lujiefsi opened a new pull request, #17916:
URL: https://github.com/apache/druid/pull/17916

   # Pull Request: Add audit logging to BasicAuthorizerResource update methods
   
   ## Related Issue
   Fixes #17914
   
   ## Description
   This PR adds missing audit logging to three update methods in the BasicAuthorizerResource class. Without these audit logs, changes to user authorizations and group mappings were not being properly tracked, creating a security monitoring gap.
   
   The following methods now include audit logging:
   - `authorizerUserUpdateListener`
   - `authorizerGroupMappingUpdateListener`
   - `authorizerUpdateListener` (deprecated)
   
   Each method now calls `performAuditIfSuccess()` after processing but before returning the response, ensuring that successful update operations are properly recorded in the audit log. The audit messages include the authorizer name and payload size to provide context about the operations being performed.
   
   ## Changes Made
   Added audit logging calls to three methods in `BasicAuthorizerResource.java`:
   
   ```java
   performAuditIfSuccess(
       authorizerName,
       req,
       response,
       "Update user authorizations for authorizer[%s]",
       authorizerName);
   ```
   
   Similar patterns were added to the other two methods, following the existing audit logging pattern used elsewhere in the class.
   
   ## Testing Done
   - Verified that audit logs are correctly generated when these methods are called
   - Confirmed that the log messages contain the appropriate context information
   - Ensured that the existing functionality works correctly with the added audit logging
   
   ## Additional Notes
   This change improves security monitoring and compliance by ensuring all authorization-related changes are properly tracked in audit logs, closing a security gap identified in issue #17914.


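A regression check for the kind of gap this pull request describes, as an added example that is not part of the pull request or of Druid's code: it scans Java source for `*UpdateListener` method declarations whose body never calls `performAuditIfSuccess`. The naming rule, the function names and the sample class are assumptions constructed for illustration.

```python
import re

AUDIT_CALL = "performAuditIfSuccess("                # helper name as given in the PR text
NAME_RE = re.compile(r"\b(\w*UpdateListener)\s*\(")  # assumed naming rule for update methods
DECL_RE = re.compile(r"\s*(?:throws\s+[\w.,\s]+?)?\s*\{")

# Constructed sample, not Druid's source: the first method audits, the second does not.
SAMPLE = '''
public class SampleResource {
  public Response authorizerUserUpdateListener(@Context HttpServletRequest req,
      @PathParam("authorizerName") final String authorizerName, byte[] map) {
    final Response response = handler.authorizerUserUpdateListener(authorizerName, map);
    performAuditIfSuccess(authorizerName, req, response,
        "Update user authorizations for authorizer[%s]", authorizerName);
    return response;
  }

  public Response authorizerGroupMappingUpdateListener(@Context HttpServletRequest req,
      @PathParam("authorizerName") final String authorizerName, byte[] map) {
    if (map.length == 0) { return Response.status(400).build(); }
    return handler.authorizerGroupMappingUpdateListener(authorizerName, map);
  }
}
'''

def _closing(src, start, open_ch, close_ch):
    """Index just past the delimiter closing src[start]; ignores literals and comments."""
    depth = 0
    for i in range(start, len(src)):
        depth += (src[i] == open_ch) - (src[i] == close_ch)
        if depth == 0:
            return i + 1
    raise ValueError("unbalanced delimiters")

def unaudited_methods(src):
    """Names of *UpdateListener declarations whose body never calls the audit helper."""
    missing, pos = [], 0
    while (m := NAME_RE.search(src, pos)):
        pos = _closing(src, m.end() - 1, "(", ")")   # skip the (possibly annotated) parameter list
        decl = DECL_RE.match(src, pos)
        if decl is None:                             # a call site, not a declaration
            continue
        end = _closing(src, decl.end() - 1, "{", "}")
        if AUDIT_CALL not in src[decl.end():end]:
            missing.append(m.group(1))
        pos = end                                    # resume after this method body
    return missing
```

Run over a resource class in CI, a non-empty result means an update endpoint can change authorization state without leaving an audit entry.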