Rework audit on unix socket

Capture root in audit and be consistent about audit skipping between socket and http.
2024-11-22 17:43:14 +00:00 · 2019-01-28 15:03:45 -05:00 · 2019-01-28 15:03:45 -05:00 · 1902a333ae
commit 1902a333ae
parent f6c46ddcb8
1 changed files with 14 additions and 5 deletions
--- a/confluent_server/confluent/sockapi.py
+++ b/confluent_server/confluent/sockapi.py
@ -75,6 +75,14 @@ except ImportError:

 plainsocket = None

+def _should_authlog(path, operation):
+    if (operation == 'retrieve' and
+            ('/sensors/' in path or '/health/' in path or
+             '/power/state' in path or '/nodes/' == path or
+             (path.startswith('/noderange/') and path.endswith('/nodes/')))):
+        return False
+    return True
+
 class ClientConsole(object):
    def __init__(self, client):
        self.client = client
@ -194,12 +202,12 @@ def process_request(connection, request, cfm, authdata, authname, skipauth):
    path = request['path']
    params = request.get('parameters', {})
    hdlr = None
+    auditmsg = {
+        'operation': operation,
+        'target': path,
+    }
    if not skipauth:
        authdata = auth.authorize(authdata[2], path, authdata[3], operation)
-        auditmsg = {
-            'operation': operation,
-            'target': path,
-        }
        if authdata is None:
            auditmsg['allowed'] = False
            auditlog.log(auditmsg)
@ -207,7 +215,8 @@ def process_request(connection, request, cfm, authdata, authname, skipauth):
        auditmsg['user'] = authdata[2]
        if authdata[3] is not None:
            auditmsg['tenant'] = authdata[3]
-        auditmsg['allowed'] = True
+    auditmsg['allowed'] = True
+    if _should_authlog(path, operation):
        auditlog.log(auditmsg)
    try:
        if operation == 'start':