Repository: cassandra Updated Branches: refs/heads/trunk 131080371 -> f46762eec
Audit log allows system keyspaces to be audited via configuration options Patch by Vinay Chella; reviewed by Per Otterström and marcuse for CASSANDRA-14498 Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/f46762ee Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/f46762ee Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/f46762ee Branch: refs/heads/trunk Commit: f46762eeca9f5d7e32e731573a8c3e521b70fc05 Parents: 1310803 Author: Vinay Chella <vinaykumar...@gmail.com> Authored: Fri Nov 16 15:18:50 2018 -0800 Committer: Marcus Eriksson <marc...@apache.org> Committed: Mon Nov 19 12:34:34 2018 +0100 ---------------------------------------------------------------------- CHANGES.txt | 1 + conf/cassandra.yaml | 2 +- doc/source/operating/audit_logging.rst | 7 +++-- .../apache/cassandra/audit/AuditLogManager.java | 8 +---- .../apache/cassandra/audit/AuditLogOptions.java | 3 +- .../apache/cassandra/audit/AuditLoggerTest.java | 33 ++++++++++++++++++++ .../cassandra/db/virtual/SettingsTableTest.java | 2 +- 7 files changed, 44 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cassandra/blob/f46762ee/CHANGES.txt ---------------------------------------------------------------------- diff --git a/CHANGES.txt b/CHANGES.txt index c77e7ed..362677a 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,4 +1,5 @@ 4.0 + * Audit log allows system keyspaces to be audited via configuration options (CASSANDRA-14498) * Lower default chunk_length_in_kb from 64kb to 16kb (CASSANDRA-13241) * Startup checker should wait for count rather than percentage (CASSANDRA-14297) * Fix incorrect sorting of replicas in SimpleStrategy.calculateNaturalReplicas (CASSANDRA-14862) http://git-wip-us.apache.org/repos/asf/cassandra/blob/f46762ee/conf/cassandra.yaml ---------------------------------------------------------------------- 
diff --git a/conf/cassandra.yaml b/conf/cassandra.yaml index 0a92d4c..2d5cdd3 100644 --- a/conf/cassandra.yaml +++ b/conf/cassandra.yaml @@ -1232,7 +1232,7 @@ audit_logging_options: logger: BinAuditLogger # audit_logs_dir: # included_keyspaces: - # excluded_keyspaces: + # excluded_keyspaces: system, system_schema, system_virtual_schema # included_categories: # excluded_categories: # included_users: http://git-wip-us.apache.org/repos/asf/cassandra/blob/f46762ee/doc/source/operating/audit_logging.rst ---------------------------------------------------------------------- diff --git a/doc/source/operating/audit_logging.rst b/doc/source/operating/audit_logging.rst index b073f1a..6cfd141 100644 --- a/doc/source/operating/audit_logging.rst +++ b/doc/source/operating/audit_logging.rst @@ -69,7 +69,7 @@ cassandra.yaml configurations for AuditLog - ``logger``: Class name of the logger/ custom logger. - ``audit_logs_dir``: Auditlogs directory location, if not set, default to `cassandra.logdir.audit` or `cassandra.logdir` + /audit/ - ``included_keyspaces``: Comma separated list of keyspaces to be included in audit log, default - includes all keyspaces - - ``excluded_keyspaces``: Comma separated list of keyspaces to be excluded from audit log, default - excludes no keyspace + - ``excluded_keyspaces``: Comma separated list of keyspaces to be excluded from audit log, default - excludes no keyspace except `system`, `system_schema` and `system_virtual_schema` - ``included_categories``: Comma separated list of Audit Log Categories to be included in audit log, default - includes all categories - ``excluded_categories``: Comma separated list of Audit Log Categories to be excluded from audit log, default - excludes no category - ``included_users``: Comma separated list of users to be included in audit log, default - includes all users 
@@ -96,7 +96,10 @@ Options ``--excluded-keyspaces`` Comma separated list of keyspaces to be excluded for audit log. If - not set the value from cassandra.yaml will be used + not set the value from cassandra.yaml will be used. + Please remeber that `system`, `system_schema` and `system_virtual_schema` are excluded by default, + if you are overwriting this option via nodetool, + remember to add these keyspaces back if you dont want them in audit logs ``--excluded-users`` Comma separated list of users to be excluded for audit log. If not http://git-wip-us.apache.org/repos/asf/cassandra/blob/f46762ee/src/java/org/apache/cassandra/audit/AuditLogManager.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/audit/AuditLogManager.java b/src/java/org/apache/cassandra/audit/AuditLogManager.java index 041bdee..d11eaa0 100644 --- a/src/java/org/apache/cassandra/audit/AuditLogManager.java +++ b/src/java/org/apache/cassandra/audit/AuditLogManager.java @@ -122,19 +122,13 @@ public class AuditLogManager return fullQueryLogger.enabled(); } - private boolean isSystemKeyspace(String keyspaceName) - { - return SchemaConstants.isLocalSystemKeyspace(keyspaceName); - } - /** * Logs AuditLogEntry to standard audit logger * @param logEntry AuditLogEntry to be logged */ private void logAuditLoggerEntry(AuditLogEntry logEntry) { - if ((logEntry.getKeyspace() == null || !isSystemKeyspace(logEntry.getKeyspace())) - && !filter.isFiltered(logEntry)) + if (!filter.isFiltered(logEntry)) { auditLogger.log(logEntry); } http://git-wip-us.apache.org/repos/asf/cassandra/blob/f46762ee/src/java/org/apache/cassandra/audit/AuditLogOptions.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/audit/AuditLogOptions.java b/src/java/org/apache/cassandra/audit/AuditLogOptions.java index 3d0efa3..06577cc 100644 --- a/src/java/org/apache/cassandra/audit/AuditLogOptions.java 
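Review bot: With the `isSystemKeyspace` guard removed from `logAuditLoggerEntry`, exclusion of system keyspaces rests entirely on the `excluded_keyspaces` option, so any configuration that sets that option to its own list will start auditing `system` and `system_schema` traffic without any warning. The method's Javadoc should say so, for example `Logs the entry unless the configured filter rejects it; system keyspaces are skipped only when listed in excluded_keyspaces`. The old condition also short-circuited on `logEntry.getKeyspace() == null`; `filter.isFiltered` is not visible in this hunk, so it is worth confirming that it handles a null keyspace. The removed helper was the only use of `SchemaConstants` shown here and the diffstat lists no other change to this file, so the import may now be unused. The class body continues outside the hunk.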
+++ b/src/java/org/apache/cassandra/audit/AuditLogOptions.java @@ -26,7 +26,8 @@ public class AuditLogOptions extends BinLogOptions public volatile boolean enabled = false; public String logger = BinAuditLogger.class.getSimpleName(); public String included_keyspaces = StringUtils.EMPTY; - public String excluded_keyspaces = StringUtils.EMPTY; + // CASSANDRA-14498: By default, system, system_schema and system_virtual_schema are excluded, but these can be included via cassandra.yaml + public String excluded_keyspaces = "system,system_schema,system_virtual_schema"; public String included_categories = StringUtils.EMPTY; public String excluded_categories = StringUtils.EMPTY; public String included_users = StringUtils.EMPTY; http://git-wip-us.apache.org/repos/asf/cassandra/blob/f46762ee/test/unit/org/apache/cassandra/audit/AuditLoggerTest.java ---------------------------------------------------------------------- diff --git a/test/unit/org/apache/cassandra/audit/AuditLoggerTest.java b/test/unit/org/apache/cassandra/audit/AuditLoggerTest.java index 40eadf8..ac73504 100644 --- a/test/unit/org/apache/cassandra/audit/AuditLoggerTest.java +++ b/test/unit/org/apache/cassandra/audit/AuditLoggerTest.java 
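Review bot: The new comment on `excluded_keyspaces` mentions only cassandra.yaml, but the documentation hunk in this commit says nodetool's `--excluded-keyspaces` also overrides the value, and in both cases the supplied list replaces the default instead of extending it. I would reword it to `// CASSANDRA-14498: system, system_schema and system_virtual_schema are excluded by default; a value set in cassandra.yaml or via nodetool replaces this list, it is not merged with it`. The same three names are now repeated as literals here, in the cassandra.yaml comment, in the docs and in SettingsTableTest, so a named constant would keep them from drifting apart. Keyspaces outside this list are audited by default, which is presumably intended for an audit trail but deserves a word in the comment.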
@@ -588,6 +588,39 @@ public class AuditLoggerTest extends CQLTester assertEquals(0, ((InMemoryAuditLogger) AuditLogManager.getInstance().getLogger()).inMemQueue.size()); } + @Test + public void testIncludeSystemKeyspaces() throws Throwable + { + AuditLogOptions options = new AuditLogOptions(); + options.included_categories = "QUERY,DML,PREPARE"; + options.excluded_keyspaces = "system_schema"; + enableAuditLogOptions(options); + + Session session = sessionNet(); + String cql = "SELECT * FROM system.local limit 2"; + ResultSet rs = session.execute(cql); + + assertEquals (1,((InMemoryAuditLogger) AuditLogManager.getInstance().getLogger()).inMemQueue.size()); + AuditLogEntry logEntry = ((InMemoryAuditLogger) AuditLogManager.getInstance().getLogger()).inMemQueue.poll(); + assertLogEntry(cql, "local",AuditLogEntryType.SELECT,logEntry,false, "system"); + assertEquals (0,((InMemoryAuditLogger) AuditLogManager.getInstance().getLogger()).inMemQueue.size()); + } + + @Test + public void testExcludeSystemKeyspaces() throws Throwable + { + AuditLogOptions options = new AuditLogOptions(); + options.included_categories = "QUERY,DML,PREPARE"; + options.excluded_keyspaces = "system"; + enableAuditLogOptions(options); + + Session session = sessionNet(); + String cql = "SELECT * FROM system.local limit 2"; + ResultSet rs = session.execute(cql); + + assertEquals (0,((InMemoryAuditLogger) AuditLogManager.getInstance().getLogger()).inMemQueue.size()); + } + /** * Helper methods for Audit Log CQL Testing */ http://git-wip-us.apache.org/repos/asf/cassandra/blob/f46762ee/test/unit/org/apache/cassandra/db/virtual/SettingsTableTest.java ---------------------------------------------------------------------- diff --git a/test/unit/org/apache/cassandra/db/virtual/SettingsTableTest.java b/test/unit/org/apache/cassandra/db/virtual/SettingsTableTest.java index 927835f..3e56661 100644 --- a/test/unit/org/apache/cassandra/db/virtual/SettingsTableTest.java 
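Review bot: Neither new test exercises the new default, because both `testIncludeSystemKeyspaces` and `testExcludeSystemKeyspaces` assign `options.excluded_keyspaces` explicitly. The only coverage of the default is the string comparison in SettingsTableTest, which does not show that a query against `system` is actually dropped from the audit log. A third test that leaves `excluded_keyspaces` untouched would pin that behaviour. The local `ResultSet rs` is unused in both tests, and `assertEquals (1,((` is spaced differently from the `assertEquals(0, ((` context line above. The test class continues outside the hunk.

```java
// … unchanged: testIncludeSystemKeyspaces, testExcludeSystemKeyspaces …

@Test
public void testSystemKeyspacesExcludedByDefault() throws Throwable
{
    AuditLogOptions options = new AuditLogOptions();
    options.included_categories = "QUERY,DML,PREPARE";
    // excluded_keyspaces is deliberately left at its default value
    enableAuditLogOptions(options);

    Session session = sessionNet();
    session.execute("SELECT * FROM system.local limit 2");

    assertEquals(0, ((InMemoryAuditLogger) AuditLogManager.getInstance().getLogger()).inMemQueue.size());
}
```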
+++ b/test/unit/org/apache/cassandra/db/virtual/SettingsTableTest.java @@ -196,7 +196,7 @@ public class SettingsTableTest extends CQLTester config.audit_logging_options.included_keyspaces = "included_keyspaces"; check(pre + "included_keyspaces", "included_keyspaces"); - check(pre + "excluded_keyspaces", ""); + check(pre + "excluded_keyspaces", "system,system_schema,system_virtual_schema"); config.audit_logging_options.excluded_keyspaces = "excluded_keyspaces"; check(pre + "excluded_keyspaces", "excluded_keyspaces"); --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org