New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support audit ignore policy by actions #67477
Conversation
Adding new audit ignore policy - privileges For example, following policy will filter out all events, which actions minimal required privilege is either "read" or "delete": xpack.security.audit.logfile.events.ignore_filters: example: privileges: ["read", "delete"] Resolve: elastic#60877 Related: elastic#10836 Related: elastic#37148
Pinging @elastic/es-security (Team:Security) |
@elasticmachine update branch |
Adding new audit ignore policy - privileges For example, following policy will filter out all events, which actions required privilege is either "read" or "delete": xpack.security.audit.logfile.events.ignore_filters: example: privileges: ["read", "delete"] Resolve: elastic#60877 Related: elastic#10836 Related: elastic#37148
...security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
Outdated
Show resolved
Hide resolved
...security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
Outdated
Show resolved
Hide resolved
...security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
Show resolved
Hide resolved
@elasticmachine update branch |
@elasticmachine update branch |
name) changing implementation to have to separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException.
name) changing implementation to have to separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException.
authentication by introducing overloaded version of findPrivilegesThatGrant just checking if privileges which can grant the action regardless of the request and authentication context.
@elasticmachine update branch |
findPrivilegesThatGrant each time.
@elasticmachine update branch |
This reverts commit 79649e9
This reverts commit 96d22a4
This reverts commit 67574b2
This reverts commit 35573c8
…ndPrivilegesThatGrant each time." This reverts commit 7faa52f
…and authentication by introducing overloaded version of findPrivilegesThatGrant just checking if privileges which can grant the action regardless of the request and authentication context." This reverts commit 72b9aef
…e same name) changing implementation to have to separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException." This reverts commit 7dd8fe7
…e same name) changing implementation to have to separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException." This reverts commit cb5bc09
This reverts commit a918da1
Getting back to action filtering
new change makes most of the comments irrelevant, need new review
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM with only very small nits.
...security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
Outdated
Show resolved
Hide resolved
...c/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailFilterTests.java
Outdated
Show resolved
Hide resolved
...c/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailFilterTests.java
Outdated
Show resolved
Hide resolved
...c/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailFilterTests.java
Show resolved
Hide resolved
Cleaning up some tests
@elasticmachine update branch |
Cleaning up some tests
* Support audit ignore policy by index privileges Adding new audit ignore policy - privileges For example, following policy will filter out all events, which actions minimal required privilege is either "read" or "delete": xpack.security.audit.logfile.events.ignore_filters: example: privileges: ["read", "delete"] Resolve: elastic#60877 Related: elastic#10836 Related: elastic#37148 * Support audit ignore policy by index privileges Adding new audit ignore policy - privileges For example, following policy will filter out all events, which actions required privilege is either "read" or "delete": xpack.security.audit.logfile.events.ignore_filters: example: privileges: ["read", "delete"] Resolve: elastic#60877 Related: elastic#10836 Related: elastic#37148 * To avoid ambiguity (as cluster and index policies may have the same name) changing implementation to have to separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException. * To avoid ambiguity (as cluster and index policies may have the same name) changing implementation to have to separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException. * Fixing Api key related privilege check which expects request and authentication by introducing overloaded version of findPrivilegesThatGrant just checking if privileges which can grant the action regardless of the request and authentication context. * Fixing a test; adding a caching mechanism to avoid calling findPrivilegesThatGrant each time. * Support audit ignore policy by index privileges Addressing review feedback * Support audit ignore policy by index privileges Addressing review comments + changing approach: - use permission check instead of simple "checkIfGrants" - adding more testing * Support audit ignore policy by index privileges Addressing review comments + changing approach: - use permission check instead of simple "checkIfGrants" - adding more testing * Support audit ignore policy by index privileges Addressing review comments + changing approach: - use permission check instead of simple "checkIfGrants" - adding more testing * Support audit ignore policy by index privileges Addressing review comments + changing approach: - use permission check instead of simple "checkIfGrants" - adding more testing * Revert "Support audit ignore policy by index privileges" This reverts commit 152821e * Revert "Support audit ignore policy by index privileges" This reverts commit 79649e9 * Revert "Support audit ignore policy by index privileges" This reverts commit 96d22a4 * Revert "Support audit ignore policy by index privileges" This reverts commit 67574b2 * Revert "Support audit ignore policy by index privileges" This reverts commit 35573c8 * Revert "Fixing a test; adding a caching mechanism to avoid calling findPrivilegesThatGrant each time." This reverts commit 7faa52f * Revert "Fixing Api key related privilege check which expects request and authentication by introducing overloaded version of findPrivilegesThatGrant just checking if privileges which can grant the action regardless of the request and authentication context." This reverts commit 72b9aef * Revert "To avoid ambiguity (as cluster and index policies may have the same name) changing implementation to have to separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException." This reverts commit 7dd8fe7 * Revert "To avoid ambiguity (as cluster and index policies may have the same name) changing implementation to have to separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException." This reverts commit cb5bc09 * Revert "Support audit ignore policy by index privileges" This reverts commit a918da1 * Support audit ignore policy by actions Getting back to action filtering * Support audit ignore policy by actions Cleaning up some tests * Support audit ignore policy by actions Cleaning up some tests Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> # Conflicts: # x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
* Support audit ignore policy by actions Bulk operations may produce GBs of audit log events while most of them are related/identical. This change will allow to filter out events by their type of actions by creating a new audit ignore policy - actions. 'xpack.security.audit.logfile.events.ignore_filters: example1: actions: ["indices:data/write/bulk", "cluster:admin/ilm/*"]' Resolve: #60877 Related: #10836 Related: #37148 #69233
Thanks for this new feature! |
* Support audit ignore policy by index privileges Adding new audit ignore policy - privileges For example, following policy will filter out all events, which actions minimal required privilege is either "read" or "delete": xpack.security.audit.logfile.events.ignore_filters: example: privileges: ["read", "delete"] Resolve: elastic#60877 Related: elastic#10836 Related: elastic#37148 * Support audit ignore policy by index privileges Adding new audit ignore policy - privileges For example, following policy will filter out all events, which actions required privilege is either "read" or "delete": xpack.security.audit.logfile.events.ignore_filters: example: privileges: ["read", "delete"] Resolve: elastic#60877 Related: elastic#10836 Related: elastic#37148 * To avoid ambiguity (as cluster and index policies may have the same name) changing implementation to have to separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException. * To avoid ambiguity (as cluster and index policies may have the same name) changing implementation to have to separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException. * Fixing Api key related privilege check which expects request and authentication by introducing overloaded version of findPrivilegesThatGrant just checking if privileges which can grant the action regardless of the request and authentication context. * Fixing a test; adding a caching mechanism to avoid calling findPrivilegesThatGrant each time. * Support audit ignore policy by index privileges Addressing review feedback * Support audit ignore policy by index privileges Addressing review comments + changing approach: - use permission check instead of simple "checkIfGrants" - adding more testing * Support audit ignore policy by index privileges Addressing review comments + changing approach: - use permission check instead of simple "checkIfGrants" - adding more testing * Support audit ignore policy by index privileges Addressing review comments + changing approach: - use permission check instead of simple "checkIfGrants" - adding more testing * Support audit ignore policy by index privileges Addressing review comments + changing approach: - use permission check instead of simple "checkIfGrants" - adding more testing * Revert "Support audit ignore policy by index privileges" This reverts commit 152821e * Revert "Support audit ignore policy by index privileges" This reverts commit 79649e9 * Revert "Support audit ignore policy by index privileges" This reverts commit 96d22a4 * Revert "Support audit ignore policy by index privileges" This reverts commit 67574b2 * Revert "Support audit ignore policy by index privileges" This reverts commit 35573c8 * Revert "Fixing a test; adding a caching mechanism to avoid calling findPrivilegesThatGrant each time." This reverts commit 7faa52f * Revert "Fixing Api key related privilege check which expects request and authentication by introducing overloaded version of findPrivilegesThatGrant just checking if privileges which can grant the action regardless of the request and authentication context." This reverts commit 72b9aef * Revert "To avoid ambiguity (as cluster and index policies may have the same name) changing implementation to have to separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException." This reverts commit 7dd8fe7 * Revert "To avoid ambiguity (as cluster and index policies may have the same name) changing implementation to have to separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException." This reverts commit cb5bc09 * Revert "Support audit ignore policy by index privileges" This reverts commit a918da1 * Support audit ignore policy by actions Getting back to action filtering * Support audit ignore policy by actions Cleaning up some tests * Support audit ignore policy by actions Cleaning up some tests Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Bulk operations may produce GBs of audit log events
while most of them are related/identical. This change
will allow to filter out events by their type of actions by
creating a new audit ignore policy - actions.
'xpack.security.audit.logfile.events.ignore_filters:
example1:
actions: ["indices:data/write/bulk", "cluster:admin/ilm/*"]'
Resolve: #60877
Related: #10836
Related: #37148