auditorfactory.md

@@ -0,0 +1,20 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [AuditorFactory](./kibana-plugin-core-server.auditorfactory.md)
+
+## AuditorFactory interface
+
+Creates [Auditor](./kibana-plugin-core-server.auditor.md) instance bound to the current user credentials.
+
+<b>Signature:</b>
+
+```typescript
+export interface AuditorFactory 
+```
+
+## Methods
+
+|  Method | Description |
+|  --- | --- |
+|  [asScoped(request)](./kibana-plugin-core-server.auditorfactory.asscoped.md) |  |
+

docs/development/core/server/kibana-plugin-core-server.audittrailsetup.md

@@ -0,0 +1,18 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [AuditTrailSetup](./kibana-plugin-core-server.audittrailsetup.md)
+
+## AuditTrailSetup interface
+
+<b>Signature:</b>
+
+```typescript
+export interface AuditTrailSetup 
+```
+
+## Methods
+
+|  Method | Description |
+|  --- | --- |
+|  [register(auditor)](./kibana-plugin-core-server.audittrailsetup.register.md) | Register a custom [AuditorFactory](./kibana-plugin-core-server.auditorfactory.md) implementation. |
+

docs/development/core/server/kibana-plugin-core-server.audittrailsetup.register.md

@@ -0,0 +1,24 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [AuditTrailSetup](./kibana-plugin-core-server.audittrailsetup.md) &gt; [register](./kibana-plugin-core-server.audittrailsetup.register.md)
+
+## AuditTrailSetup.register() method
+
+Register a custom [AuditorFactory](./kibana-plugin-core-server.auditorfactory.md) implementation.
+
+<b>Signature:</b>
+
+```typescript
+register(auditor: AuditorFactory): void;
+```
+
+## Parameters
+
+|  Parameter | Type | Description |
+|  --- | --- | --- |
+|  auditor | <code>AuditorFactory</code> |  |
+
+<b>Returns:</b>
+
+`void`
+

docs/development/core/server/kibana-plugin-core-server.audittrailstart.md

@@ -0,0 +1,11 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [AuditTrailStart](./kibana-plugin-core-server.audittrailstart.md)
+
+## AuditTrailStart type
+
+<b>Signature:</b>
+
+```typescript
+export declare type AuditTrailStart = AuditorFactory;
+```

docs/development/core/server/kibana-plugin-core-server.coresetup.audittrail.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [CoreSetup](./kibana-plugin-core-server.coresetup.md) &gt; [auditTrail](./kibana-plugin-core-server.coresetup.audittrail.md)
+
+## CoreSetup.auditTrail property
+
+[AuditTrailSetup](./kibana-plugin-core-server.audittrailsetup.md)
+
+<b>Signature:</b>
+
+```typescript
+auditTrail: AuditTrailSetup;
+```

docs/development/core/server/kibana-plugin-core-server.coresetup.md

@@ -16,6 +16,7 @@ export interface CoreSetup<TPluginsStart extends object = object, TStart = unkno
 
 |  Property | Type | Description |
 |  --- | --- | --- |
+|  [auditTrail](./kibana-plugin-core-server.coresetup.audittrail.md) | <code>AuditTrailSetup</code> | [AuditTrailSetup](./kibana-plugin-core-server.audittrailsetup.md) |
 |  [capabilities](./kibana-plugin-core-server.coresetup.capabilities.md) | <code>CapabilitiesSetup</code> | [CapabilitiesSetup](./kibana-plugin-core-server.capabilitiessetup.md) |
 |  [context](./kibana-plugin-core-server.coresetup.context.md) | <code>ContextSetup</code> | [ContextSetup](./kibana-plugin-core-server.contextsetup.md) |
 |  [elasticsearch](./kibana-plugin-core-server.coresetup.elasticsearch.md) | <code>ElasticsearchServiceSetup</code> | [ElasticsearchServiceSetup](./kibana-plugin-core-server.elasticsearchservicesetup.md) |

docs/development/core/server/kibana-plugin-core-server.corestart.audittrail.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [CoreStart](./kibana-plugin-core-server.corestart.md) &gt; [auditTrail](./kibana-plugin-core-server.corestart.audittrail.md)
+
+## CoreStart.auditTrail property
+
+[AuditTrailSetup](./kibana-plugin-core-server.audittrailsetup.md)
+
+<b>Signature:</b>
+
+```typescript
+auditTrail: AuditTrailStart;
+```

docs/development/core/server/kibana-plugin-core-server.corestart.md

@@ -16,6 +16,7 @@ export interface CoreStart
 
 |  Property | Type | Description |
 |  --- | --- | --- |
+|  [auditTrail](./kibana-plugin-core-server.corestart.audittrail.md) | <code>AuditTrailStart</code> | [AuditTrailSetup](./kibana-plugin-core-server.audittrailsetup.md) |
 |  [capabilities](./kibana-plugin-core-server.corestart.capabilities.md) | <code>CapabilitiesStart</code> | [CapabilitiesStart](./kibana-plugin-core-server.capabilitiesstart.md) |
 |  [elasticsearch](./kibana-plugin-core-server.corestart.elasticsearch.md) | <code>ElasticsearchServiceStart</code> | [ElasticsearchServiceStart](./kibana-plugin-core-server.elasticsearchservicestart.md) |
 |  [http](./kibana-plugin-core-server.corestart.http.md) | <code>HttpServiceStart</code> | [HttpServiceStart](./kibana-plugin-core-server.httpservicestart.md) |

docs/development/core/server/kibana-plugin-core-server.httpserverinfo.hostname.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [HttpServerInfo](./kibana-plugin-core-server.httpserverinfo.md) &gt; [hostname](./kibana-plugin-core-server.httpserverinfo.hostname.md)
+
+## HttpServerInfo.hostname property
+
+The hostname of the server
+
+<b>Signature:</b>
+
+```typescript
+hostname: string;
+```

docs/development/core/server/kibana-plugin-core-server.legacyclusterclient._constructor_.md

@@ -9,7 +9,7 @@ Constructs a new instance of the `LegacyClusterClient` class
 <b>Signature:</b>
 
 ```typescript
-constructor(config: LegacyElasticsearchClientConfig, log: Logger, getAuthHeaders?: GetAuthHeaders);
+constructor(config: LegacyElasticsearchClientConfig, log: Logger, getAuditorFactory: () => AuditorFactory, getAuthHeaders?: GetAuthHeaders);
 ```
 
 ## Parameters
@@ -18,5 +18,6 @@ constructor(config: LegacyElasticsearchClientConfig, log: Logger, getAuthHeaders
 |  --- | --- | --- |
 |  config | <code>LegacyElasticsearchClientConfig</code> |  |
 |  log | <code>Logger</code> |  |
+|  getAuditorFactory | <code>() =&gt; AuditorFactory</code> |  |
 |  getAuthHeaders | <code>GetAuthHeaders</code> |  |
 

docs/development/core/server/kibana-plugin-core-server.legacyclusterclient.md

@@ -15,7 +15,7 @@ export declare class LegacyClusterClient implements ILegacyClusterClient
 
 |  Constructor | Modifiers | Description |
 |  --- | --- | --- |
-|  [(constructor)(config, log, getAuthHeaders)](./kibana-plugin-core-server.legacyclusterclient._constructor_.md) |  | Constructs a new instance of the <code>LegacyClusterClient</code> class |
+|  [(constructor)(config, log, getAuditorFactory, getAuthHeaders)](./kibana-plugin-core-server.legacyclusterclient._constructor_.md) |  | Constructs a new instance of the <code>LegacyClusterClient</code> class |
 
 ## Properties
 

docs/development/core/server/kibana-plugin-core-server.legacyscopedclusterclient._constructor_.md

@@ -9,7 +9,7 @@ Constructs a new instance of the `LegacyScopedClusterClient` class
 <b>Signature:</b>
 
 ```typescript
-constructor(internalAPICaller: LegacyAPICaller, scopedAPICaller: LegacyAPICaller, headers?: Headers | undefined);
+constructor(internalAPICaller: LegacyAPICaller, scopedAPICaller: LegacyAPICaller, headers?: Headers | undefined, auditor?: Auditor | undefined);
 ```
 
 ## Parameters
@@ -19,4 +19,5 @@ constructor(internalAPICaller: LegacyAPICaller, scopedAPICaller: LegacyAPICaller
 |  internalAPICaller | <code>LegacyAPICaller</code> |  |
 |  scopedAPICaller | <code>LegacyAPICaller</code> |  |
 |  headers | <code>Headers &#124; undefined</code> |  |
+|  auditor | <code>Auditor &#124; undefined</code> |  |
 

docs/development/core/server/kibana-plugin-core-server.legacyscopedclusterclient.md

@@ -15,7 +15,7 @@ export declare class LegacyScopedClusterClient implements ILegacyScopedClusterCl
 
 |  Constructor | Modifiers | Description |
 |  --- | --- | --- |
-|  [(constructor)(internalAPICaller, scopedAPICaller, headers)](./kibana-plugin-core-server.legacyscopedclusterclient._constructor_.md) |  | Constructs a new instance of the <code>LegacyScopedClusterClient</code> class |
+|  [(constructor)(internalAPICaller, scopedAPICaller, headers, auditor)](./kibana-plugin-core-server.legacyscopedclusterclient._constructor_.md) |  | Constructs a new instance of the <code>LegacyScopedClusterClient</code> class |
 
 ## Methods
 

docs/development/core/server/kibana-plugin-core-server.md

@@ -56,6 +56,10 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
 |  --- | --- |
 |  [AssistanceAPIResponse](./kibana-plugin-core-server.assistanceapiresponse.md) |  |
 |  [AssistantAPIClientParams](./kibana-plugin-core-server.assistantapiclientparams.md) |  |
+|  [AuditableEvent](./kibana-plugin-core-server.auditableevent.md) | Event to audit. |
+|  [Auditor](./kibana-plugin-core-server.auditor.md) | Provides methods to log user actions and access events. |
+|  [AuditorFactory](./kibana-plugin-core-server.auditorfactory.md) | Creates [Auditor](./kibana-plugin-core-server.auditor.md) instance bound to the current user credentials. |
+|  [AuditTrailSetup](./kibana-plugin-core-server.audittrailsetup.md) |  |
 |  [Authenticated](./kibana-plugin-core-server.authenticated.md) |  |
 |  [AuthNotHandled](./kibana-plugin-core-server.authnothandled.md) |  |
 |  [AuthRedirected](./kibana-plugin-core-server.authredirected.md) |  |
@@ -212,6 +216,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
 |  Type Alias | Description |
 |  --- | --- |
 |  [AppenderConfigType](./kibana-plugin-core-server.appenderconfigtype.md) |  |
+|  [AuditTrailStart](./kibana-plugin-core-server.audittrailstart.md) |  |
 |  [AuthenticationHandler](./kibana-plugin-core-server.authenticationhandler.md) | See [AuthToolkit](./kibana-plugin-core-server.authtoolkit.md)<!-- -->. |
 |  [AuthHeaders](./kibana-plugin-core-server.authheaders.md) | Auth Headers map |
 |  [AuthResult](./kibana-plugin-core-server.authresult.md) |  |

docs/development/core/server/kibana-plugin-core-server.requesthandlercontext.core.md

@@ -20,5 +20,6 @@ core: {
         uiSettings: {
             client: IUiSettingsClient;
         };
+        auditor: Auditor;
     };
 ```

docs/development/core/server/kibana-plugin-core-server.requesthandlercontext.md

@@ -18,5 +18,5 @@ export interface RequestHandlerContext
 
 |  Property | Type | Description |
 |  --- | --- | --- |
-|  [core](./kibana-plugin-core-server.requesthandlercontext.core.md) | <code>{</code><br/><code>        savedObjects: {</code><br/><code>            client: SavedObjectsClientContract;</code><br/><code>            typeRegistry: ISavedObjectTypeRegistry;</code><br/><code>        };</code><br/><code>        elasticsearch: {</code><br/><code>            legacy: {</code><br/><code>                client: ILegacyScopedClusterClient;</code><br/><code>            };</code><br/><code>        };</code><br/><code>        uiSettings: {</code><br/><code>            client: IUiSettingsClient;</code><br/><code>        };</code><br/><code>    }</code> |  |
+|  [core](./kibana-plugin-core-server.requesthandlercontext.core.md) | <code>{</code><br/><code>        savedObjects: {</code><br/><code>            client: SavedObjectsClientContract;</code><br/><code>            typeRegistry: ISavedObjectTypeRegistry;</code><br/><code>        };</code><br/><code>        elasticsearch: {</code><br/><code>            legacy: {</code><br/><code>                client: ILegacyScopedClusterClient;</code><br/><code>            };</code><br/><code>        };</code><br/><code>        uiSettings: {</code><br/><code>            client: IUiSettingsClient;</code><br/><code>        };</code><br/><code>        auditor: Auditor;</code><br/><code>    }</code> |  |
 

docs/development/plugins/kibana_utils/common/state_containers/kibana-plugin-plugins-kibana_utils-common-state_containers.comparator.md

@@ -4,7 +4,7 @@
 
 ## Comparator type
 
-Used to compare state. see [useContainerSelector](./kibana-plugin-plugins-kibana_utils-common-state_containers.usecontainerselector.md)
+Used to compare state, see [useContainerSelector](./kibana-plugin-plugins-kibana_utils-common-state_containers.usecontainerselector.md)<!-- -->.
 
 <b>Signature:</b>
 

docs/development/plugins/kibana_utils/common/state_containers/kibana-plugin-plugins-kibana_utils-common-state_containers.connect.md

@@ -4,7 +4,7 @@
 
 ## Connect type
 
-Similar to `connect` from react-redux, allows to map state from state container to component's props
+Similar to `connect` from react-redux, allows to map state from state container to component's props.
 
 <b>Signature:</b>