bbotella commented on code in PR #3728:
URL: https://github.com/apache/cassandra/pull/3728#discussion_r1892384865
##########
src/java/org/apache/cassandra/audit/AuditLogManager.java:
##########
@@ -400,4 +419,104 @@ else if (e instanceof
PasswordGuardrail.PasswordGuardrailException)
return PasswordObfuscator.obfuscate(e.getMessage());
}
+
+ private static class JmxFormatter
+ {
+ private static String user(Subject subject)
+ {
+ return String.format("%s", subject == null ? null :
subject.getPrincipals().stream().map(Objects::toString).collect(Collectors.joining(",
")));
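Review bot: `String.format("%s", ...)` around the ternary is redundant in the new `user(Subject)` helper; `String.valueOf(...)` gives the same `"null"`/joined result without a format parse. Separately, mapping principals with `Objects::toString` makes the audited identity depend on each `Principal` implementation's `toString()`, which is not guaranteed to be stable or to be just the name; mapping with `Principal::getName` would give a predictable value for audit log consumers.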
Review Comment:
I understand this is not a hot path, but following the decision on
[this](https://lists.apache.org/thread/65glsjzkmpktzmns6j9wvr4nczvskx36)
thread, we may want to stay away from streams in non-test code?
##########
src/java/org/apache/cassandra/auth/jmx/AuthorizationProxy.java:
##########
@@ -140,43 +142,57 @@ public class AuthorizationProxy implements
InvocationHandler
*/
protected BooleanSupplier isAuthSetupComplete = () ->
StorageService.instance.isAuthSetupComplete();
+ protected JmxInvocationListener listener = AuditLogManager.instance;
+
@Override
public Object invoke(Object proxy, Method method, Object[] args)
throws Throwable
{
String methodName = method.getName();
- if ("getMBeanServer".equals(methodName))
- throw new SecurityException("Access denied");
-
- // Corresponds to MBeanServer.invoke
- if (methodName.equals("invoke") && args.length == 4)
- checkVulnerableMethods(args);
-
// Retrieve Subject from current AccessControlContext
AccessControlContext acc = AccessController.getContext();
Subject subject = Subject.getSubject(acc);
- // Allow setMBeanServer iff performed on behalf of the connector
server itself
- if (("setMBeanServer").equals(methodName))
+ try
{
- if (subject != null)
+ if ("getMBeanServer".equals(methodName))
throw new SecurityException("Access denied");
- if (args[0] == null)
- throw new IllegalArgumentException("Null MBeanServer");
+ // Corresponds to MBeanServer.invoke
+ if (methodName.equals("invoke") && args.length == 4)
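Review bot: the new `protected JmxInvocationListener listener = AuditLogManager.instance;` field is non-final on a class that is the JMX authorization boundary; unless it must stay overridable (e.g. for tests, in which case a comment should say so), make it `final` so the audit hook cannot be replaced after construction. Moving the `getMBeanServer` denial and the `checkVulnerableMethods` call inside the `try` (after the `Subject` lookup) is the right direction if the listener is notified from the catch/finally, since rejected calls are then audited with the caller's subject; a short comment above `try` stating that intent would help future readers, as the diff only shows the block opening here.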
Review Comment:
Nit: `"invoke".equals(methodName)` for consistency with others?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]