jerryshao opened a new pull request, #11618:
URL: https://github.com/apache/gravitino/pull/11618
### What changes were proposed in this pull request?
Adds an `HttpAuditFilter` servlet filter registered on the main Gravitino server (`/api/*`), Iceberg REST server (`/iceberg/*`), and Lance REST server (`/lance/*`). The filter emits `HttpRequestFailureEvent` for every HTTP 4xx/5xx response when no operation-layer failure event was already dispatched on the same thread, closing the audit coverage gap for authentication failures, malformed requests, and unknown routes.

A new `AuthorizationDenialFailureEvent` is dispatched by `GravitinoInterceptionService` for executor denials and `ForbiddenException`, carrying the authenticated user, resource identifier, intercepted method name, and authorization expression for rich audit attribution. `NoSuchMetalakeException` (a resource-not-found masquerading as 403) intentionally falls through to the generic HTTP-level event to avoid information disclosure.

Double-logging prevention: `EventBus.dispatchFailureEvent()` sets a `RequestContext.operationFailureFired` flag for every non-`HttpRequestFailureEvent` failure; `HttpAuditFilter` checks the flag in its `finally` block and skips emission if already set.
### Why are the changes needed?
Fix: #11230
HTTP-layer failures (401 auth rejections, 400 malformed JSON, 404 unknown routes, 403 authorization denials) currently produce no audit record. Enterprise users running Gravitino in regulated environments require a complete audit trail, including failed access attempts, to satisfy compliance requirements.
### Does this PR introduce _any_ user-facing change?
- New audit log entries for all HTTP 4xx/5xx failures with fields: `user`, `opType` (`UNKNOWN` or `AUTHORIZATION_DENIAL`), `identifier`, `status`, `source` (`GRAVITINO_SERVER` / `GRAVITINO_ICEBERG_REST_SERVER` / `GRAVITINO_LANCE_REST_SERVER`), `remoteAddr`, and `customInfo` (`http.method`, `http.uri`, `http.status` for HTTP events; `auth.method`, `auth.expression` for authorization denial events).
- New `OperationType.AUTHORIZATION_DENIAL` and `AuditLog.Operation.AUTHORIZATION_DENIAL` enum values in the public audit API.
- New `EventSource.GRAVITINO_LANCE_REST_SERVER` enum value.
- New public event classes: `HttpRequestFailureEvent`, `AuthorizationDenialFailureEvent`.
### How was this patch tested?
- Unit tests: `TestHttpAuditFilter` (6 cases), `TestEventBus` (2 new flag-marking cases), `TestGravitinoInterceptionService` (3 new cases for executor denial, `ForbiddenException`, and `NoSuchMetalakeException` paths).
- Coverage tests: `TestOperation`, `TestCompatibilityUtils`, `TestSimpleAuditLogV2`, `TestAuthorizationDenialFailureEvent`, `TestHttpRequestFailureEvent`.
- Integration tests: `HttpAuditFilterIT`, `HttpAuditAuthzDenialIT`.
- Manual end-to-end: all 18 test cases (TC-A1–A4, TC-B1–B5, TC-C1–C8, TC-D1–D2) verified against the running distribution.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]