From 28beb4572e676b9073f400fb6ccf2720381a41d0 Mon Sep 17 00:00:00 2001
From: "Tim St. Clair"
Date: Tue, 13 Jun 2017 13:04:07 -0700
Subject: [PATCH] audit: Fill in full ObjectRef, include in LevelMetadata

---
 .../src/k8s.io/apiserver/pkg/audit/request.go | 39 ++++++++++++-------
 .../apiserver/pkg/endpoints/handlers/rest.go | 8 ++--
 2 files changed, 30 insertions(+), 17 deletions(-)

diff --git a/staging/src/k8s.io/apiserver/pkg/audit/request.go b/staging/src/k8s.io/apiserver/pkg/audit/request.go
index 4332ca363d7..e9a2c19fd71 100644
--- a/staging/src/k8s.io/apiserver/pkg/audit/request.go
+++ b/staging/src/k8s.io/apiserver/pkg/audit/request.go
@@ -28,7 +28,6 @@ import (
 
 "reflect"
 
- "k8s.io/apimachinery/pkg/apis/meta/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
@@ -107,17 +106,8 @@ func NewEventFromRequest(req *http.Request, level auditinternal.Level, attribs a
 
 // LogRequestObject fills in the request object into an audit event. The passed runtime.Object
 // will be converted to the given gv.
-func LogRequestObject(ae *audit.Event, obj runtime.Object, gv schema.GroupVersion, s runtime.NegotiatedSerializer) {
- if ae == nil || ae.Level.Less(audit.LevelRequest) {
- return
- }
-
- // TODO(audit): hook into the serializer to avoid double conversion
- var err error
- ae.RequestObject, err = encodeObject(obj, gv, s)
- if err != nil {
- // TODO(audit): add error slice to audit event struct
- glog.Warningf("Auditing failed of %v request: %v", reflect.TypeOf(obj).Name(), err)
+func LogRequestObject(ae *audit.Event, obj runtime.Object, gvr schema.GroupVersionResource, subresource string, s runtime.NegotiatedSerializer) {
+ if ae == nil || ae.Level.Less(audit.LevelMetadata) {
 return
 }
 
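Review bot: The doc comment kept as context above the new signature still describes the old contract — "The passed runtime.Object will be converted to the given gv" — but the function now takes a GroupVersionResource plus a subresource, is gated on LevelMetadata instead of LevelRequest, and (in the later hunk of this file) fills the event's ObjectRef before it touches the request object, so a reader of the Go doc would wrongly assume nothing is written below LevelRequest. Suggest rewriting the two comment lines to say that LogRequestObject populates ae.ObjectRef (resource, subresource, API version, and namespace/other metadata taken from obj when it carries ObjectMeta) at LevelMetadata and above, and additionally records obj, converted to gvr.GroupVersion(), as ae.RequestObject at LevelRequest and above. It is also worth stating in that comment that a nil ae is a no-op, since every call site relies on it. LogRequestObject's body continues past this hunk.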
@@ -125,7 +115,7 @@ func LogRequestObject(ae *audit.Event, obj runtime.Object, gv schema.GroupVersio
 if ae.ObjectRef == nil {
 ae.ObjectRef = &audit.ObjectReference{}
 }
- if acc, ok := obj.(v1.ObjectMetaAccessor); ok {
+ if acc, ok := obj.(metav1.ObjectMetaAccessor); ok {
 meta := acc.GetObjectMeta()
 if len(ae.ObjectRef.Namespace) == 0 {
 ae.ObjectRef.Namespace = meta.GetNamespace()
@@ -140,6 +130,29 @@ func LogRequestObject(ae *audit.Event, obj runtime.Object, gv schema.GroupVersio
 ae.ObjectRef.ResourceVersion = meta.GetResourceVersion()
 }
 }
+ // TODO: ObjectRef should include the API group.
+ if len(ae.ObjectRef.APIVersion) == 0 {
+ ae.ObjectRef.APIVersion = gvr.Version
+ }
+ if len(ae.ObjectRef.Resource) == 0 {
+ ae.ObjectRef.Resource = gvr.Resource
+ }
+ if len(ae.ObjectRef.Subresource) == 0 {
+ ae.ObjectRef.Subresource = subresource
+ }
+
+ if ae.Level.Less(audit.LevelRequest) {
+ return
+ }
+
+ // TODO(audit): hook into the serializer to avoid double conversion
+ var err error
+ ae.RequestObject, err = encodeObject(obj, gvr.GroupVersion(), s)
+ if err != nil {
+ // TODO(audit): add error slice to audit event struct
+ glog.Warningf("Auditing failed of %v request: %v", reflect.TypeOf(obj).Name(), err)
+ return
+ }
 }
 
 // LogRquestPatch fills in the given patch as the request object into an audit event.
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/rest.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/rest.go
index 03d02bcb40c..bf7b8838536 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/rest.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/rest.go
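Review bot: In the warning re-added at the end of the @@ -140 hunk, `reflect.TypeOf(obj).Name()` returns an empty string for any pointer type, and API objects are passed as pointers, so the audit failure is logged without the type it concerns; and if encodeObject can fail for a nil obj, reflect.TypeOf(nil) is a nil Type and the `.Name()` call panics inside the request handler rather than merely dropping the audit payload. The fmt verb handles both cases: `glog.Warningf("Auditing failed of %T request: %v", obj, err)`. The `return` inside that error branch is now the last statement of the function and can be dropped. Separately, `ae.ObjectRef.APIVersion = gvr.Version` records the bare version, so until the TODO above it is resolved an event for a group resource and one for a core resource can carry the same version string (e.g. "v1"); consumers that key audit records on APIVersion should be warned of that in the ObjectReference field comment.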
@@ -442,7 +442,7 @@ func createHandler(r rest.NamedCreater, scope RequestScope, typer runtime.Object
 trace.Step("Conversion done")
 
 ae := request.AuditEventFrom(ctx)
- audit.LogRequestObject(ae, obj, scope.Resource.GroupVersion(), scope.Serializer)
+ audit.LogRequestObject(ae, obj, scope.Resource, scope.Subresource, scope.Serializer)
 
 if admit != nil && admit.Handles(admission.Create) {
 userInfo, _ := request.UserFrom(ctx)
@@ -876,7 +876,7 @@ func UpdateResource(r rest.Updater, scope RequestScope, typer runtime.ObjectType
 trace.Step("Conversion done")
 
 ae := request.AuditEventFrom(ctx)
- audit.LogRequestObject(ae, obj, scope.Resource.GroupVersion(), scope.Serializer)
+ audit.LogRequestObject(ae, obj, scope.Resource, scope.Subresource, scope.Serializer)
 
 if err := checkName(obj, name, namespace, scope.Namer); err != nil {
 scope.err(err, w, req)
@@ -969,7 +969,7 @@ func DeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope RequestSco
 }
 
 ae := request.AuditEventFrom(ctx)
- audit.LogRequestObject(ae, obj, scope.Resource.GroupVersion(), scope.Serializer)
+ audit.LogRequestObject(ae, obj, scope.Resource, scope.Subresource, scope.Serializer)
 } else {
 if values := req.URL.Query(); len(values) > 0 {
 if err := metainternalversion.ParameterCodec.DecodeParameters(values, scope.MetaGroupVersion, options); err != nil {
@@ -1115,7 +1115,7 @@ func DeleteCollection(r rest.CollectionDeleter, checkBody bool, scope RequestSco
 }
 
 ae := request.AuditEventFrom(ctx)
- audit.LogRequestObject(ae, obj, scope.Resource.GroupVersion(), scope.Serializer)
+ audit.LogRequestObject(ae, obj, scope.Resource, scope.Subresource, scope.Serializer)
 }
 }
 
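Review bot: Because the Resource/Subresource/APIVersion fill now lives inside LogRequestObject, only handlers that decode a request body reach it: in the DeleteResource hunk the call sits in the branch that ends at `} else {`, so a delete whose options come from the query string never gets there, and no read handler (get, list, watch) is touched by this commit at all. Unless NewEventFromRequest (not shown in this diff) already sets those ObjectRef fields from the request attributes, Metadata-level events for exactly the requests an auditor most wants to attribute — reads of secrets, body-less deletes — would carry an ObjectRef with an empty Resource, which undermines the commit's stated goal. Suggest populating resource, subresource and version where the event is created, or at least documenting on LogRequestObject which code paths are expected to call it so the gap is visible. The four call-site hunks are otherwise straightforward signature updates; the same point applies to the @@ -1115 DeleteCollection hunk, whose checkBody branch ends in the same way.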