Add logging implementation for AuditManager and audit more endpoints

[kfaraz]

Description

This PR adds an implementation of AuditManager that simply logs the audit events instead of persisting them to metadata store.

Sample audit log

Setup

Authentication: none
druid.audit.manager.type=log

2023-12-08T14:20:07,403 WARN [qtp972079939-170] org.apache.druid.server.audit.AuditLogger - 
User[console], identity[allowAll], IP[127.0.0.1] performed action[rules]
 on key[inline_data] with comment[Load 2 replicas in the default tier].
 Request[null],
 payload[[{"tieredReplicants":{"_default_tier":2},"useDefaultTierForNull":true,"type":"loadForever"}]].

Changes

• Add log implementation for AuditManager alongwith SQLAuditManager
• LoggingAuditManager simply logs the audit event. Thus, it returns empty for all fetchAuditHistory calls
• Add new config druid.audit.manager.type which can take values log, sql (default)
• Add new config druid.audit.manager.logLevel which can take values DEBUG, INFO, WARN. This gets activated only if type is log.
• Remove usage of ConfigSerde from AuditManager as audit is not just limited to configs
• Add AuditSerdeHelper for a single implementation of serialization/deserialization of audit payload that can be used by different AuditManager implementations

How is audit performed

All existing and new audited REST API endpoints accept two headers X-Druid-Author and X-Druid-Comment which are being used to populate the audit info. The web-console currently passes console as the value for X-Druid-Author.

An alternative to this can be to extract the authentication result set as an attribute in the HttpServletRequest and invoke authenticationResult.getIdentity().

New audited endpoints

• Post a task type=ingestion.batch
• Mark segments as unused: type=markSegmentsAsUnused
• Kill segments: type=killSegments
• Create user in basic authenticator: type=basicAuth.createUser
• Delete user in basic authenticator: type=basicAuth.deleteUser
• Update user in basic authenticator: type=basicAuth.updateUserCreds

Release note

• Add new config druid.audit.manager.type which can take values log, sql(default). This allows audited events to either be logged or persisted in metadata store (default behaviour).
• Add new config druid.audit.manager.logLevel which allows users to set the log level of audit events and can take values DEBUG, INFO(default), WARN.

---

This PR has:

• been self-reviewed.
  • using the concurrency checklist (Remove this item if the PR doesn't have any relation to concurrency.)
• added documentation for new or modified features or behaviors.
• a release note entry in the PR description.
• added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
• added or updated version, license, or notice information in licenses.yaml
• added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
• added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
• added integration tests.
• been tested in a test Druid cluster.

[abhishekagarwal87]

maybe add a test with non-empty author to see that audit event does go through?

[abhishekagarwal87]

can the type name be standardized? E.g. serviceName.api-path

[kfaraz]

Yeah, that makes sense to me.

So would something like the following work?

• coordinator.markSegmentsUnused
• coordinator.basicAuth.createUser
• overlord.postTask
• overlord.killSegments

[kfaraz]

Added a field request in AuditEntry to contain the details of path, uri, method and service.

[abhishekagarwal87]

can we filter task submissions that were initiated by the system itself? E.g. compaction duty, MSQ controller task, etc?

[kfaraz]

Yes, this is already happening inside the respective audit impls, such as SQLAuditManager and LoggingAuditManager. We check if an audited event was started by an internal service (by checking the author field) and then audit that event only if system event auditing is enabled via config (false by default).

This is better than checking at each call site if the request was initiated by an internal service.

[abhishekagarwal87]

would this be valid for any auth extension?

[kfaraz]

Yes, because we would explicitly set this as the header value when using internal clients.

Currently, we are setting it only in OverlordClientImpl.runTask but we can choose do set it in other audited endpoints too, or better yet just always set it by default in any service client. What do you think?

[abhishekagarwal87]

So its possible for a user to bypass audit system if they set this header?

[abhishekagarwal87]

seems off that the log choice is added in this module. should this be moved to some other module?

[kfaraz]

Sure, let me put this in some other module.

[abhishekagarwal87]

is this needed? can we not rely on authenticated identity instead?

[kfaraz]

This seemed much easier to implement.

I encountered some issues with the other approach:

• The authenticated identity would depend on both auth impl and configuration. I couldn't find a definite way to determine the internal service identity. Basic auth creates the druid_system user but I don't see it being used in internal communication. (On second thought, let me see if I can pull the identity from the escalated client that is being injected)
• When there is no auth, all requests get the identity allowAll.
• When auth is enabled, a user could still use the internal druid service username/password to invoke an API and bypass the audit (This is technically still possible by setting the author header to this specific value but that is less likely to happen. This is one of the reasons I chose to include a config for auditing system requests too).

Please let me know your thoughts on this.

[abhishekagarwal87]

identity and author are KillCompactionConfig?

[kfaraz]

Thanks for catching this. Since we are revisiting auditing in this PR, I guess it would be better to use druid_system or something as the author instead.

[kfaraz]

Thanks for the review, @abhishekagarwal87 !
Merging since the IT failure is not caused by this set of change.

[xvrl]

@kfaraz the master build started failing for some middle-manager integration tests after merging your PR, could you take a look?

[kfaraz]

Yes, @xvrl , I am trying to debug that issue here #15561. It seems like a flaky test as it does seem to pass sometimes. But the flakiness has become pronounced after the changes in this auditing PR somehow.