Support audit ignore policy by actions #67477
Merged: BigPandaToo merged 35 commits into elastic:master, Mar 1, 2021
Adding new audit ignore policy - privileges

For example, the following policy will filter out all events whose actions' minimal required privilege is either "read" or "delete":

xpack.security.audit.logfile.events.ignore_filters:
  example:
    privileges: ["read", "delete"]

Resolves: elastic#60877
Related: elastic#10836
Related: elastic#37148
Collaborator: Pinging @elastic/es-security (Team:Security)
Author (Contributor): @elasticmachine update branch
Author (Contributor): @elasticmachine update branch
Author (Contributor): @elasticmachine update branch
To avoid ambiguity (as cluster and index policies may have the same name) changing implementation to have two separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException.
Fixing Api key related privilege check which expects request and authentication by introducing overloaded version of findPrivilegesThatGrant just checking if privileges which can grant the action regardless of the request and authentication context.
Author (Contributor): @elasticmachine update branch
Fixing a test; adding a caching mechanism to avoid calling findPrivilegesThatGrant each time.
Author (Contributor): @elasticmachine update branch
added 9 commits, February 22, 2021 20:00:
- Revert "Support audit ignore policy by index privileges" (reverts commit 79649e9)
- Revert "Support audit ignore policy by index privileges" (reverts commit 96d22a4)
- Revert "Support audit ignore policy by index privileges" (reverts commit 67574b2)
- Revert "Support audit ignore policy by index privileges" (reverts commit 35573c8)
- Revert "Fixing a test; adding a caching mechanism to avoid calling findPrivilegesThatGrant each time." (reverts commit 7faa52f)
- Revert "Fixing Api key related privilege check which expects request and authentication by introducing overloaded version of findPrivilegesThatGrant just checking if privileges which can grant the action regardless of the request and authentication context." (reverts commit 72b9aef)
- Revert "To avoid ambiguity (as cluster and index policies may have the same name) changing implementation to have two separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException." (reverts commit 7dd8fe7)
- Revert "To avoid ambiguity (as cluster and index policies may have the same name) changing implementation to have two separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException." (reverts commit cb5bc09)
- Revert "Support audit ignore policy by index privileges" (reverts commit a918da1)
Getting back to action filtering
New change makes most of the comments irrelevant, need new review.
albertzaharovits (Contributor) approved these changes, Feb 25, 2021:
LGTM with only very small nits.
Cleaning up some tests
Author (Contributor): @elasticmachine update branch
Cleaning up some tests
BigPandaToo added a commit to BigPandaToo/elasticsearch that referenced this pull request, Mar 1, 2021:
* Support audit ignore policy by index privileges
  Adding new audit ignore policy - privileges. For example, the following policy will filter out all events whose actions' minimal required privilege is either "read" or "delete":
    xpack.security.audit.logfile.events.ignore_filters:
      example:
        privileges: ["read", "delete"]
  Resolves: elastic#60877. Related: elastic#10836, elastic#37148
  (the same message, without "minimal", on a second commit)
* To avoid ambiguity (as cluster and index policies may have the same name) changing implementation to have two separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException. (two commits with this message)
* Fixing Api key related privilege check which expects request and authentication by introducing overloaded version of findPrivilegesThatGrant just checking if privileges which can grant the action regardless of the request and authentication context.
* Fixing a test; adding a caching mechanism to avoid calling findPrivilegesThatGrant each time.
* Support audit ignore policy by index privileges: Addressing review feedback
* Support audit ignore policy by index privileges: Addressing review comments + changing approach: use permission check instead of simple "checkIfGrants"; adding more testing (four commits with this message)
* Revert "Support audit ignore policy by index privileges": reverts commits 152821e, 79649e9, 96d22a4, 67574b2 and 35573c8 (five commits)
* Revert "Fixing a test; adding a caching mechanism to avoid calling findPrivilegesThatGrant each time.": reverts commit 7faa52f
* Revert "Fixing Api key related privilege check which expects request and authentication by introducing overloaded version of findPrivilegesThatGrant just checking if privileges which can grant the action regardless of the request and authentication context.": reverts commit 72b9aef
* Revert "To avoid ambiguity (as cluster and index policies may have the same name) changing implementation to have two separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException.": reverts commits 7dd8fe7 and cb5bc09 (two commits)
* Revert "Support audit ignore policy by index privileges": reverts commit a918da1
* Support audit ignore policy by actions: Getting back to action filtering
* Support audit ignore policy by actions: Cleaning up some tests (two commits with this message)
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
# Conflicts:
# x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
BigPandaToo added a commit that referenced this pull request, Mar 1, 2021:
* Support audit ignore policy by actions

Bulk operations may produce GBs of audit log events while most of them are related/identical. This change will allow filtering out events by the type of their actions by creating a new audit ignore policy - actions.

xpack.security.audit.logfile.events.ignore_filters:
  example1:
    actions: ["indices:data/write/bulk", "cluster:admin/ilm/*"]

Resolves: #60877
Related: #10836
Related: #37148
#69233
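The commit message above gives the shape of the new `actions` ignore policy but not a way to see what a policy would throw away before it is deployed. The script below is an added example, not code from this PR or from Elasticsearch: it dry-runs policies of that shape against a handful of constructed JSON audit events and reports, per policy, how many events would be suppressed and which would survive. It assumes two things about the matching rules, stated as assumptions in the code: `*` is the only wildcard, and an event is ignored when, for at least one policy, every predicate that policy lists matches the event (OR across policies, AND across predicates within a policy). The flat field names in the sample lines (`action`, `user.name`, `indices`), the second policy `bulk_from_bot` and its `users` predicate are choices made for the example, and `example1` is the policy from the commit message.

```python
"""Dry-run Elasticsearch-style audit ignore policies against sample events.

Added example, not code from the PR or from Elasticsearch. It models the
`actions` ignore policy described in the PR together with `users` and
`indices` predicates, under two assumptions: '*' is the only wildcard, and
an event is ignored when, for at least one policy, every predicate the
policy lists matches the event (OR across policies, AND across predicates).
"""
import json
import re
from typing import Dict, Iterable, List

# Constructed sample of audit log lines (flat JSON keys chosen for this
# example; users, indices and outcomes are made up).
SAMPLE_AUDIT_LOG = """\
{"event.action":"access_granted","user.name":"ingest_bot","action":"indices:data/write/bulk","indices":["logs-000001"]}
{"event.action":"access_granted","user.name":"ingest_bot","action":"indices:data/write/bulk[s]","indices":["logs-000001"]}
{"event.action":"access_granted","user.name":"elastic","action":"cluster:admin/ilm/put","indices":null}
{"event.action":"access_granted","user.name":"analyst","action":"indices:data/read/search","indices":["logs-*"]}
{"event.action":"access_denied","user.name":"analyst","action":"indices:data/write/bulk","indices":["restricted-000001"]}
"""

# Policies in the shape of xpack.security.audit.logfile.events.ignore_filters.
# "example1" is the policy from the PR's commit message; "bulk_from_bot" is a
# hypothetical second policy combining a users and an actions predicate.
IGNORE_FILTERS: Dict[str, Dict[str, List[str]]] = {
    "example1": {"actions": ["indices:data/write/bulk", "cluster:admin/ilm/*"]},
    "bulk_from_bot": {"users": ["ingest_bot"], "actions": ["indices:data/write/bulk*"]},
}

# Predicate name in a policy -> field name in the sample event lines (assumed layout).
PREDICATE_FIELDS = {"actions": "action", "users": "user.name", "indices": "indices"}


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a policy value where '*' matches any run of characters (assumption)."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def predicate_matches(patterns: List[str], values: Iterable[str]) -> bool:
    """A predicate holds when any of its patterns matches any of the event's values."""
    compiled = [wildcard_to_regex(p) for p in patterns]
    return any(rx.match(v) for rx in compiled for v in values)


def event_values(event: dict, predicate: str) -> List[str]:
    """Values of the event field a predicate is checked against ([] if absent or null)."""
    raw = event.get(PREDICATE_FIELDS[predicate])
    if raw is None:
        return []
    return list(raw) if isinstance(raw, list) else [raw]


def matching_policies(event: dict, filters: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Names of the policies that would ignore this event (AND across the policy's predicates)."""
    return [
        name
        for name, policy in filters.items()
        if policy and all(predicate_matches(pats, event_values(event, pred)) for pred, pats in policy.items())
    ]


def dry_run(log_text: str, filters: Dict[str, Dict[str, List[str]]]) -> dict:
    """Count how many sample events each policy suppresses and list the actions that survive."""
    suppressed = {name: 0 for name in filters}
    kept = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = matching_policies(event, filters)
        for name in hits:
            suppressed[name] += 1
        if not hits:
            kept.append(event["action"])
    return {"suppressed": suppressed, "kept": kept}


def overly_broad(filters: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Policies whose every predicate contains a bare '*': they silence everything they apply to."""
    return [name for name, policy in filters.items() if policy and all("*" in pats for pats in policy.values())]


if __name__ == "__main__":
    print(json.dumps(dry_run(SAMPLE_AUDIT_LOG, IGNORE_FILTERS), indent=2))
    for name in overly_broad(IGNORE_FILTERS):
        print(f"WARNING: ignore policy {name!r} would suppress every event it is checked against")
```

On the sample, `example1` suppresses three events and `bulk_from_bot` two, leaving only the search. Note that `example1` also drops the `access_denied` bulk against `restricted-000001`: an actions-only policy has no predicate on outcome, so a denied write is silenced along with the routine granted ones. That blind spot is the reason to dry-run a policy against a slice of real audit output, and to narrow it with `users` or `indices` predicates where the denials matter.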
Contributor: Thanks for this new feature!