Log request body to audit logs #5071
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
olkkoti
requested review from
cwperks,
DarshitChanpura,
derek-ho,
nibix,
peternied,
RyanL1997,
reta and
willyborankin
as code owners
olkkoti
changed the title
cwperks
reviewed
Jan 31, 2025
There was a problem hiding this comment.
wdyt about adding auditLog.logSucceededLogin(user.getName(), request); before each call to delegate.handleRequest(request, channel, client);?
We could also remove these calls from the BackendRegistry and rely on them to be called within here.
To enable audit logs for this category, you would need to add then AUTHENTICATED category as one of the enabled categories.
|
How about like this? |
olkkoti
force-pushed
the
auditlog-without-rest-authorization
branch
4 times, most recently
from
aef31e2 to
c49ca35
Compare
|
Hmm. Apparently at least in test cases user is allowed to be null here. I guess then we just dont do audit log? Or would it be better to call it with null effectiveUser? |
olkkoti
force-pushed
the
auditlog-without-rest-authorization
branch
2 times, most recently
from
bc1e52d to
e837d29
Compare
…try in order to get request body. This fixes the issue opensearch-project#4094 Signed-off-by: Timo Olkkonen <[email protected]>
olkkoti
force-pushed
the
auditlog-without-rest-authorization
branch
from
e837d29 to
e4f6268
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Currently we do not get request body to audit log, as requests are already authenticated in header verifier level, which does not have access to request body.
SecurityRestFilter has the whole RestRequest object, but it does not authenticate it again. Also, it does not authorize the request if the route is not a named one. The idea here is to do logGrantedPrivileges call even if we do not authorize. This way we will get the request body to audit log.
Issues Resolved
[BUG] audit_request_body missing for REST since 2.11
Testing
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.