Honor log_request_body setting in compliance audit log #4832
Conversation
Signed-off-by: Craig Perkins <[email protected]>
…he diffs Signed-off-by: Craig Perkins <[email protected]>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4832 +/- ##
==========================================
- Coverage 70.99% 70.76% -0.23%
==========================================
Files 310 310
Lines 20938 20952 +14
Branches 3326 3333 +7
==========================================
- Hits 14865 14827 -38
- Misses 4325 4376 +51
- Partials 1748 1749 +1
|
Signed-off-by: Craig Perkins <[email protected]>
cwperks
requested review from
DarshitChanpura,
derek-ho,
nibix,
peternied,
RyanL1997,
reta and
willyborankin
as code owners
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
cwperks
changed the title
| @@ -628,7 +633,7 @@ public void logDocumentWritten(ShardId shardId, GetResult originalResult, Index | |||
| } | |||
| } | |||
|
|
|||
| if (!complianceConfig.shouldLogWriteMetadataOnly()) { | |||
| if (!complianceConfig.shouldLogWriteMetadataOnly() && !complianceConfig.shouldLogDiffsForWrite()) { | |||
There was a problem hiding this comment.
Add this condition in so that the full request body is only logged if both compliance.write_metadata_only and compliance.write_log_diffs are both false. These settings seems to be in conflict:
Documentation: https://opensearch.org/docs/latest/security/access-control/api/
compliance.write_log_diffs Boolean Logs only diffs for document updates. Default is false.
compliance.write_metadata_only Boolean Log only metadata of the document for write events. Default is true.
The full body should only get audit logged if both compliance.write_metadata_only and compliance.write_log_diffs are false.
| new Tuple<XContentType, BytesReference>(XContentType.JSON, currentIndex.source()), | ||
| id | ||
| ); | ||
| } | ||
| } | ||
| } catch (Exception e) { | ||
| log.error(e.toString()); |
| new Tuple<XContentType, BytesReference>(XContentType.JSON, currentIndex.source()), | ||
| id | ||
| ); | ||
| if (auditConfigFilter.shouldLogRequestBody() || originalResult == null) { |
There was a problem hiding this comment.
Overall LGTM. I am not following why we need the originalResult == null check..
There was a problem hiding this comment.
is there a rule that "first" doc insert will have all possible audits published?
Description
This PR ensures that the value of
log_request_bodyis honored for the compliance logging. When using the compliance config, this PR will ensure that the document's source is audit logged in theaudit_request_bodywhen a document is first created, but otherwise it will not. Whenwrite_log_diffsis enabled, you can trace the full history of changes to documents on the tracked indices by looking for all events on the target index.By default, the security index gets events audit logged so Compliant logging is a good feature to use to trace changes to the security configuration.
Enhancement
Issues Resolved
#4534
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.