lujiefsi opened a new issue, #17914:
URL: https://github.com/apache/druid/issues/17914
## Description
### Issue Summary
The `BasicAuthorizerResource` class is missing audit logs for critical
update operations related to the authorization system. While the class
correctly implements audit logging for create and delete operations, it fails
to record audit trails for update operations that modify system state.
### Affected Components
- `org.apache.druid.security.basic.authorization.endpoint.BasicAuthorizerResource`
### Missing Audit Logs
The following update methods lack audit logging:
1. `authorizerUserUpdateListener(HttpServletRequest, String, byte[])` - Handles update notifications for user authorization data
2. `authorizerGroupMappingUpdateListener(HttpServletRequest, String, byte[])` - Handles update notifications for group mapping authorization data
3. `authorizerUpdateListener(HttpServletRequest, String, byte[])` - Deprecated method, but still active and missing audit logs
### Impact
The lack of audit logs for these update operations creates a security gap in
the system's audit trail. When authorization data is updated through these
endpoints, there is no record of who performed these changes, which violates
security best practices and may impact compliance requirements.
### Security Implications
- Inability to track who modified authorization data
- Incomplete audit trails for security investigations
- Potential compliance issues with security frameworks requiring
comprehensive audit logging
## Proposed Solution
Implement audit logging for all update operations by adding calls to the
`performAuditIfSuccess()` method after each update operation, similar to how
it's implemented for create and delete operations.
Example implementation for `authorizerUserUpdateListener()`:
```java
public Response authorizerUserUpdateListener(
    @Context HttpServletRequest req,
    @PathParam("authorizerName") final String authorizerName,
    byte[] serializedUserAndRoleMap
)
{
  authValidator.validateAuthorizerName(authorizerName);
  final Response response = resourceHandler.authorizerUserUpdateListener(
      authorizerName,
      serializedUserAndRoleMap
  );
  // Added: record the update in the audit trail, mirroring the create/delete endpoints.
  performAuditIfSuccess(
      authorizerName,
      req,
      response,
      "Update user authorization for authorizer[%s]",
      authorizerName
  );
  return response;
}
```
Similar implementations should be added for the other update methods.
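As an added illustration (not Druid's own code), the following stand-alone Java sketch shows the two properties the proposal relies on: the audit record is written only when the handler returned a 2xx response, and it captures the authenticated identity of the caller. `AuditSink`, `ListAuditSink`, the `authenticatedIdentity` request attribute and the stubbed handler body are all assumptions made for the example; Druid's real `performAuditIfSuccess` and `AuditManager` may differ.

```java
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.Response;
import java.util.ArrayList;
import java.util.List;

// Hypothetical audit sink; a stand-in for the project's real audit manager.
interface AuditSink {
  void record(String actor, String authorizerName, String action);
}

// In-memory sink so the pattern can be exercised without a running cluster.
class ListAuditSink implements AuditSink {
  final List<String> entries = new ArrayList<>();
  @Override public void record(String actor, String authorizerName, String action) {
    entries.add(actor + " | " + authorizerName + " | " + action);
  }
}

public class AuditedUpdateListener {
  // Request attribute assumed (for this example) to carry the authenticated identity.
  static final String IDENTITY_ATTR = "authenticatedIdentity";
  private final AuditSink audit;

  AuditedUpdateListener(AuditSink audit) { this.audit = audit; }

  // Audit only when the update actually succeeded (2xx); rejected or failed
  // updates must not appear in the trail as if they had changed state.
  void performAuditIfSuccess(String authorizerName, HttpServletRequest req,
                             Response response, String messageFormat, Object... args) {
    int status = response.getStatus();
    if (status < 200 || status >= 300) {
      return;
    }
    Object identity = req.getAttribute(IDENTITY_ATTR);
    String actor = identity == null ? "unknown" : identity.toString();
    audit.record(actor, authorizerName, String.format(messageFormat, args));
  }

  // Group-mapping update listener routed through the audit helper.
  // The handler body is a stub: a null payload is rejected, anything else "succeeds".
  public Response authorizerGroupMappingUpdateListener(HttpServletRequest req, String authorizerName,
                                                      byte[] serializedGroupMappingAndRoleMap) {
    final Response response = serializedGroupMappingAndRoleMap == null
        ? Response.status(Response.Status.BAD_REQUEST).build()
        : Response.ok().build();
    performAuditIfSuccess(authorizerName, req, response,
        "Update group mapping authorization for authorizer[%s]", authorizerName);
    return response;
  }
}
```

With a request that carries an identity and a non-null payload, `ListAuditSink.entries` gains one line naming the actor, the authorizer and the action; with a null payload the 400 response leaves the trail untouched.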