HDDS-6525. Add audit log for S3Gateway

[symious]

What changes were proposed in this pull request?

Currently There is no audit log for S3gateway.

This ticket is to add audit log for S3gateway

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-6525

How was this patch tested?

unit test.

[symious]

@adoroszlai @ferhui Could you help to review this PR?

[adoroszlai]

Thanks @symious for working on this.

[symious]

@adoroszlai Thank you for the detailed review.

Fixed with the comments except the default value one.
I was thinking to compare the value with defaultValue, but seems it's possible for users to use a value same as defaultValue.

[adoroszlai]

Thanks @symious for updating the patch.

There is a compile error after conflict resolution:

Error:  /home/runner/work/ozone/ozone/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/endpoint/BucketEndpoint.java:[114,20] cannot find symbol
  symbol:   variable browser
  location: class org.apache.hadoop.ozone.s3.endpoint.BucketEndpoint

[symious]

Updated, please have a look.

[adoroszlai]

Thanks @symious for updating the patch. LGTM. Can you please resolve the conflict?

[symious]

@adoroszlai Conflict solved, please have a look.

[adoroszlai]

Thanks @symious for the contribution, @ferhui for the review.

[symious]

@adoroszlai @ferhui Thanks for the review.

[kerneltime]

What is the rational for picking x-real-ip first before x-forwarded-for
For the purpose of auditing it might make sense to include both.

[symious]

Tried to find some comparisions, but can not find any definite answers:

1. X-Real-IP should probably be preferred over X-Forwarded-For in _extraClientIP directive? akka/akka-http#1670 (comment).

It seems that even though the leftmost value of X-Forwarded-For is generally the original client IP address, this is not universally so, and there exist modules for at least Apache and Nginx web servers to provide the correct resolution of the client IP address and setting it as the X-Real-IP value.

2. https://onefeed.xyz/posts/x-forwarded-for-vs-x-real-ip.html

It denpends on how much you know the network between the client and the server, and how much you trust these headers.
However, since any proxy can modify/add these headers freely, there is no guarantee the IP is of a real client.

[kerneltime]

I think for purposes of audit trail it makes sense to capture as many details as possible.

[symious]

Is this for adding both header's IP in audit log?
Currently the audit log has one field to record IP, if added multi IPs in one field, might incur some errors when users are operating on this field.

[kerneltime]

For audit purposes, it makes sense to capture the entire query sent and doing it centrally once similar to how the client IP is calculated. It will help identify bad clients who are not setting the correct params.

[symious]

Sure, I updated the generation of the audit params in a new ticket: #3325.

Could you help to check?