kafka-commits mailing list archives

From ij...@apache.org
Subject kafka git commit: KAFKA-5750; Elevate log messages for denials to INFO in SimpleAclAuthorizer [Forced Update!]
Date Wed, 27 Sep 2017 15:39:39 GMT
Repository: kafka
Updated Branches:
  refs/heads/trunk 25402bfa4 -> 8dfdcfd02 (forced update)


KAFKA-5750; Elevate log messages for denials to INFO in SimpleAclAuthorizer

Author: Manikumar Reddy <manikumar.reddy@gmail.com>

Reviewers: Ismael Juma <ismael@juma.me.uk>

Closes #3698 from omkreddy/KAFKA-5750


Project: http://git-wip-us.apache.org/repos/asf/kafka/repo
Commit: http://git-wip-us.apache.org/repos/asf/kafka/commit/8dfdcfd0
Tree: http://git-wip-us.apache.org/repos/asf/kafka/tree/8dfdcfd0
Diff: http://git-wip-us.apache.org/repos/asf/kafka/diff/8dfdcfd0

Branch: refs/heads/trunk
Commit: 8dfdcfd02c72b3c37ae50ec4da8b76f4a31e45e0
Parents: 5b943ca
Author: Manikumar Reddy <manikumar.reddy@gmail.com>
Authored: Wed Sep 27 16:34:20 2017 +0100
Committer: Ismael Juma <ismael@juma.me.uk>
Committed: Wed Sep 27 16:39:12 2017 +0100

----------------------------------------------------------------------
 config/log4j.properties                                     | 4 ++--
 .../scala/kafka/security/auth/SimpleAclAuthorizer.scala     | 9 +++++++--
 docs/upgrade.html                                           | 1 +
 3 files changed, 10 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kafka/blob/8dfdcfd0/config/log4j.properties
----------------------------------------------------------------------
diff --git a/config/log4j.properties b/config/log4j.properties
index 0a1ec4f..3ff3f9e 100644
--- a/config/log4j.properties
+++ b/config/log4j.properties
@@ -86,7 +86,7 @@ log4j.additivity.kafka.log.LogCleaner=false
 log4j.logger.state.change.logger=TRACE, stateChangeAppender
 log4j.additivity.state.change.logger=false
 
-# Change to DEBUG to enable audit log for the authorizer
-log4j.logger.kafka.authorizer.logger=WARN, authorizerAppender
+# Access denials are logged at INFO level, change to DEBUG to also log allowed accesses
+log4j.logger.kafka.authorizer.logger=INFO, authorizerAppender
 log4j.additivity.kafka.authorizer.logger=false
 
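Review bot: Raising the shipped default from WARN to INFO on `log4j.logger.kafka.authorizer.logger` means every denied request now writes a line to authorizerAppender, so a misconfigured client retrying in a loop can grow this file quickly. The appender's rolling and retention settings are not visible in this hunk; confirm they bound the file, and consider extending the new comment to say that setting the level back to WARN suppresses denial logging, so operators know the knob in both directions.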

http://git-wip-us.apache.org/repos/asf/kafka/blob/8dfdcfd0/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala
----------------------------------------------------------------------
diff --git a/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala b/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala
index 6218a2c..3c949648 100644
--- a/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala
+++ b/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala
@@ -246,8 +246,13 @@ class SimpleAclAuthorizer extends Authorizer with Logging {
   }
 
   private def logAuditMessage(principal: KafkaPrincipal, authorized: Boolean, operation:
Operation, resource: Resource, host: String) {
-    val permissionType = if (authorized) "Allowed" else "Denied"
-    authorizerLogger.debug(s"Principal = $principal is $permissionType Operation = $operation
from host = $host on resource = $resource")
+    def logMessage: String = {
+      val authResult = if (authorized) "Allowed" else "Denied"
+      s"Principal = $principal is $authResult Operation = $operation from host = $host on
resource = $resource"
+    }
+
+    if (authorized) authorizerLogger.debug(logMessage)
+    else authorizerLogger.info(logMessage)
   }
 
   /**
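Review bot: In the new `if (authorized) authorizerLogger.debug(logMessage)` branch, making `logMessage` a `def` only defers the string interpolation until the call site. Unless `authorizerLogger.debug` takes a by-name argument, the message is still built for every allowed request even when DEBUG is off, and allowed requests are the common path. The type of `authorizerLogger` is not visible here; if it is a plain logger, guard the call with `authorizerLogger.isDebugEnabled`. Separately, `$principal`, `$host` and `$resource` go into a single-line audit record unescaped. Now that denials are on by default and likely to feed alerting, check that none of these values can carry line breaks that would split or forge an entry.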

http://git-wip-us.apache.org/repos/asf/kafka/blob/8dfdcfd0/docs/upgrade.html
----------------------------------------------------------------------
diff --git a/docs/upgrade.html b/docs/upgrade.html
index d265bc9..344ef2e 100644
--- a/docs/upgrade.html
+++ b/docs/upgrade.html
@@ -67,6 +67,7 @@
         A stub implementation has been retained for binary compatibility.</li>
     <li>The Java clients and tools now accept any string as a client-id.</li>
     <li>The deprecated tool <code>kafka-consumer-offset-checker.sh</code>
has been removed. Use <code>kafka-consumer-groups.sh</code> to get consumer group
details.</li>
+    <li>SimpleAclAuthorizer now logs access denials to the authorizer log by default.</li>
 </ul>
 
 <h5><a id="upgrade_100_new_protocols" href="#upgrade_100_new_protocols">New Protocol
Versions</a></h5>
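Review bot: The added `<li>` says denials are logged "by default", but that only holds for installations that pick up the new config/log4j.properties. A broker upgraded with an existing file that still has `log4j.logger.kafka.authorizer.logger=WARN, authorizerAppender` will keep dropping the INFO denial messages. Suggest the note state the level (INFO) and tell operators carrying their own log4j.properties to raise the authorizer logger to INFO to get the new behaviour.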

