Open zhongnansu opened 2 years ago
Related Kibana issue: https://github.com/elastic/kibana/issues/52125
Original PR to initialize Audit service: https://github.com/elastic/kibana/pull/69278
| Action | Distinguishing fields |
|---|---|
| Create datasource | {"action": "create", "resources": [{"type": "datasource"}]} |
| Update datasource | {"action": "update", "resources": [{"type": "datasource"}]} |
| Delete datasource | {"action": "delete", "resources": [{"type": "datasource"}]} |
| Enable permissions for datasource | {"action": "enable-permissions", "resources": [{"type": "datasource"}]} |
| Disable permissions for datasource | {"action": "disable-permissions", "resources": [{"type": "datasource"}]} |
| Grant datasource permission to role, team, or user | {"action": "create", "resources": [{"type": "datasource"}, {"type": "dspermission"}]}\* |
| Remove datasource permission | {"action": "delete", "resources": [{"type": "datasource"}, {"type": "dspermission"}]} |
| Enable caching for datasource | {"action": "enable-cache", "resources": [{"type": "datasource"}]} |
| Disable caching for datasource | {"action": "disable-cache", "resources": [{"type": "datasource"}]} |
| Update datasource caching configuration | {"action": "update", "resources": [{"type": "datasource"}]} |

\* resources may also contain a third item with "type" set to "user" or "team".
```json
{
  "audit_cluster_name": "841677925608:new-m6",
  "audit_node_name": "8b168deaa71e1e5da322cc20de7b812b",
  "audit_request_initiating_user": "admin",
  "audit_rest_request_method": "POST",
  "audit_category": "AUTHENTICATED",
  "audit_request_origin": "REST",
  "audit_request_body": "{\"docs\":[{\"_id\":\"visualization:2edf78b0-5395-11e8-99bf-1ba7b1bdaa61\",\"_index\":\".kibana\"}]}",
  "audit_node_id": "xfijqJVHS7SOD9KZVBYdcQ",
  "audit_request_layer": "REST",
  "audit_rest_request_path": "/_mget",
  "@timestamp": "2022-08-03T07:14:18.431+00:00",
  "audit_request_effective_user_is_admin": false,
  "audit_format_version": 4,
  "audit_request_remote_address": "24.19.168.206",
  "audit_rest_request_headers": {
    "Connection": [
      "keep-alive"
    ],
    "User-Agent": [
      "elasticsearch-js/7.10.0-rc.1 (linux 5.4.117-58.216.amzn2.aarch64-arm64; Node.js v10.24.1)"
    ],
    "x-opaque-id": [
      "30c9fa0c-c416-44d8-841a-11e31dccb235"
    ],
    "Host": [
      "localhost:9200"
    ],
    "x-opensearch-product-origin": [
      "opensearch-dashboards"
    ],
    "Content-Length": [
      "90"
    ],
    "Content-Type": [
      "application/json"
    ]
  },
  "audit_request_effective_user": "admin"
}
```
@zengyan-amazon @seraphjiang Any thoughts?
Task breakdown
Research Notes
Some questions we need to answer
Logging
Data source logging will log datasource, query, time, and error, with correct logging setting and client settings in osd.yml.
Similar to what we currently have with the default single OpenSearch cluster. It makes use of the event emitter provided by the opensearch-js client lib, which hooks into internal events such as request and response.
Doc reference (current logging): https://github.com/opensearch-project/OpenSearch-Dashboards/blob/5fb4143b11a0a0292ca5cc96391d192a7ef643b3/src/core/server/opensearch/client/configure_client.ts#L51-L72
Auditing
Security Plugin Audit Log feature
[Proposed Solution] OSD Audit Service + Logging service
Audit interfaces in core, and make use of the logging service to write output to file by configuring "logging -> custom appender". The audit service can get the authenticated user info, then we can enrich that with datasource, timestamp, query, error to create a single audit log line, and save it to some file on disk.
core - audit service
data source plugin -> audit trail client
data source plugin -> plugin.ts
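To make the logging and proposed-solution sections concrete, here is an added example (not OSD or opensearch-js code) that listens on the client's `response` event, the same event the linked configure_client.ts uses for query logging, and enriches it with the authenticated user, the datasource id and a timestamp into one audit record. The `FakeClient`, the `ctx` shape (`user`, `datasourceId`, `now`) and the record key names are assumptions made for this example.

```javascript
// Constructed stand-in for an opensearch-js Client, which is an EventEmitter;
// only the on()/emit() surface is reproduced here.
class FakeClient {
  constructor() { this.handlers = {}; }
  on(name, fn) { (this.handlers[name] = this.handlers[name] || []).push(fn); return this; }
  emit(name, ...args) { (this.handlers[name] || []).forEach((fn) => fn(...args)); }
}

// Turn one 'response' event into a single audit record. The fields are the ones
// the proposal lists (datasource, user, timestamp, query, error); key names are
// assumed for this example. `event.meta.request.params` is the client's request.
function buildAuditEntry(ctx, err, event) {
  const params = event.meta.request.params;
  const query = params.querystring ? `?${params.querystring}` : '';
  return {
    timestamp: ctx.now(),
    user: ctx.user,
    datasource: ctx.datasourceId,
    query: `${params.method} ${params.path}${query}`,
    // Request bodies can carry sensitive data: truncate instead of logging verbatim.
    body: typeof params.body === 'string' ? params.body.slice(0, 256) : null,
    status: event.statusCode ?? null,
    error: err ? err.message : null,
  };
}

// Hook the client's 'response' event and hand every record to a sink
// (in OSD this would be the logging service with a custom appender).
function attachAuditLogging(client, ctx, sink) {
  client.on('response', (err, event) => {
    if (!event || !event.meta) return; // nothing to attribute the event to
    sink(buildAuditEntry(ctx, err, event));
  });
}

// Drive the stand-in with one constructed success and one constructed failure.
function demo() {
  const records = [];
  const client = new FakeClient();
  const ctx = { user: 'admin', datasourceId: 'ds-constructed-1', now: () => '2022-08-03T07:14:18.431+00:00' };
  attachAuditLogging(client, ctx, (rec) => records.push(rec));
  const params = { method: 'POST', path: '/_mget', querystring: '',
    body: '{"docs":[{"_id":"visualization:1","_index":".kibana"}]}' };
  client.emit('response', null, { statusCode: 200, meta: { request: { params } } });
  client.emit('response', new Error('connect ECONNREFUSED'), { statusCode: null, meta: { request: { params } } });
  return records;
}
```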