授权阶段添加审计日志功能 / Add Audit Logging for Authorization Phase

[lujiefsi]

Search before asking

• I searched in the issues and found nothing similar.

Motivation

目前IoTDB仅在认证阶段（用户登录时）添加了审计日志，但在授权阶段（权限检查时）没有相应的审计日志记录。这使得系统管理员无法追踪和审计用户的权限访问行为，增加了安全风险。在安全敏感的环境中，完整的审计日志对于满足合规要求和进行安全分析至关重要。

Currently, IoTDB only adds audit logs during the authentication phase (when users log in), but there are no corresponding audit log records during the authorization phase (when permission checks occur). This prevents system administrators from tracking and auditing user permission access behaviors, increasing security risks. In security-sensitive environments, comprehensive audit logging is essential for meeting compliance requirements and conducting security analysis.

Solution

建议在授权阶段（AuthorityChecker.checkAuthority方法）添加审计日志记录，类似于认证阶段的实现方式。具体来说，在org.apache.iotdb.db.auth.AuthorityChecker类的checkAuthority方法中，当进行权限检查时，应该记录以下信息：

• 用户名
• 访问的资源（路径、数据库、表等）
• 请求的权限类型
• 权限检查的结果（成功/失败）
• 时间戳

I suggest adding audit log records during the authorization phase (AuthorityChecker.checkAuthority method), similar to the implementation in the authentication phase. Specifically, in the checkAuthority method of the org.apache.iotdb.db.auth.AuthorityChecker class, when performing permission checks, the following information should be recorded:

• Username
• Accessed resource (path, database, table, etc.)
• Requested permission type
• Result of permission check (success/failure)
• Timestamp

参考现有的认证阶段审计日志实现（SessionManager类中的login方法），可以使用AuditLogger类来记录这些信息。例如：

Referring to the existing authentication phase audit log implementation (login method in the SessionManager class), the AuditLogger class can be used to record this information. For example:

if (ENABLE_AUDIT_LOG) {
  AuditLogger.log(
      String.format(
          "User %s %s access to %s with privilege %s",
          username,
          (result ? "granted" : "denied"),
          resourcePath,
          privilegeType),
      statement);
}

此外，在org.apache.iotdb.db.protocol.rest.handler.AuthorizationHandler类的checkAuthority方法中也应添加类似的审计日志记录，以覆盖REST API的授权检查。

Additionally, similar audit log records should be added to the checkAuthority method in the org.apache.iotdb.db.protocol.rest.handler.AuthorizationHandler class to cover authorization checks for REST APIs.

Alternatives

No response

Are you willing to submit a PR?

• I'm willing to submit a PR!

[github-actions]

Hi, this is your first issue in IoTDB project. Thanks for your report. Welcome to join the community!

[HTHou]

It makes sense. We will consider to implement it. Thank you so much!