lujie created KAFKA-19105:
-----------------------------

Summary: Add Audit Logging for Authentication Events with Performance Consideration
Key: KAFKA-19105
URL: https://issues.apache.org/jira/browse/KAFKA-19105
Project: Kafka
Issue Type: Improvement
Components: security
Reporter: lujie
*Motivation:*

Currently, Kafka lacks proper audit logging for authentication events. While authorization events are well logged, authentication attempts (both successful and failed) have no dedicated audit logs. This makes it difficult to track authentication activity and to troubleshoot security issues in production environments.

*Problem:*

1. No dedicated audit logging for authentication attempts
2. Security teams cannot effectively monitor authentication activities
3. Troubleshooting authentication issues requires enabling debug logs for the entire security component
4. Compliance requirements for authentication audit trails are not met

*Proposed Changes:*

Add dedicated audit logging with performance consideration:

{code:java}
import java.io.IOException;

import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;

import org.apache.kafka.common.errors.SaslAuthenticationException;
import org.apache.kafka.common.network.Authenticator;
import org.apache.kafka.common.network.TransportLayer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SaslServerAuthenticator implements Authenticator {
    private static final Logger LOG = LoggerFactory.getLogger(SaslServerAuthenticator.class);
    // Dedicated audit logger so audit output can be routed and level-controlled
    // independently of the regular class logger
    private static final Logger AUDIT_LOG = LoggerFactory.getLogger("kafka.security.audit");

    // Existing state of the authenticator, initialised by its constructor
    // (declared here only so the snippet is self-contained)
    private SaslServer saslServer;
    private String connectionId;
    private TransportLayer transportLayer;
    private String mechanism;

    private void handleSaslToken(byte[] clientToken) throws IOException {
        try {
            byte[] response = saslServer.evaluateResponse(clientToken);
            // response is returned to the client by the existing code path (unchanged, omitted here)
            if (saslServer.isComplete()) {
                // Use TRACE level for successful authentication; the level check avoids
                // building the message and resolving the remote address when audit logging is off
                if (AUDIT_LOG.isTraceEnabled()) {
                    AUDIT_LOG.trace("Authentication successful - Connection: {}, " +
                                    "Client: {}, Principal: {}, Mechanism: {}",
                                    connectionId,
                                    transportLayer.socketChannel().getRemoteAddress(),
                                    saslServer.getAuthorizationID(),
                                    mechanism);
                }
            }
        } catch (SaslException e) {
            // Use DEBUG level for failed authentication
            if (AUDIT_LOG.isDebugEnabled()) {
                AUDIT_LOG.debug("Authentication failed - Connection: {}, " +
                                "Client: {}, Mechanism: {}, Error: {}",
                                connectionId,
                                transportLayer.socketChannel().getRemoteAddress(),
                                mechanism,
                                e.getMessage());
            }
            throw new SaslAuthenticationException("SASL Authentication failed", e);
        }
    }

    // Remaining Authenticator methods are unchanged and omitted
}
{code}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
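As an added example (not part of this ticket or of the Kafka code base), the following Python script shows how a security team could consume the proposed audit lines: it parses the two message templates from the snippet above and counts failed attempts per client host. The {{[timestamp] LEVEL ... (logger)}} prefix and suffix, the sample addresses and the error text are constructed assumptions about the log4j layout.

```python
import re
from collections import Counter

# Constructed sample output in the format the proposed AUDIT_LOG calls would
# produce; the "[ts] LEVEL ... (logger)" layout is an assumed log4j pattern.
SAMPLE_AUDIT_LOG = """\
[2024-01-01 10:00:00,001] TRACE Authentication successful - Connection: 10.0.0.5:9092-10.0.0.21:51234-0, Client: /10.0.0.21:51234, Principal: alice, Mechanism: SCRAM-SHA-512 (kafka.security.audit)
[2024-01-01 10:00:01,002] DEBUG Authentication failed - Connection: 10.0.0.5:9092-10.0.0.99:40001-1, Client: /10.0.0.99:40001, Mechanism: PLAIN, Error: Authentication failed: Invalid username or password (kafka.security.audit)
[2024-01-01 10:00:01,503] DEBUG Authentication failed - Connection: 10.0.0.5:9092-10.0.0.99:40002-2, Client: /10.0.0.99:40002, Mechanism: PLAIN, Error: Authentication failed: Invalid username or password (kafka.security.audit)
[2024-01-01 10:00:02,004] DEBUG Authentication failed - Connection: 10.0.0.5:9092-10.0.0.99:40003-3, Client: /10.0.0.99:40003, Mechanism: PLAIN, Error: Authentication failed: Invalid username or password (kafka.security.audit)
[2024-01-01 10:00:03,005] INFO Unrelated broker message (kafka.server.KafkaServer)
"""

# Field order mirrors the two message templates in the proposed snippet.
SUCCESS_RE = re.compile(
    r"Authentication successful - Connection: (?P<conn>[^,]+), Client: (?P<client>[^,]+), "
    r"Principal: (?P<principal>[^,]+), Mechanism: (?P<mech>\S+)")
FAILURE_RE = re.compile(
    r"Authentication failed - Connection: (?P<conn>[^,]+), Client: (?P<client>[^,]+), "
    r"Mechanism: (?P<mech>[^,]+), Error: (?P<error>.*?)(?: \(kafka\.security\.audit\))?$")


def parse_audit_line(line):
    """Return one audit event as a dict, or None if the line is not an audit event."""
    m = SUCCESS_RE.search(line)
    if m:
        return {"outcome": "success", **m.groupdict()}
    m = FAILURE_RE.search(line)
    if m:
        return {"outcome": "failure", **m.groupdict()}
    return None


def client_host(client):
    """getRemoteAddress() renders as '/host:port'; keep only the host part."""
    return client.lstrip("/").rsplit(":", 1)[0]


def summarize(log_text, failure_threshold=3):
    """Aggregate audit events and flag hosts at or above the failure threshold."""
    events = [e for e in map(parse_audit_line, log_text.splitlines()) if e]
    failures = Counter(client_host(e["client"]) for e in events if e["outcome"] == "failure")
    successes = Counter(e["principal"] for e in events if e["outcome"] == "success")
    flagged = sorted(h for h, n in failures.items() if n >= failure_threshold)
    return {"events": len(events), "failures_by_host": dict(failures),
            "successes_by_principal": dict(successes), "flagged_hosts": flagged}


if __name__ == "__main__":
    print(summarize(SAMPLE_AUDIT_LOG))
```

Because the proposal logs successes at TRACE and failures at DEBUG, the {{kafka.security.audit}} logger must be enabled at TRACE for both event types to reach such a consumer.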