lujie created KAFKA-19105:
-----------------------------

             Summary: Add Audit Logging for Authentication Events with Performance Consideration
                 Key: KAFKA-19105
                 URL: https://issues.apache.org/jira/browse/KAFKA-19105
             Project: Kafka
          Issue Type: Improvement
          Components: security
            Reporter: lujie


*Motivation:*
Currently, Kafka lacks proper audit logging for authentication events. While 
authorization events are well logged, authentication attempts (both successful 
and failed) don't have dedicated audit logs. This makes it difficult to track 
authentication activities and troubleshoot security issues in production 
environments.
 
*Problem:*
1. No dedicated audit logging for authentication attempts
2. Security teams cannot effectively monitor authentication activities
3. Troubleshooting authentication issues requires enabling debug logs for the 
entire security component
4. Compliance requirements for authentication audit trails are not met
 
*Proposed Changes:* 
Add dedicated audit logging with performance consideration:
{code:java}
public class SaslServerAuthenticator implements Authenticator {
    private static final Logger LOG = LoggerFactory.getLogger(SaslServerAuthenticator.class);
    // Dedicated audit logger so operators can route/level it independently of
    // the component logger above (e.g. ship "kafka.security.audit" to a SIEM).
    private static final Logger AUDIT_LOG = LoggerFactory.getLogger("kafka.security.audit");

    // The sketch below refers to the existing instance state of the real
    // authenticator (saslServer, transportLayer, connectionId, mechanism);
    // those fields are not reproduced here.

    private void handleSaslToken(byte[] clientToken) throws IOException {
        try {
            byte[] response = saslServer.evaluateResponse(clientToken);
            // (sending `response` back to the client is omitted from the sketch)
            if (saslServer.isComplete()) {
                // Use TRACE level for successful authentication; guard the call
                // so argument evaluation is skipped when the level is off.
                if (AUDIT_LOG.isTraceEnabled()) {
                    AUDIT_LOG.trace("Authentication successful - Connection: {}, " +
                        "Client: {}, Principal: {}, Mechanism: {}",
                        connectionId,
                        transportLayer.socketChannel().getRemoteAddress(),
                        saslServer.getAuthorizationID(),
                        mechanism);
                }
            }
        } catch (SaslException e) {
            // Use DEBUG level for failed authentication
            if (AUDIT_LOG.isDebugEnabled()) {
                AUDIT_LOG.debug("Authentication failed - Connection: {}, " +
                    "Client: {}, Mechanism: {}, Error: {}",
                    connectionId,
                    transportLayer.socketChannel().getRemoteAddress(),
                    mechanism,
                    e.getMessage());
            }
            throw new SaslAuthenticationException("SASL Authentication failed", e);
        }
    }
}
{code}
 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

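Added example (not part of the ticket or of Kafka itself): the consumer side of the proposed audit log. It parses the two message formats sketched above as they would appear under Kafka's default log4j layout `[%d] %p %m (%c)%n` (an assumption; adjust the prefix/suffix regex if your layout differs), ignores non-audit lines, and runs the two checks a security team would want on them: a sliding-window count of failures per client host, and successful logins from a host that had just been flagged. The log lines, hosts, principals and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Both message formats from the ticket, wrapped in the assumed default layout
# "[%d] %p %m (%c)%n". Principal is only present on success, Error only on failure.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\] (?P<level>\w+) "
    r"Authentication (?P<outcome>successful|failed) - Connection: (?P<conn>\S+), "
    r"Client: (?P<client>\S+), (?:Principal: (?P<principal>[^,]+), )?"
    r"Mechanism: (?P<mech>\w[\w-]*)(?:, Error: (?P<error>.*?))? \(kafka\.security\.audit\)$"
)


@dataclass
class AuthEvent:
    ts: datetime
    success: bool
    connection: str
    client_host: str          # remote address with the leading "/" and port stripped
    mechanism: str
    principal: Optional[str]  # None for failures
    error: Optional[str]      # None for successes


def parse_line(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for an audit line, or None for any other log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # InetSocketAddress.toString() renders as "/10.0.0.5:51234"; keep only the host.
    host = m.group("client").lstrip("/").rsplit(":", 1)[0]
    return AuthEvent(
        ts=datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        success=m.group("outcome") == "successful",
        connection=m.group("conn"),
        client_host=host,
        mechanism=m.group("mech"),
        principal=m.group("principal"),
        error=m.group("error"),
    )


def parse_lines(lines: Iterable[str]) -> List[AuthEvent]:
    return [ev for ev in map(parse_line, lines) if ev is not None]


def failure_counts(events: Iterable[AuthEvent]) -> Dict[str, int]:
    """Total failed attempts per client host."""
    counts: Dict[str, int] = defaultdict(int)
    for ev in events:
        if not ev.success:
            counts[ev.client_host] += 1
    return dict(counts)


def find_bruteforce(events: Iterable[AuthEvent], threshold: int = 5,
                    window: timedelta = timedelta(minutes=5)) -> Dict[str, datetime]:
    """Flag a host the first time it reaches `threshold` failures inside `window`.

    Returns {host: time of the failure that crossed the threshold}.
    """
    recent: Dict[str, List[datetime]] = defaultdict(list)
    flagged: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.success:
            continue
        q = recent[ev.client_host]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # drop failures outside the window
            q.pop(0)
        if len(q) >= threshold and ev.client_host not in flagged:
            flagged[ev.client_host] = ev.ts
    return flagged


def successes_after_burst(events: Iterable[AuthEvent],
                          flagged: Dict[str, datetime]) -> List[Tuple[str, str, datetime]]:
    """Successful logins from a flagged host at or after the time it was flagged."""
    return [
        (ev.principal or "", ev.client_host, ev.ts)
        for ev in sorted(events, key=lambda e: e.ts)
        if ev.success and ev.client_host in flagged and ev.ts >= flagged[ev.client_host]
    ]


# Constructed sample log: six failures from 10.0.0.5 ten seconds apart, then a
# success as "alice" from the same host; one failure from 10.0.0.9; one
# unrelated success; one non-audit broker line that must be ignored.
SAMPLE_LINES = [
    f"[2025-04-08 10:00:{s:02d},000] DEBUG Authentication failed - "
    f"Connection: 10.0.0.1:9093-10.0.0.5:{51230 + i}-0, Client: /10.0.0.5:{51230 + i}, "
    f"Mechanism: PLAIN, Error: Authentication failed: Invalid username or password "
    f"(kafka.security.audit)"
    for i, s in enumerate(range(0, 60, 10))
] + [
    "[2025-04-08 10:00:15,000] INFO Some unrelated broker message (kafka.server.KafkaServer)",
    "[2025-04-08 10:00:25,000] DEBUG Authentication failed - Connection: 10.0.0.1:9093-10.0.0.9:40001-0, "
    "Client: /10.0.0.9:40001, Mechanism: SCRAM-SHA-256, Error: invalid credentials (kafka.security.audit)",
    "[2025-04-08 10:00:35,000] TRACE Authentication successful - Connection: 10.0.0.1:9093-10.0.0.7:50000-1, "
    "Client: /10.0.0.7:50000, Principal: svc-orders, Mechanism: SCRAM-SHA-512 (kafka.security.audit)",
    "[2025-04-08 10:01:00,000] TRACE Authentication successful - Connection: 10.0.0.1:9093-10.0.0.5:51236-0, "
    "Client: /10.0.0.5:51236, Principal: alice, Mechanism: PLAIN (kafka.security.audit)",
]

if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LINES)
    print("failures per host:", failure_counts(evs))
    flagged = find_bruteforce(evs)
    print("flagged hosts:", flagged)
    print("successes after burst:", successes_after_burst(evs, flagged))
```

Note that the failure branch in the ticket logs at DEBUG, so with the default INFO root level the failed-attempt lines this script depends on are not emitted; a deployment that wants this detection must set `kafka.security.audit` to DEBUG (or TRACE to also get the success lines) in its log4j configuration.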