Audit Logging for Extensions #5


@MaciejMierzwa MaciejMierzwa commented Jun 22, 2023

Description

Turn on audit logging in SecurityRestFilter that logs rest requests on endpoints registered by extensions.

  • Category (Enhancement)
  • Why these changes are required?
  • What is the old behavior before changes and new behavior after changes?
    The behavior before the changes was that audit logging wasn't performed. After the changes, REST requests are logged.

Issues Resolved

#2700

Testing

Manual testing was performed based on the examples provided in PR #2753, for task #2752.

Audit logging config:

{
    "_readonly": [],
    "config": {
        "enabled": true,
        "audit": {
            "ignore_users": [],
            "ignore_requests": [],
            "disabled_rest_categories": [],
            "disabled_transport_categories": [],
            "enable_transport": true,
            "enable_rest": true,
            "log_request_body": true,
            "resolve_indices": true,
            "resolve_bulk_requests": true,
            "exclude_sensitive_headers": true
        }
    }
}

Request/Response:

curl -XGET https://new-user:admin@localhost:9200/_extensions/_hw/hello --insecure
Hello, World

AuditLog:
[{ "_index": "security-auditlog-2023.06.22", "_id": "sOu-4ogByQU68dEm3NGb", "_score": null, "_source": { "audit_cluster_name": "opensearch", "audit_node_name": "maciej-Legion-5-15ACH6", "audit_rest_request_method": "GET", "audit_category": "GRANTED_PRIVILEGES", "audit_request_origin": "REST", "audit_node_id": "dwo7slt-SYiWN0z_aajNYQ", "audit_request_layer": "REST", "audit_rest_request_path": "/_extensions/_hw/hello", "@timestamp": "2023-06-22T10:55:39.163+00:00", "audit_format_version": 4, "audit_request_remote_address": "127.0.0.1", "audit_node_host_address": "127.0.0.1", "audit_rest_request_headers": { "x-http2-stream-id": [ "1" ], "host": [ "localhost:9200" ], "x-http2-scheme": [ "https" ], "user-agent": [ "curl/7.81.0" ], "accept": [ "*/*" ] }, "audit_request_effective_user": "new-user", "audit_node_host_name": "127.0.0.1" }, "sort": [ 1687431339163 ] }, { "_index": "security-auditlog-2023.06.22", "_id": "r-u-4ogByQU68dEm3NGa", "_score": null, "_source": { "audit_cluster_name": "opensearch", "audit_node_name": "maciej-Legion-5-15ACH6", "audit_request_initiating_user": "new-user", "audit_rest_request_method": "GET", "audit_category": "AUTHENTICATED", "audit_request_origin": "REST", "audit_node_id": "dwo7slt-SYiWN0z_aajNYQ", "audit_request_layer": "REST", "audit_rest_request_path": "/_extensions/_hw/hello", "@timestamp": "2023-06-22T10:55:39.161+00:00", "audit_request_effective_user_is_admin": false, "audit_format_version": 4, "audit_request_remote_address": "127.0.0.1", "audit_node_host_address": "127.0.0.1", "audit_rest_request_headers": { "x-http2-stream-id": [ "1" ], "host": [ "localhost:9200" ], "x-http2-scheme": [ "https" ], "user-agent": [ "curl/7.81.0" ], "accept": [ "*/*" ] }, "audit_request_effective_user": "new-user", "audit_node_host_name": "127.0.0.1" }, "sort": [ 1687431339161 ] }]

Request/Response:

curl -XPUT https://new-user:admin@localhost:9200/_extensions/_hw/hello/HW --insecure -H 'Content-Type: application/json' -d '{}'
Updated the world's name to HW

AuditLog:
[ { "_index": "security-auditlog-2023.06.22", "_id": "s-vF4ogByQU68dEmDdEg", "_score": null, "_source": { "audit_cluster_name": "opensearch", "audit_rest_request_params": { "name": "HW" }, "audit_node_name": "node_name", "audit_rest_request_method": "PUT", "audit_category": "GRANTED_PRIVILEGES", "audit_request_origin": "REST", "audit_request_body": "{}", "audit_node_id": "dwo7slt-SYiWN0z_aajNYQ", "audit_request_layer": "REST", "audit_rest_request_path": "/_extensions/_hw/hello/HW", "@timestamp": "timestamp", "audit_format_version": 4, "audit_request_remote_address": "127.0.0.1", "audit_node_host_address": "127.0.0.1", "audit_rest_request_headers": { "x-http2-stream-id": [ "1" ], "content-length": [ "2" ], "host": [ "localhost:9200" ], "x-http2-scheme": [ "https" ], "content-type": [ "application/json" ], "user-agent": [ "curl/7.81.0" ], "accept": [ "*/*" ] }, "audit_request_effective_user": "new-user", "audit_node_host_name": "127.0.0.1" }, "sort": [ 1687431744800 ] }, { "_index": "security-auditlog-2023.06.22", "_id": "tOvF4ogByQU68dEmDdEg", "_score": null, "_source": { "audit_cluster_name": "opensearch", "audit_rest_request_params": { "name": "HW" }, "audit_node_name": "node_name", "audit_request_initiating_user": "new-user", "audit_rest_request_method": "PUT", "audit_category": "AUTHENTICATED", "audit_request_origin": "REST", "audit_request_body": "{}", "audit_node_id": "dwo7slt-SYiWN0z_aajNYQ", "audit_request_layer": "REST", "audit_rest_request_path": "/_extensions/_hw/hello/HW", "@timestamp": "timestamp", "audit_request_effective_user_is_admin": false, "audit_format_version": 4, "audit_request_remote_address": "127.0.0.1", "audit_node_host_address": "127.0.0.1", "audit_rest_request_headers": { "x-http2-stream-id": [ "1" ], "content-length": [ "2" ], "host": [ "localhost:9200" ], "x-http2-scheme": [ "https" ], "content-type": [ "application/json" ], "user-agent": [ "curl/7.81.0" ], "accept": [ "*/*" ] }, "audit_request_effective_user": "new-user", "audit_node_host_name": "127.0.0.1" }, "sort": [ 1687431744799 ] }]

Request/Response:

curl -XGET https://new-user:admin@localhost:9200/_extensions/_hw/hello --insecure
Hello, HW!

AuditLog:
[ { "_index": "security-auditlog-2023.06.22", "_id": "uOvH4ogByQU68dEmNdES", "_score": null, "_source": { "audit_cluster_name": "opensearch", "audit_node_name": "node_name", "audit_rest_request_method": "GET", "audit_category": "GRANTED_PRIVILEGES", "audit_request_origin": "REST", "audit_node_id": "dwo7slt-SYiWN0z_aajNYQ", "audit_request_layer": "REST", "audit_rest_request_path": "/_extensions/_hw/hello", "@timestamp": "timestamp", "audit_format_version": 4, "audit_request_remote_address": "127.0.0.1", "audit_node_host_address": "127.0.0.1", "audit_rest_request_headers": { "x-http2-stream-id": [ "1" ], "host": [ "localhost:9200" ], "x-http2-scheme": [ "https" ], "user-agent": [ "curl/7.81.0" ], "accept": [ "*/*" ] }, "audit_request_effective_user": "new-user", "audit_node_host_name": "127.0.0.1" }, "sort": [ 1687431886098 ] }, { "_index": "security-auditlog-2023.06.22", "_id": "t-vH4ogByQU68dEmNdER", "_score": null, "_source": { "audit_cluster_name": "opensearch", "audit_node_name": "node_name", "audit_request_initiating_user": "new-user", "audit_rest_request_method": "GET", "audit_category": "AUTHENTICATED", "audit_request_origin": "REST", "audit_node_id": "dwo7slt-SYiWN0z_aajNYQ", "audit_request_layer": "REST", "audit_rest_request_path": "/_extensions/_hw/hello", "@timestamp": "timestamp", "audit_request_effective_user_is_admin": false, "audit_format_version": 4, "audit_request_remote_address": "127.0.0.1", "audit_node_host_address": "127.0.0.1", "audit_rest_request_headers": { "x-http2-stream-id": [ "1" ], "host": [ "localhost:9200" ], "x-http2-scheme": [ "https" ], "user-agent": [ "curl/7.81.0" ], "accept": [ "*/*" ] }, "audit_request_effective_user": "new-user", "audit_node_host_name": "127.0.0.1" }, "sort": [ 1687431886097 ] }]

Request/Response:

curl -XPOST https://new-user:admin@localhost:9200/_extensions/_hw/hello --insecure -H 'Content-Type: application/json' -d '{ }'
no permissions for [hw:greet_with_adjective] and User [name=new-user, backend_roles=[], requestedTenant=null]%

AuditLog:
[ { "_index": "security-auditlog-2023.06.22", "_id": "vOvI4ogByQU68dEmQ9Ha", "_score": null, "_source": { "audit_cluster_name": "opensearch", "audit_node_name": "node_name", "audit_rest_request_method": "POST", "audit_category": "MISSING_PRIVILEGES", "audit_request_origin": "REST", "audit_request_body": "{ }", "audit_node_id": "dwo7slt-SYiWN0z_aajNYQ", "audit_request_layer": "REST", "audit_rest_request_path": "/_extensions/_hw/hello", "@timestamp": "timestamp", "audit_format_version": 4, "audit_request_remote_address": "127.0.0.1", "audit_node_host_address": "127.0.0.1", "audit_rest_request_headers": { "x-http2-stream-id": [ "1" ], "content-length": [ "3" ], "host": [ "localhost:9200" ], "x-http2-scheme": [ "https" ], "content-type": [ "application/json" ], "user-agent": [ "curl/7.81.0" ], "accept": [ "*/*" ] }, "audit_request_effective_user": "new-user", "audit_node_host_name": "127.0.0.1" }, "sort": [ 1687431955417 ] }, { "_index": "security-auditlog-2023.06.22", "_id": "u-vI4ogByQU68dEmQ9HY", "_score": null, "_source": { "audit_cluster_name": "opensearch", "audit_node_name": "node_name", "audit_request_initiating_user": "new-user", "audit_rest_request_method": "POST", "audit_category": "AUTHENTICATED", "audit_request_origin": "REST", "audit_request_body": "{ }", "audit_node_id": "dwo7slt-SYiWN0z_aajNYQ", "audit_request_layer": "REST", "audit_rest_request_path": "/_extensions/_hw/hello", "@timestamp": "timestamp", "audit_request_effective_user_is_admin": false, "audit_format_version": 4, "audit_request_remote_address": "127.0.0.1", "audit_node_host_address": "127.0.0.1", "audit_rest_request_headers": { "x-http2-stream-id": [ "1" ], "content-length": [ "3" ], "host": [ "localhost:9200" ], "x-http2-scheme": [ "https" ], "content-type": [ "application/json" ], "user-agent": [ "curl/7.81.0" ], "accept": [ "*/*" ] }, "audit_request_effective_user": "new-user", "audit_node_host_name": "127.0.0.1" }, "sort": [ 1687431955416 ] }]
Request/Response:

// before performing this request, create the role mapping extension_hw_full -> new-user
curl -XPOST https://new-user:admin@localhost:9200/_extensions/_hw/hello --insecure -H 'Content-Type: application/json' -d '{ }'
{"worldAdjectives":["{ }"]}

AuditLog:
[{ "_index": "security-auditlog-2023.06.22", "_id": "fB714ogBq1SgHk27qmi9", "_score": null, "_source": { "audit_cluster_name": "opensearch", "audit_node_name": "node_name", "audit_rest_request_method": "POST", "audit_category": "GRANTED_PRIVILEGES", "audit_request_origin": "REST", "audit_request_body": "{ }", "audit_node_id": "dwo7slt-SYiWN0z_aajNYQ", "audit_request_layer": "REST", "audit_rest_request_path": "/_extensions/_hw/hello", "@timestamp": "timestamp", "audit_format_version": 4, "audit_request_remote_address": "127.0.0.1", "audit_node_host_address": "127.0.0.1", "audit_rest_request_headers": { "x-http2-stream-id": [ "1" ], "content-length": [ "3" ], "host": [ "localhost:9200" ], "x-http2-scheme": [ "https" ], "content-type": [ "application/json" ], "user-agent": [ "curl/7.81.0" ], "accept": [ "*/*" ] }, "audit_request_effective_user": "new-user", "audit_node_host_name": "127.0.0.1" }, "sort": [ 1687434930875 ] }, { "_index": "security-auditlog-2023.06.22", "_id": "ex714ogBq1SgHk27PGgf", "_score": null, "_source": { "audit_cluster_name": "opensearch", "audit_node_name": "node_name", "audit_request_initiating_user": "new-user", "audit_rest_request_method": "POST", "audit_category": "AUTHENTICATED", "audit_request_origin": "REST", "audit_request_body": "{ }", "audit_node_id": "dwo7slt-SYiWN0z_aajNYQ", "audit_request_layer": "REST", "audit_rest_request_path": "/_extensions/_hw/hello", "@timestamp": "timestamp", "audit_request_effective_user_is_admin": false, "audit_format_version": 4, "audit_request_remote_address": "127.0.0.1", "audit_node_host_address": "127.0.0.1", "audit_rest_request_headers": { "x-http2-stream-id": [ "1" ], "content-length": [ "3" ], "host": [ "localhost:9200" ], "x-http2-scheme": [ "https" ], "content-type": [ "application/json" ], "user-agent": [ "curl/7.81.0" ], "accept": [ "*/*" ] }, "audit_request_effective_user": "new-user", "audit_node_host_name": "127.0.0.1" }, "sort": [ 1687434893142 ] }]

Request/Response:

curl -XDELETE https://new-user:admin@localhost:9200/_extensions/_hw/goodbye --insecure
Goodbye, cruel world! Restored default values

AuditLog:
[{ "_index": "security-auditlog-2023.06.22", "_id": "gB7_4ogBq1SgHk27Lmi_", "_score": null, "_source": { "audit_cluster_name": "opensearch", "audit_node_name": "node_name", "audit_rest_request_method": "DELETE", "audit_category": "GRANTED_PRIVILEGES", "audit_request_origin": "REST", "audit_node_id": "dwo7slt-SYiWN0z_aajNYQ", "audit_request_layer": "REST", "audit_rest_request_path": "/_extensions/_hw/goodbye", "@timestamp": "timestamp", "audit_format_version": 4, "audit_request_remote_address": "127.0.0.1", "audit_node_host_address": "127.0.0.1", "audit_rest_request_headers": { "x-http2-stream-id": [ "1" ], "host": [ "localhost:9200" ], "x-http2-scheme": [ "https" ], "user-agent": [ "curl/7.81.0" ], "accept": [ "*/*" ] }, "audit_request_effective_user": "new-user", "audit_node_host_name": "127.0.0.1" }, "sort": [ 1687435554493 ] }, { "_index": "security-auditlog-2023.06.22", "_id": "fx7_4ogBq1SgHk27IGgh", "_score": null, "_source": { "audit_cluster_name": "opensearch", "audit_node_name": "node_name", "audit_request_initiating_user": "new-user", "audit_rest_request_method": "DELETE", "audit_category": "AUTHENTICATED", "audit_request_origin": "REST", "audit_node_id": "dwo7slt-SYiWN0z_aajNYQ", "audit_request_layer": "REST", "audit_rest_request_path": "/_extensions/_hw/goodbye", "@timestamp": "timestamp", "audit_request_effective_user_is_admin": false, "audit_format_version": 4, "audit_request_remote_address": "127.0.0.1", "audit_node_host_address": "127.0.0.1", "audit_rest_request_headers": { "x-http2-stream-id": [ "1" ], "host": [ "localhost:9200" ], "x-http2-scheme": [ "https" ], "user-agent": [ "curl/7.81.0" ], "accept": [ "*/*" ] }, "audit_request_effective_user": "new-user", "audit_node_host_name": "127.0.0.1" }, "sort": [ 1687435545536 ] }]

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Maciej Mierzwa <dev.maciej.mierzwa@gmail.com>
@MaciejMierzwa changed the title from "turn on audit logging" to "Audit Logging for Extensions" on Jun 22, 2023
} else {
// auditLog.logMissingPrivileges(action, request, task);
auditLog.logMissingPrivileges(route.name(), user.getName(), request);
Owner

Is there a difference in adding this route.name() here? Maybe I missed it in the logs you posted.

Author

You're right, it didn't do anything. It turns out this parameter wasn't used anywhere in one of the methods down the line. Added it in AbstractAuditLog and here's how the logs look now:
audit_request_privilege is logged correctly

{
                "_index": "security-auditlog-2023.06.23",
                "_id": "KJVs54gBDjJ9Ce5u7dZD",
                "_score": null,
                "_source": {
                    "audit_cluster_name": "opensearch",
                    "audit_node_name": "node",
                    "audit_rest_request_method": "POST",
                    "audit_category": "MISSING_PRIVILEGES",
                    "audit_request_origin": "REST",
                    "audit_request_body": "{ }",
                    "audit_node_id": "dwo7slt-SYiWN0z_aajNYQ",
                    "audit_request_layer": "REST",
                    "audit_rest_request_path": "/_extensions/_hw/hello",
                    "@timestamp": "2023-06-23T08:44:15.545+00:00",
                    "audit_format_version": 4,
                    "audit_request_remote_address": "127.0.0.1",
                    "audit_request_privilege": "hw:greet_with_adjective",
                    "audit_node_host_address": "127.0.0.1",
                    "audit_rest_request_headers": {
                        "x-http2-stream-id": [
                            "1"
                        ],
                        "content-length": [
                            "3"
                        ],
                        "host": [
                            "localhost:9200"
                        ],
                        "x-http2-scheme": [
                            "https"
                        ],
                        "content-type": [
                            "application/json"
                        ],
                        "user-agent": [
                            "curl/7.81.0"
                        ],
                        "accept": [
                            "*/*"
                        ]
                    },
                    "audit_request_effective_user": "new-user",
                    "audit_node_host_name": "127.0.0.1"
                },
                "sort": [
                    1687509855545
                ]
            },
            {
                "_index": "security-auditlog-2023.06.23",
                "_id": "J5Vs54gBDjJ9Ce5u7dZD",
                "_score": null,
                "_source": {
                    "audit_cluster_name": "opensearch",
                    "audit_node_name": "node",
                    "audit_request_initiating_user": "new-user",
                    "audit_rest_request_method": "POST",
                    "audit_category": "AUTHENTICATED",
                    "audit_request_origin": "REST",
                    "audit_request_body": "{ }",
                    "audit_node_id": "dwo7slt-SYiWN0z_aajNYQ",
                    "audit_request_layer": "REST",
                    "audit_rest_request_path": "/_extensions/_hw/hello",
                    "@timestamp": "2023-06-23T08:44:12.445+00:00",
                    "audit_request_effective_user_is_admin": false,
                    "audit_format_version": 4,
                    "audit_request_remote_address": "127.0.0.1",
                    "audit_node_host_address": "127.0.0.1",
                    "audit_rest_request_headers": {
                        "x-http2-stream-id": [
                            "1"
                        ],
                        "content-length": [
                            "3"
                        ],
                        "host": [
                            "localhost:9200"
                        ],
                        "x-http2-scheme": [
                            "https"
                        ],
                        "content-type": [
                            "application/json"
                        ],
                        "user-agent": [
                            "curl/7.81.0"
                        ],
                        "accept": [
                            "*/*"
                        ]
                    },
                    "audit_request_effective_user": "new-user",
                    "audit_node_host_name": "127.0.0.1"
                },
                "sort": [
                    1687509852445
                ]
            }

Signed-off-by: Maciej Mierzwa <dev.maciej.mierzwa@gmail.com>
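The audit documents posted in this PR (AUTHENTICATED, GRANTED_PRIVILEGES and MISSING_PRIVILEGES events on /_extensions/ routes, plus the audit_request_privilege field that the review comment found was not being propagated) are what a defender actually consumes from this feature. The following is an added example, not code from this PR or from the opensearch-project/security code base: a small Python triage script that reads audit documents in the shape shown on this page (either one `_source` object per line or a one-line array of search hits, as in the dumps above) and reports denied extension requests, authorization decisions that lack the checked privilege name, and authenticated requests with no recorded decision. The sample documents, the user `guest`, the address 10.0.0.5 and the privilege name `hw:greet` are constructed for the example.

```python
import json
from collections import Counter

EXTENSION_PREFIX = "/_extensions/"
DECISION_CATEGORIES = {"GRANTED_PRIVILEGES", "MISSING_PRIVILEGES"}

# Constructed sample: audit documents shaped like the `_source` objects in the
# PR's log dumps, trimmed to the fields the triage uses. `guest`, 10.0.0.5 and
# the privilege name `hw:greet` are invented for this example.
SAMPLE_AUDIT_NDJSON = "\n".join(json.dumps(d) for d in [
    # GET /_extensions/_hw/hello by new-user: authenticated, then granted
    {"audit_category": "AUTHENTICATED", "audit_request_layer": "REST",
     "audit_rest_request_method": "GET", "audit_rest_request_path": "/_extensions/_hw/hello",
     "audit_request_effective_user": "new-user", "audit_request_remote_address": "127.0.0.1"},
    {"audit_category": "GRANTED_PRIVILEGES", "audit_request_layer": "REST",
     "audit_rest_request_method": "GET", "audit_rest_request_path": "/_extensions/_hw/hello",
     "audit_request_effective_user": "new-user", "audit_request_remote_address": "127.0.0.1",
     "audit_request_privilege": "hw:greet"},
    # POST by new-user without the role mapping: denied, privilege name logged (post-fix shape)
    {"audit_category": "AUTHENTICATED", "audit_request_layer": "REST",
     "audit_rest_request_method": "POST", "audit_rest_request_path": "/_extensions/_hw/hello",
     "audit_request_effective_user": "new-user", "audit_request_remote_address": "127.0.0.1"},
    {"audit_category": "MISSING_PRIVILEGES", "audit_request_layer": "REST",
     "audit_rest_request_method": "POST", "audit_rest_request_path": "/_extensions/_hw/hello",
     "audit_request_effective_user": "new-user", "audit_request_remote_address": "127.0.0.1",
     "audit_request_privilege": "hw:greet_with_adjective"},
    # DELETE by another user: denied, but the privilege name is absent (pre-fix shape)
    {"audit_category": "MISSING_PRIVILEGES", "audit_request_layer": "REST",
     "audit_rest_request_method": "DELETE", "audit_rest_request_path": "/_extensions/_hw/goodbye",
     "audit_request_effective_user": "guest", "audit_request_remote_address": "10.0.0.5"},
    # Authenticated request whose authorization outcome was never recorded
    {"audit_category": "AUTHENTICATED", "audit_request_layer": "REST",
     "audit_rest_request_method": "PUT", "audit_rest_request_path": "/_extensions/_hw/hello/HW",
     "audit_request_effective_user": "guest", "audit_request_remote_address": "10.0.0.5"},
    # Non-extension REST request: must be ignored by the extension filter
    {"audit_category": "GRANTED_PRIVILEGES", "audit_request_layer": "REST",
     "audit_rest_request_method": "GET", "audit_rest_request_path": "/_cat/indices",
     "audit_request_effective_user": "admin", "audit_request_remote_address": "127.0.0.1"},
]) + "\nnot json at all\n"


def parse_audit_ndjson(text):
    """Parse audit documents, one JSON value per line; a line may be a single
    `_source` object, a full search hit, or an array of hits as in the PR dumps.
    Malformed lines are skipped so one bad line does not abort the triage."""
    docs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            parsed = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = parsed if isinstance(parsed, list) else [parsed]
        for hit in hits:
            if isinstance(hit, dict):
                docs.append(hit.get("_source", hit))
    return docs


def is_extension_rest_event(doc):
    """True for REST-layer events whose path is an extension route."""
    return (doc.get("audit_request_layer") == "REST"
            and str(doc.get("audit_rest_request_path", "")).startswith(EXTENSION_PREFIX))


def request_key(doc):
    """(user, method, path) identifies one request across its audit events."""
    return (doc.get("audit_request_effective_user"),
            doc.get("audit_rest_request_method"),
            doc.get("audit_rest_request_path"))


def summarize_extension_events(docs):
    """Count audit categories per extension route."""
    counts = Counter()
    for doc in docs:
        if is_extension_rest_event(doc):
            counts[(doc.get("audit_rest_request_path"), doc.get("audit_category"))] += 1
    return counts


def find_denied_extension_requests(docs):
    """MISSING_PRIVILEGES events on extension routes, with the privilege when it was logged."""
    return [{"user": d.get("audit_request_effective_user"),
             "method": d.get("audit_rest_request_method"),
             "path": d.get("audit_rest_request_path"),
             "privilege": d.get("audit_request_privilege"),
             "remote": d.get("audit_request_remote_address")}
            for d in docs
            if is_extension_rest_event(d) and d.get("audit_category") == "MISSING_PRIVILEGES"]


def find_decisions_without_privilege(docs):
    """Authorization decisions on extension routes that do not name the privilege
    that was checked; this is the gap the review comment found."""
    return [request_key(d) for d in docs
            if is_extension_rest_event(d)
            and d.get("audit_category") in DECISION_CATEGORIES
            and not d.get("audit_request_privilege")]


def find_unresolved_authentications(docs):
    """AUTHENTICATED events on extension routes with no GRANTED/MISSING decision for the same request."""
    decided = {request_key(d) for d in docs
               if is_extension_rest_event(d) and d.get("audit_category") in DECISION_CATEGORIES}
    return [request_key(d) for d in docs
            if is_extension_rest_event(d)
            and d.get("audit_category") == "AUTHENTICATED"
            and request_key(d) not in decided]


if __name__ == "__main__":
    docs = parse_audit_ndjson(SAMPLE_AUDIT_NDJSON)
    for (path, category), n in sorted(summarize_extension_events(docs).items()):
        print(f"{n:3d}  {category:<20} {path}")
    print("denied:", find_denied_extension_requests(docs))
    print("decisions without privilege:", find_decisions_without_privilege(docs))
    print("authenticated but undecided:", find_unresolved_authentications(docs))
```

Run it as a script for the report, or feed `parse_audit_ndjson` the `_search` hits of a `security-auditlog-*` index exported one hit per line. Pairing on (user, method, path) is deliberately coarse: the PR's events carry no per-request correlation id, so a request that was authenticated but never reached a GRANTED/MISSING decision can only be spotted by the absence of a matching decision, not joined exactly.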
@DarshitChanpura DarshitChanpura merged commit e7d10c7 into DarshitChanpura:authorize-rest-requests Jun 27, 2023
DarshitChanpura pushed a commit to opensearch-project/security that referenced this pull request Aug 7, 2023
### Description

Adding tests for
#2700, relevant PR:
DarshitChanpura#5. The goal is to test
audit logs hit in authorizeRequest() method from
SecurityRestFilterExtension class.
Issues Resolved:

#2700
### Testing
Integration testing added
### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff



Signed-off-by: Maciej Mierzwa <dev.maciej.mierzwa@gmail.com>