What is the bug?

When we enable Compliance logging with diffs (write_log_diffs) and disable writing metadata (write_metadata_only), the request body is always logged even when log_request_body is disabled and it's not the first document insert.

How can one reproduce the bug?

1. Launch an Opensearch 2.13.0 cluster locally and enable security using the default configurations.
2. Additionally, set plugins.security.audit.type in opensearch.yml to log4j to see the audit logs generated easily.
3. Update the audit logging config as follows:
4. Insert a document in an index. The audit log generated will look like the following. Since this is the first time inserting the doc, audit_compliance_diff_is_noop is true and it makes sense for audit_request_body to be logged.
5. Update the same document. The audit log generated looks like the following. Note that both audit_request_body and audit_compliance_diff_content are getting logged even if log_request_body is disabled and we are updating the same document.

What is the expected behavior?

audit_request_body should not always be logged for compliance audit logs when log_request_body is disabled and it's not the first document insert.

What is your host/environment?

OS: MacOS

Do you have any additional context?

We check that write_metadata_only == false and write_log_diffs == true here before logging audit_compliance_diff_content, whereas we only check write_metadata_only == false before logging audit_request_body here.

A simple fix is to also add log_request_body == true at the same place AND ensure that it's not the first time the document is being inserted.
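The following is an added example, not code from the OpenSearch security plugin or from the issue author. It models the two checks described in the report (the current one, which consults only write_metadata_only, and the proposed one, which also requires log_request_body unless the write is a first insert) and runs them over a few constructed audit-log lines in the JSON-per-line form a log4j appender emits, so an operator can scan existing audit output for compliance events that carry a request body the configuration says should not have been written. The audit_category value COMPLIANCE_DOC_WRITE, the audit_trace_doc_id field and the dict shape of the configuration are assumptions of this example; audit_request_body, audit_compliance_diff_content and audit_compliance_diff_is_noop are the field names quoted in the report.

```python
import json

# Audit configuration as described in the report: diffs on, metadata-only off,
# request-body logging off. The flat dict shape is an assumption of this example.
AUDIT_CONFIG = {
    "log_request_body": False,
    "write_metadata_only": False,
    "write_log_diffs": True,
}

# Constructed audit output: one first insert, one update of the same document,
# one unrelated event, and one non-JSON log4j line that a scanner must skip.
SAMPLE_AUDIT_LINES = [
    json.dumps({
        "audit_category": "COMPLIANCE_DOC_WRITE",      # assumed category name
        "audit_trace_doc_id": "1",                      # assumed field name
        "audit_compliance_diff_is_noop": True,          # first insert: no previous doc
        "audit_request_body": '{"title":"hello"}',
    }),
    json.dumps({
        "audit_category": "COMPLIANCE_DOC_WRITE",
        "audit_trace_doc_id": "1",
        "audit_compliance_diff_is_noop": False,         # update of the same doc
        "audit_compliance_diff_content": '[{"op":"replace","path":"/title","value":"hi"}]',
        "audit_request_body": '{"title":"hi"}',         # body logged although log_request_body is off
    }),
    json.dumps({"audit_category": "AUTHENTICATED", "audit_request_effective_user": "admin"}),
    "[2024-01-01T00:00:00,000][INFO ][o.o.s.a.AuditLog] constructed non-JSON line",
]


def current_body_logged(cfg):
    """The check the report says is applied today before writing
    audit_request_body: only write_metadata_only is consulted."""
    return not cfg["write_metadata_only"]


def proposed_body_logged(cfg, is_first_insert):
    """The check the report proposes: additionally require log_request_body,
    except on the first insert, where the diff is a no-op and the body is the
    only record of what was written. This is a reading of the suggestion in
    the report, not the plugin's code."""
    if cfg["write_metadata_only"]:
        return False
    return cfg["log_request_body"] or is_first_insert


def parse_audit_lines(lines):
    """Parse JSON-per-line audit output, skipping lines that are not JSON
    objects (log4j interleaves ordinary log lines with audit events)."""
    events = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def find_unexpected_bodies(lines, cfg):
    """Return the doc ids of compliance write events that carry an
    audit_request_body although the proposed rule says it should not have
    been logged under the given configuration."""
    flagged = []
    for ev in parse_audit_lines(lines):
        if ev.get("audit_category") != "COMPLIANCE_DOC_WRITE":
            continue
        if "audit_request_body" not in ev:
            continue
        first_insert = bool(ev.get("audit_compliance_diff_is_noop", False))
        if not proposed_body_logged(cfg, first_insert):
            flagged.append(ev.get("audit_trace_doc_id", "<unknown>"))
    return flagged


if __name__ == "__main__":
    # With the report's configuration only the update (second event) is flagged.
    print("unexpected request bodies for doc ids:",
          find_unexpected_bodies(SAMPLE_AUDIT_LINES, AUDIT_CONFIG))
```

Running the scanner over real log4j audit output is a way to measure how much request-body content has already reached the audit trail under this configuration, which matters when the watched indices hold data the audit log was meant to keep out via log_request_body.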