Skip to content

Add audit logging for stream content #130594

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Add audit logging for stream content #130594

wants to merge 6 commits into from

Conversation

mhl-b
Copy link
Contributor

@mhl-b mhl-b commented Jul 4, 2025
edited
Loading

Add support for HTTP content audit logging for streamed content. After #129302 we can aggregate streamed content within REST layer. When INCLUDE_REQUEST_BODY setting is specified every streamed request will be aggregated in SecurityRestFilter. This flag is effectively disable streaming support.

@mhl-b mhl-b requested review from ywangd and DaveCTurner July 4, 2025 03:44
@mhl-b mhl-b marked this pull request as ready for review July 4, 2025 03:44
@elasticsearchmachine elasticsearchmachine added the needs:triage Requires assignment of a team area label label Jul 4, 2025
@mhl-b mhl-b added :Distributed Coordination/Network Http and internode communication implementations Team:Distributed Coordination Meta label for Distributed Coordination team >enhancement and removed needs:triage Requires assignment of a team area label labels Jul 4, 2025
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-distributed-coordination (Team:Distributed Coordination)

@elasticsearchmachine
Copy link
Collaborator

Hi @mhl-b, I've created a changelog YAML for you.

ywangd
ywangd approved these changes Jul 4, 2025
View reviewed changes
Copy link
Member

@ywangd ywangd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

I left a somewhat important comment and appreciate if you could address it. Additionally, could you please remove the following code and maybe replace it by an assertion that the request is no longer streaming.

elasticsearch/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditUtil.java

Lines 30 to 32 in 9be73c5

if (request.isStreamedContent()) {
return "Request body had not been received at the time of the audit event";
}

...security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
Comment on lines +1075 to +1077
public boolean includeRequestBody() {
return includeRequestBody;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems problematic. According to this comment, the non-volatile field includeRequestBody is guaranteed to see the latest change because it is always read after the volatile field events. It is true within LoggingAuditTrail but no longer the case if we just return it here. I think we can either also read events field here before return or having SecurityRestFilter register its own settings update consumer for the INCLUDE_REQUEST_BODY setting so that it does not need to ask LoggingAuditTrail.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SecurityRestFilter needs to know both features : LoggingAuditTrail and includeRequestBody are enabled. Shouldnt be much of a difference. Kind of hacky, cutting through two layers of abstraction.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So a read for events before returnning should suffice in this case. Otherwise we may see stale value for includeRequestBody

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Making includeRequestBody volatile should be cleaner then, if I still need to read a volatile field. 9351f93

DaveCTurner
DaveCTurner approved these changes Jul 7, 2025
View reviewed changes
Copy link
Contributor

@DaveCTurner DaveCTurner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

.../plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java
Comment on lines +58 to +62
if (get() instanceof LoggingAuditTrail trail) {
return trail.includeRequestBody();
} else {
return false;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one-liner?

Suggested change
if (get() instanceof LoggingAuditTrail trail) {
return trail.includeRequestBody();
} else {
return false;
}
return get() instanceof LoggingAuditTrail trail && trail.includeRequestBody();

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ywangd ywangd ywangd approved these changes

@DaveCTurner DaveCTurner DaveCTurner approved these changes

Assignees
No one assigned
Labels
:Distributed Coordination/Network Http and internode communication implementations >enhancement Team:Distributed Coordination Meta label for Distributed Coordination team v9.2.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mhl-b @elasticsearchmachine @ywangd @DaveCTurner