save

apache · Dec 8, 2022 · 34028bf · 34028bf
1 parent 0df4381
commit 34028bf
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 16 deletions.
diff --git a/...c/main/scala/org/apache/kyuubi/server/http/authentication/AuthenticationAuditLogger.scala b/...c/main/scala/org/apache/kyuubi/server/http/authentication/AuthenticationAuditLogger.scala
@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.server.http.authentication
+
+import javax.servlet.http.{HttpServletRequest, HttpServletResponse}
+
+import org.apache.kyuubi.Logging
+import org.apache.kyuubi.server.http.authentication.AuthenticationFilter.{HTTP_CLIENT_IP_ADDRESS, HTTP_CLIENT_USER_NAME, HTTP_PROXY_HEADER_CLIENT_IP_ADDRESS}
+
+object AuthenticationAuditLogger extends Logging {
+  final val AUDIT_BUFFER = new ThreadLocal[StringBuilder]() {
+    override protected def initialValue: StringBuilder = new StringBuilder()
+  }
+
+  def audit(request: HttpServletRequest, response: HttpServletResponse): Unit = {
+    val sb = AUDIT_BUFFER.get()
+    sb.setLength(0)
+    sb.append(s"user=${HTTP_CLIENT_USER_NAME.get()}").append("\t")
+    sb.append(s"ip=${HTTP_CLIENT_IP_ADDRESS.get()}").append("\t")
+    sb.append(s"proxyIp=${HTTP_PROXY_HEADER_CLIENT_IP_ADDRESS.get()}").append("\t")
+    sb.append(s"method=${request.getMethod}").append("\t")
+    sb.append(s"uri=${request.getRequestURI}").append("\t")
+    sb.append(s"protocol=${request.getProtocol}").append("\t")
+    sb.append(s"status=${response.getStatus}")
+    info(sb.toString())
+  }
+}
diff --git a/...er/src/main/scala/org/apache/kyuubi/server/http/authentication/AuthenticationFilter.scala b/...er/src/main/scala/org/apache/kyuubi/server/http/authentication/AuthenticationFilter.scala
@@ -106,27 +106,29 @@ class AuthenticationFilter(conf: KyuubiConf) extends Filter with Logging {
 
     val authorization = httpRequest.getHeader(AUTHORIZATION_HEADER)
     val matchedHandler = getMatchedHandler(authorization).orNull
+    HTTP_CLIENT_IP_ADDRESS.set(httpRequest.getRemoteAddr)
+    HTTP_PROXY_HEADER_CLIENT_IP_ADDRESS.set(
+      httpRequest.getHeader(conf.get(FRONTEND_PROXY_HTTP_CLIENT_IP_HEADER)))
 
     if (matchedHandler == null) {
       debug(s"No auth scheme matched for url: ${httpRequest.getRequestURL}")
       httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED)
+      AuthenticationAuditLogger.audit(httpRequest, httpResponse)
       httpResponse.sendError(
         HttpServletResponse.SC_UNAUTHORIZED,
         s"No auth scheme matched for $authorization")
     } else {
-      HTTP_CLIENT_IP_ADDRESS.set(httpRequest.getRemoteAddr)
-      HTTP_PROXY_HEADER_CLIENT_IP_ADDRESS.set(
-        httpRequest.getHeader(conf.get(FRONTEND_PROXY_HTTP_CLIENT_IP_HEADER)))
       try {
         val authUser = matchedHandler.authenticate(httpRequest, httpResponse)
         if (authUser != null) {
           HTTP_CLIENT_USER_NAME.set(authUser)
           doFilter(filterChain, httpRequest, httpResponse)
         }
+        AuthenticationAuditLogger.audit(httpRequest, httpResponse)
       } catch {
         case e: AuthenticationException =>
           httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN)
-          auditHttpRequest(httpRequest, httpResponse)
+          AuthenticationAuditLogger.audit(httpRequest, httpResponse)
           HTTP_CLIENT_USER_NAME.remove()
           HTTP_CLIENT_IP_ADDRESS.remove()
           HTTP_PROXY_HEADER_CLIENT_IP_ADDRESS.remove()
@@ -178,15 +180,4 @@ object AuthenticationFilter extends Logging {
   def getUserProxyHeaderIpAddress: String = HTTP_PROXY_HEADER_CLIENT_IP_ADDRESS.get()
 
   def getUserName: String = HTTP_CLIENT_USER_NAME.get
-
-  def auditHttpRequest(request: HttpServletRequest, response: HttpServletResponse): Unit = {
-    info(Array(
-      s"user=${HTTP_CLIENT_USER_NAME.get()}",
-      s"ip=${request.getRemoteAddr}",
-      s"proxyIp=${HTTP_PROXY_HEADER_CLIENT_IP_ADDRESS.get()}",
-      s"method=${request.getMethod}",
-      s"uri=${request.getRequestURI}",
-      s"protocol=${request.getProtocol}",
-      s"status=${response.getStatus}").mkString("\t"))
-  }
 }
diff --git a/.../scala/org/apache/kyuubi/server/http/authentication/KyuubiHttpAuthenticationFactory.scala b/.../scala/org/apache/kyuubi/server/http/authentication/KyuubiHttpAuthenticationFactory.scala
@@ -77,7 +77,6 @@ class KyuubiHttpAuthenticationFactory(conf: KyuubiConf) {
             MetricsSystem.tracing { ms =>
               ms.decCount(REST_CONN_OPEN)
             }
-            AuthenticationFilter.auditHttpRequest(request, response)
             AuthenticationFilter.HTTP_CLIENT_USER_NAME.remove()
             AuthenticationFilter.HTTP_CLIENT_IP_ADDRESS.remove()
             AuthenticationFilter.HTTP_PROXY_HEADER_CLIENT_IP_ADDRESS.remove()