Merge pull request #37102 from deads2k/api-45-audit-groups

Automatic merge from submit-queue

add groups to the audit trail

Adds groups to the string that gets put in the audit log.

@soltysh @sttts
Kubernetes Submit Queue 2016-12-02 08:45:04 -08:00 committed by GitHub
commit 0a976f5356
2 changed files with 21 additions and 8 deletions


@ -96,6 +96,11 @@ func WithAudit(handler http.Handler, attributeGetter RequestAttributeGetter, out
internalError(w, req, err)
return
}
groups := "<none>"
if userGroups := attribs.GetUser().GetGroups(); len(userGroups) > 0 {
groups = auditStringSlice(userGroups)
}
asuser := req.Header.Get(authenticationapi.ImpersonateUserHeader)
if len(asuser) == 0 {
asuser = "<self>"
@ -103,11 +108,7 @@ func WithAudit(handler http.Handler, attributeGetter RequestAttributeGetter, out
asgroups := "<lookup>"
requestedGroups := req.Header[authenticationapi.ImpersonateGroupHeader]
if len(requestedGroups) > 0 {
quotedGroups := make([]string, len(requestedGroups))
for i, group := range requestedGroups {
quotedGroups[i] = fmt.Sprintf("%q", group)
}
asgroups = strings.Join(quotedGroups, ", ")
asgroups = auditStringSlice(requestedGroups)
}
namespace := attribs.GetNamespace()
if len(namespace) == 0 {
@ -115,8 +116,8 @@ func WithAudit(handler http.Handler, attributeGetter RequestAttributeGetter, out
}
id := uuid.NewRandom().String()
line := fmt.Sprintf("%s AUDIT: id=%q ip=%q method=%q user=%q as=%q asgroups=%q namespace=%q uri=%q\n",
time.Now().Format(time.RFC3339Nano), id, utilnet.GetClientIP(req), req.Method, attribs.GetUser().GetName(), asuser, asgroups, namespace, req.URL)
line := fmt.Sprintf("%s AUDIT: id=%q ip=%q method=%q user=%q groups=%q as=%q asgroups=%q namespace=%q uri=%q\n",
time.Now().Format(time.RFC3339Nano), id, utilnet.GetClientIP(req), req.Method, attribs.GetUser().GetName(), groups, asuser, asgroups, namespace, req.URL)
if _, err := fmt.Fprint(out, line); err != nil {
glog.Errorf("Unable to write audit log: %s, the error is: %v", line, err)
}
@ -125,6 +126,18 @@ func WithAudit(handler http.Handler, attributeGetter RequestAttributeGetter, out
})
}
func auditStringSlice(inList []string) string {
if len(inList) == 0 {
return ""
}
quotedElements := make([]string, len(inList))
for i, in := range inList {
quotedElements[i] = fmt.Sprintf("%q", in)
}
return strings.Join(quotedElements, ",")
}
func decorateResponseWriter(responseWriter http.ResponseWriter, out io.Writer, id string) http.ResponseWriter {
delegate := &auditResponseWriter{ResponseWriter: responseWriter, out: out, id: id}
// check if the ResponseWriter we're wrapping is the fancy one we need
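Review bot: Replacing the inline join in the asgroups branch with `asgroups = auditStringSlice(requestedGroups)` also changes that field's separator from `", "` (the removed `strings.Join(quotedGroups, ", ")`) to `","` (the helper's `strings.Join(quotedElements, ",")`), so every audit line carrying impersonated groups changes format while the PR description only mentions adding `groups=`. Either the description should call that out for anyone parsing the log, or the helper should keep the old separator, `return strings.Join(quotedElements, ", ")`. The new helper in the last hunk also has no doc comment; I would add `// auditStringSlice renders each element of inList with %q and joins them with "," for use in an audit log line; it returns "" for an empty slice.` WithAudit starts and ends outside these hunks.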


@ -86,7 +86,7 @@ func TestAudit(t *testing.T) {
if len(line) != 2 {
t.Fatalf("Unexpected amount of lines in audit log: %d", len(line))
}
match, err := regexp.MatchString(`[\d\:\-\.\+TZ]+ AUDIT: id="[\w-]+" ip="127.0.0.1" method="GET" user="admin" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/pods"`, line[0])
match, err := regexp.MatchString(`[\d\:\-\.\+TZ]+ AUDIT: id="[\w-]+" ip="127.0.0.1" method="GET" user="admin" groups="<none>" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/pods"`, line[0])
if err != nil {
t.Errorf("Unexpected error matching first line: %v", err)
}
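Review bot: The updated regexp only pins the `groups="<none>"` path; no request in this test has a user with groups, so the rendering of `auditStringSlice` output under the outer `%q` in the audit line (the per-element quotes get escaped, giving something like `groups="\"a\",\"b\""` — constructed example) is never asserted. A second case with a user carrying two groups and an expected `groups=` fragment would lock down that format, which is the part downstream log parsers will key on. TestAudit continues outside the hunk.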