Support audit ignore policy by actions (elastic#67477)
* Support audit ignore policy by index privileges

Adding new audit ignore policy - privileges
For example, the following policy will filter out all events whose action's
minimal required privilege is either "read" or "delete":

xpack.security.audit.logfile.events.ignore_filters:
  example:
    privileges: ["read", "delete"]

Resolve: elastic#60877
Related: elastic#10836
Related: elastic#37148

* Support audit ignore policy by index privileges

Adding new audit ignore policy - privileges
For example, the following policy will filter out all events whose action's
required privilege is either "read" or "delete":

xpack.security.audit.logfile.events.ignore_filters:
  example:
    privileges: ["read", "delete"]

Resolve: elastic#60877
Related: elastic#10836
Related: elastic#37148

* To avoid ambiguity (as cluster and index policies may have the same
name), changing the implementation to have two separate policies for
`index_privileges` and `cluster_privileges`.
If both are set for the same policy, throw an IllegalArgumentException.

* To avoid ambiguity (as cluster and index policies may have the same
name), changing the implementation to have two separate policies for
`index_privileges` and `cluster_privileges`.
If both are set for the same policy, throw an IllegalArgumentException.

* Fixing the API key related privilege check, which expects a request and
authentication, by introducing an overloaded version of
findPrivilegesThatGrant that just checks which privileges can grant the
action regardless of the request and authentication context.

* Fixing a test; adding a caching mechanism to avoid calling
findPrivilegesThatGrant each time.

* Support audit ignore policy by index privileges

Addressing review feedback

* Support audit ignore policy by index privileges

Addressing review comments + changing approach:
- use permission check instead of simple "checkIfGrants"
- adding more testing

* Support audit ignore policy by index privileges

Addressing review comments + changing approach:
- use permission check instead of simple "checkIfGrants"
- adding more testing

* Support audit ignore policy by index privileges

Addressing review comments + changing approach:
- use permission check instead of simple "checkIfGrants"
- adding more testing

* Support audit ignore policy by index privileges

Addressing review comments + changing approach:
- use permission check instead of simple "checkIfGrants"
- adding more testing

* Revert "Support audit ignore policy by index privileges"

This reverts commit 152821e

* Revert "Support audit ignore policy by index privileges"

This reverts commit 79649e9

* Revert "Support audit ignore policy by index privileges"

This reverts commit 96d22a4

* Revert "Support audit ignore policy by index privileges"

This reverts commit 67574b2

* Revert "Support audit ignore policy by index privileges"

This reverts commit 35573c8

* Revert "Fixing a test; adding a caching mechanism to avoid calling findPrivilegesThatGrant each  time."

This reverts commit 7faa52f

* Revert "Fixing Api key related privilege check which expects request and authentication by introducing overloaded version of findPrivilegesThatGrant just checking if privileges which can grant the action regardless of the  request and authentication context."

This reverts commit 72b9aef

* Revert "To avoid ambiguity (as cluster and index policies may have the same name) changing implementation to have to separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException."

This reverts commit 7dd8fe7

* Revert "To avoid ambiguity (as cluster and index policies may have the same name) changing implementation to have to separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException."

This reverts commit cb5bc09

* Revert "Support audit ignore policy by index privileges"

This reverts commit a918da1

* Support audit ignore policy by actions

Getting back to action filtering

* Support audit ignore policy by actions

Cleaning up some tests

* Support audit ignore policy by actions

Cleaning up some tests

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2 people authored and easyice committed Mar 25, 2021
1 parent 393eca1 commit 15e7610
Showing 5 changed files with 466 additions and 60 deletions.
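To make the effect of the new `actions` filter concrete, the following is an added example written for this page (it is not code from the Elasticsearch project and is not part of the commit). It simulates how a set of `ignore_filters` policies decides which audit events get written. Two things are assumptions for the simulation, not facts taken from the commit: that a policy matches when every attribute it lists matches the event (AND within a policy) and an event is dropped when any policy matches (OR across policies), and that list values are evaluated as whole-string regular expressions via Python's `re.fullmatch`, standing in for the Lucene regex syntax the real settings use. The sample policies and events are constructed.

```python
import re

# Policy keys as written under xpack.security.audit.logfile.events.ignore_filters.<policy>,
# mapped to the audit-event field they are compared against (assumed mapping for this example).
POLICY_FIELD_TO_EVENT_FIELD = {
    "users": "user",
    "realms": "realm",
    "roles": "roles",
    "indices": "indices",
    "actions": "action",
}

# Constructed policies in the shape of the commit's ignore_filters example.
POLICIES = {
    # Drop read-only data traffic from native-realm users (noise reduction).
    "noisy_reads": {
        "actions": [r"indices:data/read/.*"],
        "realms": ["native"],
    },
    # Drop the Kibana system user's activity on its own indices.
    "kibana_system": {
        "users": ["kibana_system"],
        "indices": [r"\.kibana.*"],
    },
}

# Constructed audit events, reduced to the fields the filters look at.
SAMPLE_EVENTS = [
    {"user": "alice", "realm": "native", "action": "indices:data/read/search", "indices": ["logs-1"]},
    {"user": "alice", "realm": "native", "action": "indices:data/write/index", "indices": ["logs-1"]},
    {"user": "kibana_system", "realm": "reserved", "action": "indices:data/read/get", "indices": [".kibana_1"]},
    {"user": "bob", "realm": "native", "action": "cluster:admin/settings/update", "indices": []},
]

# A deliberately over-broad policy: a catch-all action pattern mutes the whole log.
BROAD_POLICY = {"mute_everything": {"actions": [r".*"]}}


def _values_match(patterns, value):
    """True when the event value is fully covered by the patterns.

    A scalar must match some pattern; a list (roles, indices) matches only if every
    element matches some pattern. An absent or empty value never matches, so a policy
    that constrains a field the event does not carry cannot match it (assumption).
    """
    values = value if isinstance(value, list) else [value]
    if not values:
        return False
    return all(any(re.fullmatch(p, v) for p in patterns) for v in values)


def policy_matches(policy, event):
    """AND within a policy: every attribute the policy specifies must match the event."""
    for key, patterns in policy.items():
        field = POLICY_FIELD_TO_EVENT_FIELD[key]
        if not _values_match(patterns, event.get(field, [])):
            return False
    return True


def matching_policy(policies, event):
    """Name of the first policy that matches the event, or None if it would be logged."""
    for name, policy in policies.items():
        if policy_matches(policy, event):
            return name
    return None


def filter_audit_log(policies, events):
    """OR across policies: keep only the events no policy matches, preserving order."""
    return [e for e in events if matching_policy(policies, e) is None]


def kept_actions(policies, events):
    """Convenience view for reviewing a policy set: the actions that still get audited."""
    return [e["action"] for e in filter_audit_log(policies, events)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['action']:35} -> {matching_policy(POLICIES, event) or 'logged'}")
    print("still audited under POLICIES:", kept_actions(POLICIES, SAMPLE_EVENTS))
    print("still audited under BROAD_POLICY:", kept_actions(BROAD_POLICY, SAMPLE_EVENTS))
```

Running `kept_actions` against a handful of representative events, including the privileged cluster-admin one, is a cheap check to run before deploying an `actions` pattern: in the sample above the two scoped policies leave the write and the settings-update events in the log, while the catch-all pattern silences all four.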
9 changes: 9 additions & 0 deletions docs/reference/settings/audit-settings.asciidoc
@@ -149,6 +149,15 @@ A list of authentication realm names or wildcards. The specified policy will
not print audit events for users in these realms.
// end::xpack-sa-lf-events-ignore-realms-tag[]

[[xpack-sa-lf-events-ignore-actions]]
// tag::xpack-sa-lf-events-ignore-actions-tag[]
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.actions`::
(<<dynamic-cluster-setting,Dynamic>>)
A list of action names or wildcards. Action name can be found in the `action`
field of the audit event. The specified policy will not print audit events
for actions matching these values.
// end::xpack-sa-lf-events-ignore-actions-tag[]

[[xpack-sa-lf-events-ignore-roles]]
// tag::xpack-sa-lf-events-ignore-roles-tag[]
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.roles`::
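Review bot: the new `actions` entry does not state what syntax its list values use, while the test hunk below feeds `invalidLuceneRegex` into `...ignore_filters.invalid.actions` and expects rejection, so the values are evaluated as Lucene regular expressions exactly like the sibling `users`, `realms`, `roles` and `indices` filters; say so in the docs, mirroring the wording of those entries, because a permissive pattern on actions mutes every audited operation that matches it, cluster-admin and security API calls included, and operators should understand the scope before using a wildcard here. Minor wording: "Action name can be found in the `action` field" reads better as "The action name can be found in the `action` field".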
@@ -96,7 +96,8 @@ public void testInvalidFilterSettings() throws Exception {
final String[] allSettingsKeys = new String[] { "xpack.security.audit.logfile.events.ignore_filters.invalid.users",
"xpack.security.audit.logfile.events.ignore_filters.invalid.realms",
"xpack.security.audit.logfile.events.ignore_filters.invalid.roles",
"xpack.security.audit.logfile.events.ignore_filters.invalid.indices" };
"xpack.security.audit.logfile.events.ignore_filters.invalid.indices",
"xpack.security.audit.logfile.events.ignore_filters.invalid.actions"};
settingsBuilder.put(randomFrom(allSettingsKeys), invalidLuceneRegex);
final IllegalArgumentException e = expectThrows(IllegalArgumentException.class,
() -> client().admin().cluster().prepareUpdateSettings().setTransientSettings(settingsBuilder.build()).get());
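Review bot: style nit on the new array element: `"...ignore_filters.invalid.actions"};` drops the space before the closing brace that the replaced line `"...ignore_filters.invalid.indices" };` had, so keep `" };` for consistency with the surrounding code. On coverage, `randomFrom(allSettingsKeys)` exercises only one key per run, so the invalid-regex rejection path for `.actions` is hit in roughly one run in five; if the intent is to guarantee every filter key rejects a bad pattern, iterate over all keys in the test body instead of picking one at random.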
@@ -223,6 +224,12 @@ private static Settings randomFilterPolicySettings(String policyName) {
final List<String> filteredIndices = randomNonEmptyListOfFilteredNames();
settingsBuilder.putList("xpack.security.audit.logfile.events.ignore_filters." + policyName + ".indices", filteredIndices);
}
if (randomBoolean()) {
// filter by actions
final List<String> filteredActions = randomNonEmptyListOfFilteredNames();
settingsBuilder.putList("xpack.security.audit.logfile.events.ignore_filters." + policyName + ".actions",
filteredActions);
}
} while (settingsBuilder.build().isEmpty());

assertFalse(settingsBuilder.build().isEmpty());
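Review bot: the `putList` call for `".actions"` is split across two lines while the identical call for `".indices"` directly above fits on one; join it so the two branches read the same. The branch reuses `randomNonEmptyListOfFilteredNames()`, so the generated action filters have the same shape as index names, which is fine for the settings round-trip this helper feeds but means no test here matches a value shaped like a real action name (colon- and slash-separated); a small dedicated generator would make the `actions` branch meaningful if the matching logic is tested through this helper later.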