This is an automated email from the ASF dual-hosted git repository. yongzao pushed a commit to branch append-audit-it in repository https://gitbox.apache.org/repos/asf/iotdb.git
commit e1f3af4598c7e62515427158691c56212f396691 Author: Yongzao <[email protected]> AuthorDate: Thu Sep 25 14:20:55 2025 +0800 synchronize audit conf & rm old version --- .../iotdb/confignode/manager/node/NodeManager.java | 15 +- .../org/apache/iotdb/db/audit/AuditLogStorage.java | 30 --- .../org/apache/iotdb/db/audit/AuditLogger.java | 278 --------------------- .../java/org/apache/iotdb/db/conf/IoTDBConfig.java | 48 ---- .../iotdb/db/protocol/session/SessionManager.java | 36 +-- .../protocol/thrift/impl/ClientRPCServiceImpl.java | 121 --------- .../java/org/apache/iotdb/db/service/DataNode.java | 5 +- .../apache/iotdb/commons/conf/CommonConfig.java | 13 + .../iotdb/commons/conf/CommonDescriptor.java | 10 + .../src/main/thrift/confignode.thrift | 8 + 10 files changed, 50 insertions(+), 514 deletions(-) diff --git a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/node/NodeManager.java b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/node/NodeManager.java index ab247fcad12..4b650de9374 100644 --- a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/node/NodeManager.java +++ b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/node/NodeManager.java @@ -80,6 +80,7 @@ import org.apache.iotdb.confignode.rpc.thrift.TAINodeInfo; import org.apache.iotdb.confignode.rpc.thrift.TAINodeRegisterReq; import org.apache.iotdb.confignode.rpc.thrift.TAINodeRestartReq; import org.apache.iotdb.confignode.rpc.thrift.TAINodeRestartResp; +import org.apache.iotdb.confignode.rpc.thrift.TAuditConfig; import org.apache.iotdb.confignode.rpc.thrift.TCQConfig; import org.apache.iotdb.confignode.rpc.thrift.TConfigNodeInfo; import org.apache.iotdb.confignode.rpc.thrift.TConfigNodeInfo4InformationSchema; @@ -126,7 +127,7 @@ public class NodeManager { private static final Logger LOGGER = LoggerFactory.getLogger(NodeManager.class); private static final ConfigNodeConfig CONF = ConfigNodeDescriptor.getInstance().getConf(); - public static final long HEARTBEAT_INTERVAL = CONF.getHeartbeatIntervalInMs(); + private static final CommonConfig COMMON_CONFIG = CommonDescriptor.getInstance().getConfig(); private final IManager configManager; protected final NodeInfo nodeInfo; @@ -251,6 +252,17 @@ public class NodeManager { dataSet.setCqConfig(cqConfig); } + private TAuditConfig getAuditConfig() { + TAuditConfig auditConfig = new TAuditConfig(); + auditConfig.setEnableAuditLog(COMMON_CONFIG.isEnableAuditLog()); + if (COMMON_CONFIG.isEnableAuditLog()) { + auditConfig.setAuditableOperationType(COMMON_CONFIG.getAuditableOperationTypeInStr()); + auditConfig.setAuditableOperationLevel(COMMON_CONFIG.getAuditableOperationLevelInStr()); + auditConfig.setAuditableOperationResult(COMMON_CONFIG.getAuditableOperationResult()); + } + return auditConfig; + } + private TRuntimeConfiguration getRuntimeConfiguration() { getPipeManager().getPipePluginCoordinator().lock(); try { @@ -274,6 +286,7 @@ public class NodeManager { runtimeConfiguration.setTableInfo( getClusterSchemaManager().getAllTableInfoForDataNodeActivation()); runtimeConfiguration.setClusterId(getClusterManager().getClusterId()); + runtimeConfiguration.setAuditConfig(getAuditConfig()); return runtimeConfiguration; } finally { getUDFManager().getUdfInfo().releaseUDFTableLock(); diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/audit/AuditLogStorage.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/audit/AuditLogStorage.java deleted file mode 100644 index 922839bb8ed..00000000000 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/audit/AuditLogStorage.java +++ /dev/null @@ -1,30 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.iotdb.db.audit; - -public enum AuditLogStorage { - IOTDB, - LOGGER; - - @Override - public String toString() { - return name(); - } -} diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/audit/AuditLogger.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/audit/AuditLogger.java deleted file mode 100644 index 9d4eb188bfa..00000000000 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/audit/AuditLogger.java +++ /dev/null @@ -1,278 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.iotdb.db.audit; - -import org.apache.iotdb.commons.audit.AuditLogOperation; -import org.apache.iotdb.commons.audit.UserEntity; -import org.apache.iotdb.commons.conf.IoTDBConstant; -import org.apache.iotdb.commons.exception.IllegalPathException; -import org.apache.iotdb.commons.utils.CommonDateTimeUtils; -import org.apache.iotdb.db.auth.AuthorityChecker; -import org.apache.iotdb.db.conf.IoTDBConfig; -import org.apache.iotdb.db.conf.IoTDBDescriptor; -import org.apache.iotdb.db.exception.query.QueryProcessException; -import org.apache.iotdb.db.protocol.session.ClientSession; -import org.apache.iotdb.db.protocol.session.IClientSession; -import org.apache.iotdb.db.protocol.session.SessionManager; -import org.apache.iotdb.db.queryengine.common.SessionInfo; -import org.apache.iotdb.db.queryengine.plan.Coordinator; -import org.apache.iotdb.db.queryengine.plan.analyze.ClusterPartitionFetcher; -import org.apache.iotdb.db.queryengine.plan.analyze.cache.schema.DataNodeDevicePathCache; -import org.apache.iotdb.db.queryengine.plan.statement.Statement; -import org.apache.iotdb.db.queryengine.plan.statement.StatementType; -import org.apache.iotdb.db.queryengine.plan.statement.crud.InsertRowStatement; -import org.apache.iotdb.rpc.IoTDBConnectionException; - -import org.apache.tsfile.common.conf.TSFileConfig; -import org.apache.tsfile.enums.TSDataType; -import org.apache.tsfile.utils.Binary; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import javax.validation.constraints.NotNull; - -import java.time.ZoneId; -import java.util.List; - -import static org.apache.iotdb.db.pipe.receiver.protocol.legacy.loader.ILoader.SCHEMA_FETCHER; - -public class AuditLogger { - private static final Logger logger = LoggerFactory.getLogger(AuditLogger.class); - private static final Logger AUDIT_LOGGER = - LoggerFactory.getLogger(IoTDBConstant.AUDIT_LOGGER_NAME); - - private static final String LOG = "log"; - private static final String USERNAME = "username"; - private static final String ADDRESS = "address"; - private static final String AUDIT_LOG_DEVICE = "root.__system.audit._%s"; - private static final Coordinator COORDINATOR = Coordinator.getInstance(); - private static final IoTDBConfig config = IoTDBDescriptor.getInstance().getConfig(); - private static final List<AuditLogStorage> auditLogStorageList = config.getAuditLogStorage(); - private static final SessionInfo sessionInfo = - new SessionInfo( - 0, - new UserEntity( - AuthorityChecker.SUPER_USER_ID, - AuthorityChecker.SUPER_USER, - IoTDBDescriptor.getInstance().getConfig().getInternalAddress()), - ZoneId.systemDefault()); - - private static final List<AuditLogOperation> auditLogOperationList = - config.getAuditableOperationType(); - - private static final SessionManager SESSION_MANAGER = SessionManager.getInstance(); - - private static final DataNodeDevicePathCache DEVICE_PATH_CACHE = - DataNodeDevicePathCache.getInstance(); - - private AuditLogger() { - // Empty constructor - } - - @NotNull - private static InsertRowStatement generateInsertStatement( - String log, String address, String username) - throws IoTDBConnectionException, IllegalPathException, QueryProcessException { - InsertRowStatement insertStatement = new InsertRowStatement(); - insertStatement.setDevicePath( - DEVICE_PATH_CACHE.getPartialPath(String.format(AUDIT_LOG_DEVICE, username))); - insertStatement.setTime(CommonDateTimeUtils.currentTime()); - insertStatement.setMeasurements(new String[] {LOG, USERNAME, ADDRESS}); - insertStatement.setAligned(false); - insertStatement.setValues( - new Object[] { - new Binary(log == null ? "null" : log, TSFileConfig.STRING_CHARSET), - new Binary(username == null ? "null" : username, TSFileConfig.STRING_CHARSET), - new Binary(address == null ? "null" : address, TSFileConfig.STRING_CHARSET) - }); - insertStatement.setDataTypes( - new TSDataType[] {TSDataType.TEXT, TSDataType.TEXT, TSDataType.TEXT}); - return insertStatement; - } - - public static void log(String log, Statement statement) { - AuditLogOperation operation = judgeLogOperation(statement.getType()); - IClientSession currSession = SessionManager.getInstance().getCurrSession(); - String username = ""; - String address = ""; - if (currSession != null) { - ClientSession clientSession = (ClientSession) currSession; - String clientAddress = clientSession.getClientAddress(); - int clientPort = ((ClientSession) currSession).getClientPort(); - address = String.format("%s:%s", clientAddress, clientPort); - username = currSession.getUsername(); - } - - if (auditLogOperationList.contains(operation)) { - if (auditLogStorageList.contains(AuditLogStorage.IOTDB)) { - try { - COORDINATOR.executeForTreeModel( - generateInsertStatement(log, address, username), - SESSION_MANAGER.requestQueryId(), - sessionInfo, - "", - ClusterPartitionFetcher.getInstance(), - SCHEMA_FETCHER); - } catch (IllegalPathException | IoTDBConnectionException | QueryProcessException e) { - logger.error("write audit log series error,", e); - } - } - if (auditLogStorageList.contains(AuditLogStorage.LOGGER)) { - AUDIT_LOGGER.info("user:{},address:{},log:{}", username, address, log); - } - } - } - - public static void log(String log, Statement statement, boolean isNativeApi) { - if (isNativeApi) { - if (config.isEnableAuditLogForNativeInsertApi()) { - log(log, statement); - } - } else { - log(log, statement); - } - } - - private static AuditLogOperation judgeLogOperation(StatementType type) { - switch (type) { - case AUTHOR: - case CREATE_USER: - case DELETE_USER: - case MODIFY_PASSWORD: - case GRANT_USER_PRIVILEGE: - case REVOKE_USER_PRIVILEGE: - case GRANT_USER_ROLE: - case REVOKE_USER_ROLE: - case CREATE_ROLE: - case DELETE_ROLE: - case GRANT_ROLE_PRIVILEGE: - case REVOKE_ROLE_PRIVILEGE: - case GRANT_WATERMARK_EMBEDDING: - case REVOKE_WATERMARK_EMBEDDING: - case STORAGE_GROUP_SCHEMA: - case DELETE_STORAGE_GROUP: - case CREATE_TIME_SERIES: - case CREATE_ALIGNED_TIME_SERIES: - case CREATE_MULTI_TIME_SERIES: - case DELETE_TIME_SERIES: - case ALTER_TIME_SERIES: - case CHANGE_ALIAS: - case CHANGE_TAG_OFFSET: - case CREATE_FUNCTION: - case DROP_FUNCTION: - case CREATE_INDEX: - case DROP_INDEX: - case QUERY_INDEX: - case CREATE_TRIGGER: - case DROP_TRIGGER: - case CREATE_TEMPLATE: - case SET_TEMPLATE: - case MERGE: - case FULL_MERGE: - case MNODE: - case MEASUREMENT_MNODE: - case STORAGE_GROUP_MNODE: - case AUTO_CREATE_DEVICE_MNODE: - case TTL: - case FLUSH: - case CLEAR_CACHE: - case DELETE_PARTITION: - case LOAD_CONFIGURATION: - case CREATE_SCHEMA_SNAPSHOT: - case CREATE_CONTINUOUS_QUERY: - case DROP_CONTINUOUS_QUERY: - case SET_SYSTEM_MODE: - case UNSET_TEMPLATE: - case PRUNE_TEMPLATE: - case APPEND_TEMPLATE: - case DROP_TEMPLATE: - case CREATE_PIPESINK: - case DROP_PIPESINK: - case CREATE_PIPE: - case START_PIPE: - case STOP_PIPE: - case DROP_PIPE: - case DEACTIVATE_TEMPLATE: - case CREATE_PIPEPLUGIN: - case DROP_PIPEPLUGIN: - case CREATE_LOGICAL_VIEW: - case ALTER_LOGICAL_VIEW: - case DELETE_LOGICAL_VIEW: - case RENAME_LOGICAL_VIEW: - case CREATE_TOPIC: - case DROP_TOPIC: - case DROP_SUBSCRIPTION: - return AuditLogOperation.DDL; - case LOAD_DATA: - case INSERT: - case BATCH_INSERT: - case BATCH_INSERT_ROWS: - case BATCH_INSERT_ONE_DEVICE: - case MULTI_BATCH_INSERT: - case PIPE_ENRICHED: - case DELETE: - case SELECT_INTO: - case LOAD_FILES: - case REMOVE_FILE: - case UNLOAD_FILE: - case ACTIVATE_TEMPLATE: - case SETTLE: - case INTERNAL_CREATE_TIMESERIES: - case START_REPAIR_DATA: - case STOP_REPAIR_DATA: - case SET_CONFIGURATION: - return AuditLogOperation.DML; - case LIST_USER: - case LIST_ROLE: - case LIST_USER_PRIVILEGE: - case LIST_ROLE_PRIVILEGE: - case LIST_USER_ROLES: - case LIST_ROLE_USERS: - case QUERY: - case LAST: - case GROUP_BY_TIME: - case GROUP_BY_FILL: - case AGGREGATION: - case FILL: - case UDAF: - case UDTF: - case SHOW: - case SHOW_PIPES: - case SHOW_TOPICS: - case SHOW_SUBSCRIPTIONS: - case SHOW_MERGE_STATUS: - case KILL: - case TRACING: - case SHOW_CONTINUOUS_QUERIES: - case SHOW_SCHEMA_TEMPLATE: - case SHOW_NODES_IN_SCHEMA_TEMPLATE: - case SHOW_PATH_SET_SCHEMA_TEMPLATE: - case SHOW_PATH_USING_SCHEMA_TEMPLATE: - case SHOW_QUERY_RESOURCE: - case FETCH_SCHEMA: - case COUNT: - case SHOW_TRIGGERS: - case SHOW_PIPEPLUGINS: - return AuditLogOperation.QUERY; - default: - return AuditLogOperation.CONTROL; - } - } -} diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/conf/IoTDBConfig.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/conf/IoTDBConfig.java index 4f32529451d..e12f3364600 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/conf/IoTDBConfig.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/conf/IoTDBConfig.java @@ -21,14 +21,12 @@ package org.apache.iotdb.db.conf; import org.apache.iotdb.common.rpc.thrift.TDataNodeLocation; import org.apache.iotdb.common.rpc.thrift.TEndPoint; -import org.apache.iotdb.commons.audit.AuditLogOperation; import org.apache.iotdb.commons.client.property.ClientPoolProperty.DefaultProperty; import org.apache.iotdb.commons.conf.CommonDescriptor; import org.apache.iotdb.commons.conf.IoTDBConstant; import org.apache.iotdb.commons.enums.ReadConsistencyLevel; import org.apache.iotdb.commons.utils.FileUtils; import org.apache.iotdb.consensus.ConsensusFactory; -import org.apache.iotdb.db.audit.AuditLogStorage; import org.apache.iotdb.db.exception.LoadConfigurationException; import org.apache.iotdb.db.protocol.thrift.impl.ClientRPCServiceImpl; import org.apache.iotdb.db.queryengine.plan.relational.metadata.fetcher.cache.LastCacheLoadStrategy; @@ -1044,24 +1042,6 @@ public class IoTDBConfig { private int ratisTransferLeaderTimeoutMs = 30 * 1000; // 30s - /** whether to enable the audit log * */ - private boolean enableAuditLog = false; - - /** Output location of audit logs * */ - private List<AuditLogStorage> auditLogStorage = - Arrays.asList(AuditLogStorage.IOTDB, AuditLogStorage.LOGGER); - - /** Indicates the category collection of audit logs * */ - private List<AuditLogOperation> auditableOperationType = - Arrays.asList( - AuditLogOperation.DML, - AuditLogOperation.DDL, - AuditLogOperation.QUERY, - AuditLogOperation.CONTROL); - - /** whether the local write api records audit logs * */ - private boolean enableAuditLogForNativeInsertApi = true; - // customizedProperties, this should be empty by default. private Properties customizedProperties = new Properties(); @@ -3756,34 +3736,6 @@ public class IoTDBConfig { this.candidateCompactionTaskQueueSize = candidateCompactionTaskQueueSize; } - public boolean isEnableAuditLog() { - return enableAuditLog; - } - - public void setEnableAuditLog(boolean enableAuditLog) { - this.enableAuditLog = enableAuditLog; - } - - public List<AuditLogOperation> getAuditableOperationType() { - return auditableOperationType; - } - - public List<AuditLogStorage> getAuditLogStorage() { - return auditLogStorage; - } - - public void setAuditLogStorage(List<AuditLogStorage> auditLogStorage) { - this.auditLogStorage = auditLogStorage; - } - - public boolean isEnableAuditLogForNativeInsertApi() { - return enableAuditLogForNativeInsertApi; - } - - public void setEnableAuditLogForNativeInsertApi(boolean enableAuditLogForNativeInsertApi) { - this.enableAuditLogForNativeInsertApi = enableAuditLogForNativeInsertApi; - } - public void setModeMapSizeThreshold(int modeMapSizeThreshold) { this.modeMapSizeThreshold = modeMapSizeThreshold; } diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/session/SessionManager.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/session/SessionManager.java index f222e264fbb..a58ed09bb26 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/session/SessionManager.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/session/SessionManager.java @@ -33,7 +33,6 @@ import org.apache.iotdb.commons.service.metric.enums.Metric; import org.apache.iotdb.commons.service.metric.enums.Tag; import org.apache.iotdb.commons.utils.AuthUtils; import org.apache.iotdb.commons.utils.CommonDateTimeUtils; -import org.apache.iotdb.db.audit.AuditLogger; import org.apache.iotdb.db.auth.AuthorityChecker; import org.apache.iotdb.db.auth.BasicAuthorityCache; import org.apache.iotdb.db.auth.ClusterAuthorityFetcher; @@ -49,8 +48,6 @@ import org.apache.iotdb.db.queryengine.plan.execution.ExecutionResult; import org.apache.iotdb.db.queryengine.plan.execution.IQueryExecution; import org.apache.iotdb.db.queryengine.plan.parser.StatementGenerator; import org.apache.iotdb.db.queryengine.plan.statement.Statement; -import org.apache.iotdb.db.queryengine.plan.statement.StatementType; -import org.apache.iotdb.db.queryengine.plan.statement.sys.AuthorStatement; import org.apache.iotdb.db.storageengine.dataregion.read.control.QueryResourceManager; import org.apache.iotdb.db.utils.DataNodeAuthUtils; import org.apache.iotdb.metrics.utils.MetricLevel; @@ -104,17 +101,12 @@ public class SessionManager implements SessionManagerMBean { // The statementId is unique in one IoTDB instance. private final AtomicLong statementIdGenerator = new AtomicLong(); - private static final AuthorStatement AUTHOR_STATEMENT = new AuthorStatement(StatementType.AUTHOR); - public static final TSProtocolVersion CURRENT_RPC_VERSION = TSProtocolVersion.IOTDB_SERVICE_PROTOCOL_V3; private static final MemoizedSupplier<IAuthorityFetcher> authorityFetcher = MemoizedSupplier.valueOf(() -> new ClusterAuthorityFetcher(new BasicAuthorityCache())); - private static final boolean ENABLE_AUDIT_LOG = - IoTDBDescriptor.getInstance().getConfig().isEnableAuditLog(); - protected SessionManager() { // singleton String mbeanName = @@ -315,20 +307,8 @@ public class SessionManager implements SessionManagerMBean { openSessionResp.getMessage(), username, session); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log( - String.format( - "%s: Login status: %s. User : %s, opens Session-%s", - IoTDBConstant.GLOBAL_DB_NAME, openSessionResp.getMessage(), username, session), - AUTHOR_STATEMENT); - } } } else { - if (ENABLE_AUDIT_LOG) { - AuditLogger.log( - String.format("User %s opens Session failed with an incorrect password", username), - AUTHOR_STATEMENT); - } openSessionResp.sessionId(-1).setMessage(loginStatus.message).setCode(loginStatus.code); } @@ -345,21 +325,7 @@ public class SessionManager implements SessionManagerMBean { String.valueOf(session.getId())); // TODO we only need to do so when query is killed by time out close the socket. IClientSession session1 = currSession.get(); - if (session1 != null && session != session1) { - if (ENABLE_AUDIT_LOG) { - AuditLogger.log( - String.format( - "The client-%s is trying to close another session %s, pls check if it's a bug", - session, session1), - AUTHOR_STATEMENT); - } - return false; - } else { - if (ENABLE_AUDIT_LOG) { - AuditLogger.log(String.format("Session-%s is closing", session), AUTHOR_STATEMENT); - } - return true; - } + return session1 == null || session == session1; } private void releaseSessionResource(IClientSession session, LongConsumer releaseQueryResource) { diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/ClientRPCServiceImpl.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/ClientRPCServiceImpl.java index 5308838e251..fb7a0813002 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/ClientRPCServiceImpl.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/ClientRPCServiceImpl.java @@ -44,7 +44,6 @@ import org.apache.iotdb.commons.path.PartialPath; import org.apache.iotdb.commons.schema.column.ColumnHeader; import org.apache.iotdb.commons.utils.PathUtils; import org.apache.iotdb.commons.utils.TimePartitionUtils; -import org.apache.iotdb.db.audit.AuditLogger; import org.apache.iotdb.db.auth.AuthorityChecker; import org.apache.iotdb.db.conf.IoTDBConfig; import org.apache.iotdb.db.conf.IoTDBDescriptor; @@ -251,8 +250,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { private static final TSProtocolVersion CURRENT_RPC_VERSION = TSProtocolVersion.IOTDB_SERVICE_PROTOCOL_V3; - private static final boolean ENABLE_AUDIT_LOG = config.isEnableAuditLog(); - private final IPartitionFetcher partitionFetcher; private final ISchemaFetcher schemaFetcher; @@ -358,9 +355,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { DataNodeThrottleQuotaManager.getInstance() .checkQuota(SESSION_MANAGER.getCurrSession().getUsername(), s); statementType = s.getType(); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log(statement, s); - } queryId = SESSION_MANAGER.requestQueryId(clientSession, req.statementId); @@ -536,9 +530,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { DataNodeThrottleQuotaManager.getInstance() .checkQuota(SESSION_MANAGER.getCurrSession().getUsername(), s); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log(String.format("execute Raw Data Query: %s", req), s); - } queryId = SESSION_MANAGER.requestQueryId(clientSession, req.statementId); // create and cache dataset ExecutionResult result = @@ -628,9 +619,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { DataNodeThrottleQuotaManager.getInstance() .checkQuota(SESSION_MANAGER.getCurrSession().getUsername(), s); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log(String.format("Last Data Query: %s", req), s); - } queryId = SESSION_MANAGER.requestQueryId(clientSession, req.statementId); // create and cache dataset ExecutionResult result = @@ -1166,9 +1154,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { DataNodeThrottleQuotaManager.getInstance() .checkQuota(SESSION_MANAGER.getCurrSession().getUsername(), s); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log(String.format("Last Data Query: %s", req), s); - } // create and cache dataset ExecutionResult result = COORDINATOR.executeForTreeModel( @@ -1554,9 +1539,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { // Step 1: Create SetStorageGroupStatement DatabaseSchemaStatement statement = StatementGenerator.createStatement(storageGroup); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log(String.format("create database %s", storageGroup), statement); - } // permission check TSStatus status = AuthorityChecker.checkAuthority(statement, clientSession); if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) { @@ -1595,9 +1577,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { req.setMeasurementAlias(PathUtils.checkAndReturnSingleMeasurement(req.getMeasurementAlias())); // Step 1: transfer from TSCreateTimeseriesReq to Statement CreateTimeSeriesStatement statement = StatementGenerator.createStatement(req); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log(String.format("create timeseries %s", req.getPath()), statement); - } // permission check TSStatus status = AuthorityChecker.checkAuthority(statement, clientSession); if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) { @@ -1642,12 +1621,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { // Step 1: transfer from CreateAlignedTimeSeriesReq to Statement CreateAlignedTimeSeriesStatement statement = StatementGenerator.createStatement(req); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log( - String.format( - "create aligned timeseries %s.%s", req.getPrefixPath(), req.getMeasurements()), - statement); - } // permission check TSStatus status = AuthorityChecker.checkAuthority(statement, clientSession); if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) { @@ -1692,13 +1665,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { // Step 1: transfer from CreateMultiTimeSeriesReq to Statement CreateMultiTimeSeriesStatement statement = StatementGenerator.createStatement(req); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log( - String.format( - "create %s timeseries, the first is %s", - req.getPaths().size(), req.getPaths().get(0)), - statement); - } // permission check TSStatus status = AuthorityChecker.checkAuthority(statement, clientSession); if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) { @@ -1778,10 +1744,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { // Step 1: transfer from DeleteStorageGroupsReq to Statement DeleteDatabaseStatement statement = StatementGenerator.createStatement(storageGroups); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log(String.format("delete databases: %s", storageGroups), statement); - } - // permission check TSStatus status = AuthorityChecker.checkAuthority(statement, clientSession); if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) { @@ -1872,10 +1834,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { DataNodeThrottleQuotaManager.getInstance() .checkQuota(SESSION_MANAGER.getCurrSession().getUsername(), s); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log(statement, s); - } - queryId = SESSION_MANAGER.requestQueryId(); type = s.getType() == null ? null : s.getType().name(); // create and cache dataset @@ -2056,15 +2014,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { return RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS); } - if (ENABLE_AUDIT_LOG) { - AuditLogger.log( - String.format( - "insertRecords, first device %s, first time %s", - req.prefixPaths.get(0), req.getTimestamps().get(0)), - statement, - true); - } - // permission check TSStatus status = AuthorityChecker.checkAuthority(statement, clientSession); if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) { @@ -2125,15 +2074,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { return RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS); } - if (ENABLE_AUDIT_LOG) { - AuditLogger.log( - String.format( - "insertRecords, first device %s, first time %s", - req.prefixPath, req.getTimestamps().get(0)), - statement, - true); - } - // permission check TSStatus status = AuthorityChecker.checkAuthority(statement, clientSession); if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) { @@ -2196,14 +2136,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { return RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS); } - if (ENABLE_AUDIT_LOG) { - AuditLogger.log( - String.format( - "insertRecords, first device %s, first time %s", - req.prefixPath, req.getTimestamps().get(0)), - statement, - true); - } // permission check TSStatus status = AuthorityChecker.checkAuthority(statement, clientSession); if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) { @@ -2268,14 +2200,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { return RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS); } - if (ENABLE_AUDIT_LOG) { - AuditLogger.log( - String.format( - "insertRecord, device %s, time %s", req.getPrefixPath(), req.getTimestamp()), - statement, - true); - } - // permission check TSStatus status = AuthorityChecker.checkAuthority(statement, clientSession); if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) { @@ -2479,15 +2403,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { return RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS); } - if (ENABLE_AUDIT_LOG) { - AuditLogger.log( - String.format( - "insertRecords, first device %s, first time %s", - req.prefixPaths.get(0), req.getTimestamps().get(0)), - statement, - true); - } - // permission check TSStatus status = AuthorityChecker.checkAuthority(statement, clientSession); if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) { @@ -2638,9 +2553,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { // Step 1: transfer from TSCreateSchemaTemplateReq to Statement CreateSchemaTemplateStatement statement = StatementGenerator.createStatement(req); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log(String.format("create device template %s", req.getName()), statement); - } // permission check TSStatus status = AuthorityChecker.checkAuthority(statement, clientSession); if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) { @@ -2815,9 +2727,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { DataNodeThrottleQuotaManager.getInstance() .checkQuota(SESSION_MANAGER.getCurrSession().getUsername(), statement); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log(String.format("execute Query: %s", statement), statement); - } long queryId = SESSION_MANAGER.requestQueryId(); // create and cache dataset ExecutionResult executionResult = @@ -2886,12 +2795,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { // Step 1: transfer from TSCreateSchemaTemplateReq to Statement SetSchemaTemplateStatement statement = StatementGenerator.createStatement(req); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log( - String.format("set device template %s.%s", req.getTemplateName(), req.getPrefixPath()), - statement); - } - // permission check TSStatus status = AuthorityChecker.checkAuthority(statement, clientSession); if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) { @@ -2933,13 +2836,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { // Step 1: transfer from TSCreateSchemaTemplateReq to Statement UnsetSchemaTemplateStatement statement = StatementGenerator.createStatement(req); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log( - String.format( - "unset device template %s from %s", req.getTemplateName(), req.getPrefixPath()), - statement); - } - // permission check TSStatus status = AuthorityChecker.checkAuthority(statement, clientSession); if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) { @@ -2981,10 +2877,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { // Step 1: transfer from TSCreateSchemaTemplateReq to Statement DropSchemaTemplateStatement statement = StatementGenerator.createStatement(req); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log(String.format("drop device template %s", req.getTemplateName()), statement); - } - // permission check TSStatus status = AuthorityChecker.checkAuthority(statement, clientSession); if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) { @@ -3024,11 +2916,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { BatchActivateTemplateStatement statement = StatementGenerator.createBatchActivateTemplateStatement(req.getDevicePathList()); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log( - String.format("batch activate device template %s", req.getDevicePathList()), statement); - } - // permission check TSStatus status = AuthorityChecker.checkAuthority(statement, clientSession); if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) { @@ -3119,14 +3006,6 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler { final InsertRowStatement statement = StatementGenerator.createStatement(req); - if (ENABLE_AUDIT_LOG) { - AuditLogger.log( - String.format( - "insertStringRecord, device %s, time %s", req.getPrefixPath(), req.getTimestamp()), - statement, - true); - } - // Permission check final TSStatus status = AuthorityChecker.checkAuthority(statement, clientSession); if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) { diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/DataNode.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/DataNode.java index 3ad839c2836..1964b19bb1e 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/DataNode.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/DataNode.java @@ -481,8 +481,11 @@ public class DataNode extends ServerCommandLine implements DataNodeMBean { String clusterId = runtimeConfiguration.getClusterId(); storeClusterID(clusterId); - /* Store table info*/ + /* Store table info */ DataNodeTableCache.getInstance().init(runtimeConfiguration.getTableInfo()); + + /* Store audit log configuration */ + CommonDescriptor.getInstance().loadAuditConfig(runtimeConfiguration.auditConfig); } /** diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java index d51893ea676..a960584c66c 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java @@ -2649,6 +2649,15 @@ public class CommonConfig { this.enableAuditLog = enableAuditLog; } + public String getAuditableOperationTypeInStr() { + StringBuilder result = new StringBuilder(); + for (AuditLogOperation operation : auditableOperationType) { + result.append(operation.name()).append(","); + } + result.deleteCharAt(result.length() - 1); + return result.toString(); + } + public List<AuditLogOperation> getAuditableOperationType() { return auditableOperationType; } @@ -2672,6 +2681,10 @@ public class CommonConfig { this.auditableOperationType = auditableOperationType; } + public String getAuditableOperationLevelInStr() { + return auditableOperationLevel.name(); + } + public PrivilegeLevel getAuditableOperationLevel() { return auditableOperationLevel; } diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java index 93129b62745..0957317aa59 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java @@ -22,6 +22,7 @@ package org.apache.iotdb.commons.conf; import org.apache.iotdb.commons.enums.HandleSystemErrorStrategy; import org.apache.iotdb.commons.pipe.config.PipeDescriptor; import org.apache.iotdb.commons.utils.CommonDateTimeUtils; +import org.apache.iotdb.confignode.rpc.thrift.TAuditConfig; import org.apache.iotdb.confignode.rpc.thrift.TGlobalConfig; import org.slf4j.Logger; @@ -474,6 +475,15 @@ public class CommonDescriptor { config.setDiskSpaceWarningThreshold(globalConfig.getDiskSpaceWarningThreshold()); } + public void loadAuditConfig(TAuditConfig auditConfig) { + config.setEnableAuditLog(auditConfig.isEnableAuditLog()); + if (auditConfig.isEnableAuditLog()) { + config.setAuditableOperationType(auditConfig.getAuditableOperationType()); + config.setAuditableOperationLevel(auditConfig.getAuditableOperationLevel()); + config.setAuditableOperationResult(auditConfig.getAuditableOperationResult()); + } + } + public void initThriftSSL(TrimProperties properties) { config.setEnableThriftClientSSL( Boolean.parseBoolean( diff --git a/iotdb-protocol/thrift-confignode/src/main/thrift/confignode.thrift b/iotdb-protocol/thrift-confignode/src/main/thrift/confignode.thrift index 98ca620d871..ef15f67ffda 100644 --- a/iotdb-protocol/thrift-confignode/src/main/thrift/confignode.thrift +++ b/iotdb-protocol/thrift-confignode/src/main/thrift/confignode.thrift @@ -29,6 +29,13 @@ struct TSystemConfigurationResp { 4: optional TCQConfig cqConfig } +struct TAuditConfig { + 1: required bool enableAuditLog + 2: optional string auditableOperationType + 3: optional string auditableOperationLevel + 4: optional string auditableOperationResult +} + struct TGlobalConfig { 1: required string dataRegionConsensusProtocolClass 2: required string schemaRegionConsensusProtocolClass @@ -109,6 +116,7 @@ struct TRuntimeConfiguration { 5: required list<binary> allPipeInformation 6: optional string clusterId 7: optional binary tableInfo + 8: required TAuditConfig auditConfig } struct TDataNodeRegisterReq {
