From 9cc2a0454dbb966273bdec06f70db35d0188775d Mon Sep 17 00:00:00 2001
From: Maciej Szulik
Date: Mon, 3 Oct 2016 15:09:52 +0200
Subject: [PATCH] Add asgroups to audit log
---
 pkg/apiserver/filters/audit.go | 17 ++++++++++++++---
 pkg/apiserver/filters/audit_test.go | 2 +-
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/pkg/apiserver/filters/audit.go b/pkg/apiserver/filters/audit.go
index 5e745cddda4..75d437f29bf 100644
--- a/pkg/apiserver/filters/audit.go
+++ b/pkg/apiserver/filters/audit.go
@@ -22,11 +22,13 @@ import (
 "io"
 "net"
 "net/http"
+ "strings"
 "time"
 "github.com/golang/glog"
 "github.com/pborman/uuid"
+ authenticationapi "k8s.io/kubernetes/pkg/apis/authentication"
 utilnet "k8s.io/kubernetes/pkg/util/net"
 )
@@ -94,18 +96,27 @@ func WithAudit(handler http.Handler, attributeGetter RequestAttributeGetter, out
 internalError(w, req, err)
 return
 }
- asuser := req.Header.Get("Impersonate-User")
+ asuser := req.Header.Get(authenticationapi.ImpersonateUserHeader)
 if len(asuser) == 0 {
 asuser = ""
 }
+ asgroups := ""
+ requestedGroups := req.Header[authenticationapi.ImpersonateGroupHeader]
+ if len(requestedGroups) > 0 {
+ quotedGroups := make([]string, len(requestedGroups))
+ for i, group := range requestedGroups {
+ quotedGroups[i] = fmt.Sprintf("%q", group)
+ }
+ asgroups = strings.Join(quotedGroups, ", ")
+ }
 namespace := attribs.GetNamespace()
 if len(namespace) == 0 {
 namespace = ""
 }
 id := uuid.NewRandom().String()
- line := fmt.Sprintf("%s AUDIT: id=%q ip=%q method=%q user=%q as=%q namespace=%q uri=%q\n",
- time.Now().Format(time.RFC3339Nano), id, utilnet.GetClientIP(req), req.Method, attribs.GetUser().GetName(), asuser, namespace, req.URL)
+ line := fmt.Sprintf("%s AUDIT: id=%q ip=%q method=%q user=%q as=%q asgroups=%q namespace=%q uri=%q\n",
+ time.Now().Format(time.RFC3339Nano), id, utilnet.GetClientIP(req), req.Method, attribs.GetUser().GetName(), asuser, asgroups, namespace, req.URL)
 if _, err := fmt.Fprint(out, line); err != nil {
 glog.Errorf("Unable to write audit log: %s, the error is: %v", line, err)
 }
diff --git a/pkg/apiserver/filters/audit_test.go b/pkg/apiserver/filters/audit_test.go
index 1b125fe6095..036229d2611 100644
--- a/pkg/apiserver/filters/audit_test.go
+++ b/pkg/apiserver/filters/audit_test.go
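Review bot: The group lookup indexes the header map directly, `req.Header[authenticationapi.ImpersonateGroupHeader]`, which matches only if that constant is spelled in canonical MIME form, whereas the `req.Header.Get` call for the user header canonicalizes its argument; the constant is defined outside this diff. A mismatch would silently leave requested groups out of the audit line, so I would write `requestedGroups := req.Header[http.CanonicalHeaderKey(authenticationapi.ImpersonateGroupHeader)]`. The loop also deserves a comment such as `// each group is %q-quoted, and asgroups=%q quotes the joined list again, so consumers see escaped inner quotes`, since log parsers have to unescape twice. The logged groups are the ones the request asked for; whether impersonation was authorized is not visible here, so the field should be documented as requested rather than granted. WithAudit starts and ends outside the hunk.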
@@ -86,7 +86,7 @@ func TestAudit(t *testing.T) {
 if len(line) != 2 {
 t.Fatalf("Unexpected amount of lines in audit log: %d", len(line))
 }
- match, err := regexp.MatchString(`[\d\:\-\.\+TZ]+ AUDIT: id="[\w-]+" ip="127.0.0.1" method="GET" user="admin" as="" namespace="default" uri="/api/v1/namespaces/default/pods"`, line[0])
+ match, err := regexp.MatchString(`[\d\:\-\.\+TZ]+ AUDIT: id="[\w-]+" ip="127.0.0.1" method="GET" user="admin" as="" asgroups="" namespace="default" uri="/api/v1/namespaces/default/pods"`, line[0])
 if err != nil {
 t.Errorf("Unexpected error matching first line: %v", err)
 }
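Review bot: The only assertion updated here covers a request with no group header, so the new quote-and-join branch in audit.go is not exercised by anything visible in this hunk; the rest of TestAudit lies outside it and may differ. I would add a case that sets two values on the test request, for example `req.Header.Add(authenticationapi.ImpersonateGroupHeader, "team \"a\"")` (variable name assumed), and match the resulting `asgroups=` field. That pins the escaping that keeps request-supplied group names from breaking the one-record-per-line audit format.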