ijuma commented on code in PR #13090:
URL: https://github.com/apache/kafka/pull/13090#discussion_r1066631471
##########
metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java:
##########
@@ -329,7 +329,7 @@ private void logAuditMessage(
// authorized operations or a filter (e.g for regex
subscriptions) to filter out authorized resources.
// In this case, log only at trace level.
if (action.logIfDenied()) {
- auditLog.info(buildAuditMessage(principal, requestContext,
action, rule));
+ auditLog.warn(buildAuditMessage(principal, requestContext,
action, rule));
Review Comment:
The `AclAuthorizer` (as shown below) has the same implementation. This is
long-standing behavior and there would have to be a strong reason to change it
at this point.
> if (authorized) {
> // logIfAllowed is true if access is granted to the resource as a
result of this authorization.
> // In this case, log at debug level. If false, no access is actually
granted, the result is used
> // only to determine authorized operations. So log only at trace
level.
> if (action.logIfAllowed)
> authorizerLogger.debug(logMessage)
> else
> authorizerLogger.trace(logMessage)
> } else {
> // logIfDenied is true if access to the resource was explicitly
requested. Since this is an attempt
> // to access unauthorized resources, log at info level. If false,
this is either a request to determine
> // authorized operations or a filter (e.g for regex subscriptions)
to filter out authorized resources.
> // In this case, log only at trace level.
> if (action.logIfDenied)
> authorizerLogger.info(logMessage)
> else
> authorizerLogger.trace(logMessage)
> }
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
