Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CDAP-21105] Collecting Audit Log Meta Data independently at ACH's readChannel's finally and AuditLogSetterHook. And Create AuditLogRequest in write/close call. #15790

Merged
merged 1 commit into from
Jan 13, 2025

Conversation

sahusanket
Copy link
Contributor

@sahusanket sahusanket commented Jan 3, 2025

The Existing flow / Expectation :

ABCHttpHandler (gets AuditLogs in SecurityRequestContext[SRC] )
-> AuditLogSetterHook (populates Metadata + gets AuditLogs from SRC and creates AuditLogReq and sets in SRC)
--> AuthChannelHandler#readChannel's Finally (Sets the AuditLogRequest in Attribute of channel)
---> AuthChannelHandler#write (gets the AuditLogRequest from Attribute of channel and publishes)

Problem incase of ArtifactHttpHandler#addArtifact:

The AuditLogSetterHook is called after AuthChannelHandler#readChannel's Finally

ArtifactHttpHandler (gets AuditLogs in SecurityRequestContext[SRC] )
-> AuthChannelHandler#readChannel's Finally (Sets the AuditLogRequest in Attribute of channel BUT THIS IS NULL)
--> AuditLogSetterHook (populates Metadata + gets AuditLogs from SRC and creates AuditLogReq and sets in SRC)
---> AuthChannelHandler#write (gets the AuditLogRequest from Attribute of channel and publishes)

The Fix :

Independently Collect info in AuditLogSetterHook and AuthChannelHandler#readChannel's Finally and Later construct the AuditLogRequest by collecting info stored by above methods.

Testing :

  • validated that audit logs are published in DEV ENV of googlecloud for AddArtifact / Createnamespace.

@sahusanket sahusanket self-assigned this Jan 3, 2025
@sahusanket sahusanket added the build Triggers github actions build label Jan 3, 2025
@sahusanket sahusanket force-pushed the CDAP-21105_fix_addArtifact_auditlog branch 6 times, most recently from c694c25 to 34bdaa7 Compare January 7, 2025 11:35
@sahusanket sahusanket requested a review from tivv January 7, 2025 15:28
/**
* Sets
* Sets audit log metadata to {@link SecurityRequestContext}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please fix checkstyles

endTime
)
);
SecurityRequestContext.setAuditMetaDataInMap(AuditLogRequest.PropKey.OP_RESP_CODE, status.code());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please create a builder class for AutditLogRequest and use it here? It would be much better than using a Map. You can have different methods set different fields in the builder and later you just call build.

@sahusanket sahusanket force-pushed the CDAP-21105_fix_addArtifact_auditlog branch from 842a8a3 to 2628ce9 Compare January 8, 2025 06:23
Copy link
Contributor

@tivv tivv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with minor comments

auditLogWriter.publish((AuditLogRequest) auditLogRequestObj);
ctx.channel().attr(AttributeKey.valueOf(AUDIT_LOG_REQ_ATTR_NAME)).set(null);
AuditLogRequest auditLogRequest = getAuditLogRequest(ctx);
if (auditLoggingEnabled && auditLogRequest != null ) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you skip getAuditLogRequest work if it's not enabled?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@@ -118,31 +121,35 @@ public void testWriteWithAuditLogging() throws Exception {
public void testCloseWithAuditLogging() throws Exception {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please add a test with other order of the calls, so that we test the use ca that was failing?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added for both cases.

@sahusanket sahusanket force-pushed the CDAP-21105_fix_addArtifact_auditlog branch from 2628ce9 to 2d8d092 Compare January 10, 2025 09:30
…adChannel's finally and AuditLogSetterHook. And Create AuditLogRequest in write/close call.
@sahusanket sahusanket force-pushed the CDAP-21105_fix_addArtifact_auditlog branch from 2d8d092 to 2044739 Compare January 10, 2025 14:49
@sahusanket sahusanket merged commit e45af1b into develop Jan 13, 2025
8 of 9 checks passed
@sahusanket sahusanket deleted the CDAP-21105_fix_addArtifact_auditlog branch January 13, 2025 09:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
build Triggers github actions build
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants