Skip to content

Add audit logging for stream content#130594

Merged
mhl-b merged 6 commits intoelastic:mainfrom
mhl-b:aggregating-audit-trail
Jul 7, 2025
Merged

Add audit logging for stream content#130594
mhl-b merged 6 commits intoelastic:mainfrom
mhl-b:aggregating-audit-trail

Conversation

@mhl-b
Copy link
Contributor

@mhl-b mhl-b commented Jul 4, 2025
edited
Loading

Add support for HTTP content audit logging for streamed content. After #129302 we can aggregate streamed content within REST layer. When INCLUDE_REQUEST_BODY setting is specified every streamed request will be aggregated in SecurityRestFilter. This flag is effectively disable streaming support.
@mhl-b mhl-b requested review from DaveCTurner and ywangd July 4, 2025 03:44
@mhl-b mhl-b marked this pull request as ready for review July 4, 2025 03:44
@elasticsearchmachine elasticsearchmachine added the needs:triage Requires assignment of a team area label label Jul 4, 2025
@mhl-b mhl-b added :Distributed/Network Http and internode communication implementations Team:Distributed Coordination (obsolete) Meta label for Distributed Coordination team. Obsolete. Please do not use. >enhancement and removed needs:triage Requires assignment of a team area label labels Jul 4, 2025
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Jul 4, 2025

Pinging @elastic/es-distributed-coordination (Team:Distributed Coordination)
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Jul 4, 2025

Hi @mhl-b, I've created a changelog YAML for you.
ywangd
ywangd approved these changes Jul 4, 2025
View reviewed changes
Copy link
Member

@ywangd ywangd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

I left a somewhat important comment and appreciate if you could address it. Additionally, could you please remove the following code and maybe replace it by an assertion that the request is no longer streaming.

elasticsearch/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditUtil.java

Lines 30 to 32 in 9be73c5

if (request.isStreamedContent()) {
return "Request body had not been received at the time of the audit event";
}

...security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
Comment on lines +1075 to +1077
public boolean includeRequestBody() {
return includeRequestBody;
}
Copy link
Member

@ywangd ywangd Jul 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems problematic. According to this comment, the non-volatile field includeRequestBody is guaranteed to see the latest change because it is always read after the volatile field events. It is true within LoggingAuditTrail but no longer the case if we just return it here. I think we can either also read events field here before return or having SecurityRestFilter register its own settings update consumer for the INCLUDE_REQUEST_BODY setting so that it does not need to ask LoggingAuditTrail.
Copy link
Contributor Author

@mhl-b mhl-b Jul 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SecurityRestFilter needs to know both features : LoggingAuditTrail and includeRequestBody are enabled. Shouldnt be much of a difference. Kind of hacky, cutting through two layers of abstraction.
Copy link
Member

@ywangd ywangd Jul 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So a read for events before returnning should suffice in this case. Otherwise we may see stale value for includeRequestBody
Copy link
Contributor Author

@mhl-b mhl-b Jul 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Making includeRequestBody volatile should be cleaner then, if I still need to read a volatile field. 9351f93
DaveCTurner
DaveCTurner approved these changes Jul 7, 2025
View reviewed changes
Copy link
Contributor

@DaveCTurner DaveCTurner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
.../plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java
Comment on lines +58 to +62
if (get() instanceof LoggingAuditTrail trail) {
return trail.includeRequestBody();
} else {
return false;
}
Copy link
Contributor

@DaveCTurner DaveCTurner Jul 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one-liner?

Suggested change
if (get() instanceof LoggingAuditTrail trail) {
return trail.includeRequestBody();
} else {
return false;
}
return get() instanceof LoggingAuditTrail trail && trail.includeRequestBody();
@mhl-b mhl-b merged commit 209caaf into elastic:main Jul 7, 2025
32 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

:Distributed/Network Http and internode communication implementations >enhancement Team:Distributed Coordination (obsolete) Meta label for Distributed Coordination team. Obsolete. Please do not use. v9.2.0

4 participants

@mhl-b @elasticsearchmachine @ywangd @DaveCTurner