jerryshao opened a new pull request, #11618:
URL: https://github.com/apache/gravitino/pull/11618

   ### What changes were proposed in this pull request?
   
   Adds an `HttpAuditFilter` servlet filter registered on the main Gravitino server (`/api/*`), Iceberg REST server (`/iceberg/*`), and Lance REST server (`/lance/*`). The filter emits `HttpRequestFailureEvent` for every HTTP 4xx/5xx response when no operation-layer failure event was already dispatched on the same thread, closing the audit coverage gap for authentication failures, malformed requests, and unknown routes.
   
   A new `AuthorizationDenialFailureEvent` is dispatched by `GravitinoInterceptionService` for executor denials and `ForbiddenException`, carrying the authenticated user, resource identifier, intercepted method name, and authorization expression for rich audit attribution. `NoSuchMetalakeException` (a resource-not-found masquerading as 403) intentionally falls through to the generic HTTP-level event to avoid information disclosure.
   
   Double-logging prevention: `EventBus.dispatchFailureEvent()` sets a `RequestContext.operationFailureFired` flag for every non-`HttpRequestFailureEvent` failure; `HttpAuditFilter` checks the flag in its `finally` block and skips emission if already set.
   
   ### Why are the changes needed?
   
   Fix: #11230
   
   HTTP-layer failures (401 auth rejections, 400 malformed JSON, 404 unknown routes, 403 authorization denials) currently produce no audit record. Enterprise users running Gravitino in regulated environments require a complete audit trail — including failed access attempts — to satisfy compliance requirements.
   
   ### Does this PR introduce _any_ user-facing change?
   
   - New audit log entries for all HTTP 4xx/5xx failures with fields: `user`, `opType` (`UNKNOWN` or `AUTHORIZATION_DENIAL`), `identifier`, `status`, `source` (`GRAVITINO_SERVER` / `GRAVITINO_ICEBERG_REST_SERVER` / `GRAVITINO_LANCE_REST_SERVER`), `remoteAddr`, and `customInfo` (`http.method`, `http.uri`, `http.status` for HTTP events; `auth.method`, `auth.expression` for authorization denial events).
   - New `OperationType.AUTHORIZATION_DENIAL` and `AuditLog.Operation.AUTHORIZATION_DENIAL` enum values in the public audit API.
   - New `EventSource.GRAVITINO_LANCE_REST_SERVER` enum value.
   - New public event classes: `HttpRequestFailureEvent`, `AuthorizationDenialFailureEvent`.
   
   ### How was this patch tested?
   
   - Unit tests: `TestHttpAuditFilter` (6 cases), `TestEventBus` (2 new flag-marking cases), `TestGravitinoInterceptionService` (3 new cases for executor denial, `ForbiddenException`, and `NoSuchMetalakeException` paths).
   - Coverage tests: `TestOperation`, `TestCompatibilityUtils`, `TestSimpleAuditLogV2`, `TestAuthorizationDenialFailureEvent`, `TestHttpRequestFailureEvent`.
   - Integration tests: `HttpAuditFilterIT`, `HttpAuditAuthzDenialIT`.
   - Manual end-to-end: all 18 test cases (TC-A1–A4, TC-B1–B5, TC-C1–C8, TC-D1–D2) verified against the running distribution.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

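The double-logging guard the PR describes (an `operationFailureFired` thread-local set by the event bus for every non-HTTP failure event and checked in the filter's `finally`), modelled below as an added example in Python rather than the project's Java. This is not code from the PR or the Gravitino sources: the class and method names, the request/response stand-ins, the sample URIs and the `m1.c1` identifier are assumptions. The `reset_per_request` switch is added to show the caveat a reviewer would check on this design: server threads are pooled, so a flag that is not cleared at the start of each request silences the audit event for the next failing request that lands on the same thread.

```python
"""Thread-local guard: the HTTP audit filter emits HttpRequestFailureEvent only
when no operation-layer failure event fired on the same thread (example code)."""
import threading
from dataclasses import dataclass, field

# Minimal stand-ins for the servlet pipeline, constructed for this example.
@dataclass
class Request:
    method: str
    uri: str
    user: str = "anonymous"

@dataclass
class Response:
    status: int = 200

@dataclass
class FailureEvent:
    user: str
    identifier: str
    status: int
    custom_info: dict = field(default_factory=dict)

class AuthorizationDenialFailureEvent(FailureEvent):
    """Operation-layer denial, dispatched by the interception layer."""

class HttpRequestFailureEvent(FailureEvent):
    """Generic HTTP-layer failure, dispatched by the filter as a fallback."""

class RequestContext:
    """Per-thread flag. Server threads are pooled, so it must be cleared per request."""
    _local = threading.local()
    @classmethod
    def reset(cls):
        cls._local.operation_failure_fired = False
    @classmethod
    def mark_operation_failure(cls):
        cls._local.operation_failure_fired = True
    @classmethod
    def operation_failure_fired(cls):
        return getattr(cls._local, "operation_failure_fired", False)

class EventBus:
    def __init__(self):
        self.events = []
    def dispatch_failure_event(self, event):
        # Every non-HTTP failure event marks the thread so the filter stays quiet.
        if not isinstance(event, HttpRequestFailureEvent):
            RequestContext.mark_operation_failure()
        self.events.append(event)

class HttpAuditFilter:
    def __init__(self, bus, reset_per_request=True):
        self.bus = bus
        self.reset_per_request = reset_per_request  # False reproduces the stale-flag bug
    def do_filter(self, request, response, chain):
        if self.reset_per_request:
            RequestContext.reset()  # assumption: the real filter clears the flag as well
        try:
            chain(request, response)
        finally:
            if response.status >= 400 and not RequestContext.operation_failure_fired():
                self.bus.dispatch_failure_event(HttpRequestFailureEvent(
                    request.user, request.uri, response.status,
                    {"http.method": request.method, "http.uri": request.uri,
                     "http.status": response.status}))

def run(filt, request, handler):
    response = Response()
    filt.do_filter(request, response, handler)
    return response.status

def event_names(bus):
    return [type(e).__name__ for e in bus.events]

def two_requests_one_thread(reset_per_request=True):
    """A 403 that already fired an operation-layer event, then a bare 404 route miss."""
    RequestContext.reset()  # pretend this pool thread is brand new
    bus = EventBus()
    filt = HttpAuditFilter(bus, reset_per_request)

    def denied(req, resp):  # what the interception layer does on an authorization denial
        bus.dispatch_failure_event(AuthorizationDenialFailureEvent(
            req.user, "m1.c1", 403, {"auth.method": "dropCatalog"}))
        resp.status = 403

    def not_found(req, resp):  # unknown route: nothing below the filter fires an event
        resp.status = 404

    run(filt, Request("DELETE", "/api/metalakes/m1/catalogs/c1", "alice"), denied)
    run(filt, Request("GET", "/api/no-such-route"), not_found)
    return event_names(bus)

if __name__ == "__main__":
    print(two_requests_one_thread(True))   # both failures audited, no duplicate
    print(two_requests_one_thread(False))  # stale flag: the 404 is never audited
```

With the per-request reset the two requests yield exactly one event each (the denial event from the interception layer, then the generic HTTP event for the 404); without it the second request produces nothing, which is the silent audit gap to look for when the flag lives in a thread-local on a pooled server thread.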