Switch to use upstream audit handler #11192
Conversation
| asgroups := "<lookup>" | ||
| requestedGroups := req.Header[authenticationapi.ImpersonateGroupHeader] | ||
| if len(requestedGroups) > 0 { | ||
| asgroups = strings.Join(requestedGroups, ", ") |
There was a problem hiding this comment.
this makes it impossible to determine whether a group name had a comma in it
There was a problem hiding this comment.
Can it? If so, how about just space?
There was a problem hiding this comment.
Updated to something like this: "'group 1', 'group 2'", according to @deads2k upstream comment.
| @@ -325,6 +325,14 @@ type AuditConfig struct { | |||
| // If this flag is set, audit log will be printed in the logs. | |||
| // The logs contains, method, user and a requested URL. | |||
| Enabled bool | |||
| // All requests coming to the apiserver will be logged to this file. | |||
| Path string | |||
There was a problem hiding this comment.
If this is a path to a file i would recommend making this AuditFilePath
| // All requests coming to the apiserver will be logged to this file. | ||
| Path string | ||
| // Maximum number of days to retain old audit log files based on the timestamp encoded in their filename. | ||
| MaxAge int |
There was a problem hiding this comment.
MaximumAuditRetention* where * is the unit. I don't think Days is appropriate, pick seconds or minutes.
There was a problem hiding this comment.
I have to stick to days for now, since the luberjack library supports just days.
| // Maximum number of days to retain old audit log files based on the timestamp encoded in their filename. | ||
| MaxAge int | ||
| // Maximum number of old audit log files to retain. | ||
| MaxBackups int |
There was a problem hiding this comment.
MaximumRetainedAuditFiles
| // Maximum number of old audit log files to retain. | ||
| MaxBackups int | ||
| // Maximum size in megabytes of the audit log file before it gets rotated. Defaults to 100MB. | ||
| MaxSize int |
There was a problem hiding this comment.
MaximumAuditFileSizeMegabytes (there's an example of this somewhere else, make it consistent with ordering)
soltysh
force-pushed
the
issue11037
branch
2 times, most recently
from
03e7784
to
be3768c
Compare
|
@smarterclayton updated with one exception, I stick to days for |
|
@smarterclayton are we good to go? |
|
@smarterclayton updated |
|
API approved |
|
@sttts any objections for merging this in? |
He's out next week too. I merged the upstream pull, right? |
| @@ -325,6 +325,14 @@ type AuditConfig struct { | |||
| // If this flag is set, audit log will be printed in the logs. | |||
| // The logs contains, method, user and a requested URL. | |||
| Enabled bool | |||
| // All requests coming to the apiserver will be logged to this file. | |||
| AuditFilePath string | |||
There was a problem hiding this comment.
I don't see validation on these fields and I don't see this path listed in the list of paths for resolution.
There was a problem hiding this comment.
@deads2k what kind of validation you're thinking about? that the path field is non-empty and ints are >= 0? I don't see any value in that.
|
Need to handle backwards compatibility. Can you have it continue to come out in the old log if the filename isn't specified? |
|
@deads2k comments addressed in the last commit, ptal |
| @@ -256,6 +256,10 @@ func GetMasterFileReferences(config *MasterConfig) []*string { | |||
| refs = append(refs, &config.ControllerConfig.ServiceServingCert.Signer.KeyFile) | |||
| } | |||
|
|
|||
| if len(config.AuditConfig.AuditFilePath) > 0 { | |||
There was a problem hiding this comment.
don't think you need the len check.
There was a problem hiding this comment.
Not sure I want to have empty file name here.
There was a problem hiding this comment.
OK, I see all the places that use this are ignoring the empty file paths.
|
|
||
| if len(config.AuditFilePath) == 0 { | ||
| // for backwards compatibility reasons we can't error this out | ||
| validationResults.AddWarnings(field.Required(fldPath.Child("auditFilePath"), "")) |
There was a problem hiding this comment.
use the reason field to describe the change
| @@ -158,6 +159,17 @@ func (fn APIInstallFunc) InstallAPI(container *restful.Container) ([]string, err | |||
| return fn(container) | |||
| } | |||
|
|
|||
| // auditGlogWriter is for backwards compatibility, where audit was logged | |||
| // to regular log file, instead of separate one like it's currently available. | |||
| type auditGlogWriter struct{} | |||
There was a problem hiding this comment.
@stevekuznetsov didn't you build this before?
There was a problem hiding this comment.
I remember wrapping the glog writer somewhere ... can't remember where
There was a problem hiding this comment.
here:
Line 21 in 85eb37b
|
Minor comments and the API change looks good to me. |
|
Comments addressed. @deads2k ptal |
|
lgtm [merge] |
|
[Test]ing while waiting on the merge queue |
|
Flake #8571 [merge] |
| @@ -179,7 +182,22 @@ func (c *MasterConfig) Run(protected []APIInstaller, unprotected []APIInstaller) | |||
| handler = c.authorizationFilter(handler) | |||
| handler = c.impersonationFilter(handler) | |||
| // audit handler must comes before the impersonationFilter to read the original user | |||
| handler = c.auditHandler(handler) | |||
| if c.Options.AuditConfig.Enabled { | |||
There was a problem hiding this comment.
Kind of ugly to have this code block here. Hopefully, we are able to get rid of this in a future rebase.
There was a problem hiding this comment.
We'll be able to move it where necessary, but the option will stay forever with us ;)
| @@ -875,6 +893,23 @@ func (c *MasterConfig) getRequestContextMapper() kapi.RequestContextMapper { | |||
| return c.RequestContextMapper | |||
| } | |||
|
|
|||
| // getRequestInfoResolver returns a request resolver. | |||
| func (c *MasterConfig) getRequestInfoResolver() *apiserver.RequestInfoResolver { | |||
There was a problem hiding this comment.
This will bite us in the next rebase. Upstream genericapiserver only knows about one APIPrefix and one APIGroupPrefix. Looks like we have to turn those into lists in order to support origin's setup. /cc @deads2k
There was a problem hiding this comment.
I do hope the next rebase (I'm the lucky looser/winner) will straight this out.
There was a problem hiding this comment.
WIP PR for multiple api group prefixes in genericapiserver: kubernetes/kubernetes#35021
There was a problem hiding this comment.
Let me know when you start the master.go rebase. We have moved around so much stuff, hopefully to the better.
There was a problem hiding this comment.
I remember, we'll be in touch, definitely.
There was a problem hiding this comment.
This will bite us in the next rebase. Upstream genericapiserver only knows about one APIPrefix and one APIGroupPrefix. Looks like we have to turn those into lists in order to support origin's setup. /cc @deads2k
Those are all legacy prefixes which I just made have a list upstream: https://github.com/kubernetes/kubernetes/blob/master/pkg/genericapiserver/config.go#L175
|
Fixed the test and rebased against latest head, hopefully to have a clean merge. |
…ePath is provided
|
Fixed the remaining unit test. |
|
Evaluated for origin test up to 59e59e3 |
|
Evaluated for origin merge up to 59e59e3 |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/10294/) (Base Commit: 7405f17) |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/10459/) (Base Commit: 30bbfa2) (Image: devenv-rhel7_5221) |
Fixes #11037.
@sttts for the switch itself
@openshift/api-review for config changes