Re: Review Request 44265: Basic Operational Audit Logging

[Daniel Gergely]

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/44265/
-----------------------------------------------------------

(Updated márc. 24, 2016, 12:20 du)


Review request for Ambari, Laszlo Puskas, Oliver Szabo, Robert Levas, Sandor 
Magyari, and Sebastian Toader.


Changes
-------

A new branch is created: audit_logging that has all the changes.
Since the previous patch the following fixes are added:
- instead of getting all the stages from DB, tasks are cached for a request and 
the status is calculated based on that.
- AsyncEventBus is used instead of a custom implementation
- Ambari properties now have a switch to disable audit logging: auditlog.enabled


Bugs: AMBARI-15241
    https://issues.apache.org/jira/browse/AMBARI-15241


Repository: ambari


Description
-------

Entry points for logging events:
- Login and logout: AmbariAuthenticationFilter, AmbariAuthorizationFilter, 
LogoutService
- Operation and tasks: ActionDBAAccessorImpl
- Kerberos related events: CreateKeytabFilesServerAction, 
CreatePrincipalServerAction, DestroyPrincipalsServerAction, 
FinalizeKerberosServerAction
- REST api: BaseService

Architecture:
AuditLogger injectable is created and wired in by Guice. The default 
implementation (AuditLoggerDefaultImpl) for this interface logs to a file. 
Considering performance impact, there is a buffered audit logger implementation 
(BufferedAuditLogger) that is a wrapper for an audit logger implementation and 
does the logging asynchronously.

Audit loggers have a single log method that accepts an AuditEvent object. At 
the entry points an AuditEvent is assembled and log method is called (except 
for the REST api, see below...)

REST Api:
In BaseService, there is a RequestAuditLogger, that is responsible for handling 
and assembling AuditEvents. It also has a log method, but the parameters for 
that is the Request and Result objects.
RequestAuditLogger is a small framework for that plugins can be implemented to 
handle different type of requests.
Plugins implements RequestAuditEventCreator interface and can be set to handle 
one or multiple request types (PUT, POST, DELETE, etc...), resource types 
(HOST_COMPONENT, BLUEPRINT, etc..) and results statuses (200 OK, 202 ACCEPTED, 
404 NOT_FOUND, etc). If null is returned by these getters, it means "all". If 
there are more than one RequestAuditEventCreators can handle a request, then 
the most specific is called. (Priority order: resourceType > resultStatus > 
requestType)
For example it is possible to define a plugin for all the POST requests, but if 
there is an other plugin for POST request and for resource type HOST_COMPONENT, 
then this latter is used (because it is more specific). The method 
createAuditEvent is responsible for creating the AuditEvent object for the 
RequestAuditEventLogger. If null is returned, then request is not logged (can 
be used for ignoring events).
Plugins are registered in ControllerModule and wired by guice to the 
RequestAuditLogger. If a new plugin is needed, then implementing the 
RequestAuditEventCreator interface and registering it in Guice is the only 
things to do. (open-closed principle)


Diffs (updated)
-----

  ambari-project/pom.xml b3d9ca2 
  ambari-server/conf/unix/log4j.properties 2ee32d4 
  ambari-server/conf/windows/log4j.properties cc40f74 
  ambari-server/pom.xml 1e44517 
  ambari-server/src/main/conf/log4j.properties 8e6652d 
  
ambari-server/src/main/java/org/apache/ambari/server/actionmanager/ActionDBAccessorImpl.java
 429f573 
  
ambari-server/src/main/java/org/apache/ambari/server/api/services/BaseRequest.java
 a33e8a7 
  
ambari-server/src/main/java/org/apache/ambari/server/api/services/BaseService.java
 7945599 
  
ambari-server/src/main/java/org/apache/ambari/server/api/services/LogoutService.java
 df8faaa 
  
ambari-server/src/main/java/org/apache/ambari/server/api/services/Request.java 
ff9b6c7 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/AsyncAuditLogger.java
 PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/audit/AuditLogger.java 
PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/AuditLoggerDefaultImpl.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/AuditLoggerModule.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/AbstractAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/AbstractUserAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/AccessUnauthorizedAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/AuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/LoginAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/LogoutAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/OperationStatusAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/TaskStatusAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/kerberos/AbstractKerberosAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/kerberos/ChangeSecurityStateKerberosAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/kerberos/CreateKeyTabKerberosAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/kerberos/CreatePrincipalKerberosAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/kerberos/DestroyPrincipalKerberosAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ActivateUserRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/AddAlertGroupRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/AddAlertTargetRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/AddBlueprintRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/AddComponentToHostRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/AddCredentialRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/AddHostRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/AddRepositoryRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/AddRepositoryVersionRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/AddRequestRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/AddUpgradeRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/AddUserToGroupRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/AddViewInstanceRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/AdminUserRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/BlueprintExportRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ChangeAlertGroupRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ChangeAlertTargetRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ChangeRepositoryVersionRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ChangeViewInstanceRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClientConfigDownloadRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterNameChangeRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ClusterPrivilegeChangeRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ConfigurationChangeRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/CreateGroupRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/CreateUserRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/DeleteAlertGroupRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/DeleteAlertTargetRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/DeleteBlueprintRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/DeleteGroupRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/DeleteHostRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/DeleteRepositoryVersionRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/DeleteServiceRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/DeleteUserRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/DeleteViewInstanceRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/MembershipChangeRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/PrivilegeChangeRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/RemoveUserFromGroupRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/StartOperationRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/UpdateRepositoryRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/UpdateUpgradeItemRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/UserPasswordChangeRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/event/request/ViewPrivilegeChangeRequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/RequestAuditEvent.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/RequestAuditEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/RequestAuditLogger.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/RequestAuditLoggerImpl.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/AlertGroupEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/AlertTargetEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/BlueprintEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/BlueprintExportEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ComponentEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ConfigurationChangeEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/CredentialEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/DefaultEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/GroupEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/HostEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/MemberEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/PrivilegeEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/RecommendationIgnoreEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/RepositoryEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/RepositoryVersionEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/RequestEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ServiceConfigDownloadEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ServiceEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/UnauthorizedEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/UpgradeEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/UpgradeItemEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/UserEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ValidationIgnoreEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewInstanceEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/audit/request/eventcreator/ViewPrivilegeEventCreator.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
 9404506 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
 076f850 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/ControllerModule.java
 daca64d 
  
ambari-server/src/main/java/org/apache/ambari/server/security/authentication/AmbariAuthenticationFilter.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
 4be804d 
  
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
 b136182 
  
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/PermissionHelper.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/serveraction/AbstractServerAction.java
 33191bf 
  
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
 cadfe28 
  
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java
 8009ae1 
  
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/DestroyPrincipalsServerAction.java
 93daae8 
  
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/FinalizeKerberosServerAction.java
 c710b8e 
  ambari-server/src/main/java/org/apache/ambari/server/utils/RequestUtils.java 
PRE-CREATION 
  ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml 3bbc785 
  
ambari-server/src/test/java/org/apache/ambari/server/actionmanager/TestActionDBAccessorImpl.java
 f88cf8e 
  
ambari-server/src/test/java/org/apache/ambari/server/actionmanager/TestActionManager.java
 d7d08b1 
  
ambari-server/src/test/java/org/apache/ambari/server/agent/HeartbeatProcessorTest.java
 7f3d763 
  
ambari-server/src/test/java/org/apache/ambari/server/api/services/BaseServiceTest.java
 19eeffb 
  
ambari-server/src/test/java/org/apache/ambari/server/audit/AccessUnauthorizedAuditEventTest.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/audit/LoginAuditEventTest.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/audit/LogoutAuditEventTest.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/audit/OperationStatusAuditEventTest.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/audit/StartOperationRequestAuditEventTest.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/audit/request/AbstractBaseCreator.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/audit/request/AllGetCreator.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/audit/request/AllPostAndPutCreator.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/audit/request/DefaultEventCreatorTest.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/audit/request/PutHostComponentCreator.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/audit/request/RequestAuditLogModule.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/audit/request/RequestAuditLoggerTest.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/checks/UpgradeCheckOrderTest.java
 d4ff566 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java
 ca062c0 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
 f6027f3 
  
ambari-server/src/test/java/org/apache/ambari/server/notifications/DispatchFactoryTest.java
 6834d5c 
  
ambari-server/src/test/java/org/apache/ambari/server/orm/InMemoryDefaultTestModule.java
 3ecfe14 
  
ambari-server/src/test/java/org/apache/ambari/server/orm/JdbcPropertyTest.java 
c07382b 
  
ambari-server/src/test/java/org/apache/ambari/server/security/authentication/AmbariAuthenticationFilterTest.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
 9db3904 
  
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDNWithSpaceTest.java
 da8d9bc 
  
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java
 d48be85 
  
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLocalUserDetailsServiceTest.java
 c410f5b 
  
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/LdapServerPropertiesTest.java
 0797239 
  
ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerActionTest.java
 ce97f25 
  
ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/UpdateKerberosConfigsServerActionTest.java
 d6f9efe 
  
ambari-server/src/test/java/org/apache/ambari/server/utils/RequestUtilsTest.java
 PRE-CREATION 

Diff: https://reviews.apache.org/r/44265/diff/


Testing
-------

Unit tests are added to cover functionality. 

All tests passed on local machine.


Thanks,

Daniel Gergely