From 1902a333aed624a2248a55a4723232909c39155e Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Mon, 28 Jan 2019 15:03:45 -0500
Subject: [PATCH] Rework audit on unix socket

Capture root in audit and be consistent about audit skipping between socket and http.
---
 confluent_server/confluent/sockapi.py | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/confluent_server/confluent/sockapi.py b/confluent_server/confluent/sockapi.py
index a4615fc3..fa5d2499 100644
--- a/confluent_server/confluent/sockapi.py
+++ b/confluent_server/confluent/sockapi.py
@@ -75,6 +75,14 @@ except ImportError:
     plainsocket = None
 
+def _should_authlog(path, operation):
+    if (operation == 'retrieve' and
+        ('/sensors/' in path or '/health/' in path or
+         '/power/state' in path or '/nodes/' == path or
+         (path.startswith('/noderange/') and path.endswith('/nodes/')))):
+        return False
+    return True
+
 
 class ClientConsole(object):
     def __init__(self, client):
         self.client = client
@@ -194,12 +202,12 @@ def process_request(connection, request, cfm, authdata, authname, skipauth):
     path = request['path']
     params = request.get('parameters', {})
     hdlr = None
+    auditmsg = {
+        'operation': operation,
+        'target': path,
+    }
     if not skipauth:
         authdata = auth.authorize(authdata[2], path, authdata[3], operation)
-        auditmsg = {
-            'operation': operation,
-            'target': path,
-        }
         if authdata is None:
             auditmsg['allowed'] = False
             auditlog.log(auditmsg)
@@ -207,7 +215,8 @@ def process_request(connection, request, cfm, authdata, authname, skipauth):
         auditmsg['user'] = authdata[2]
         if authdata[3] is not None:
             auditmsg['tenant'] = authdata[3]
-        auditmsg['allowed'] = True
+    auditmsg['allowed'] = True
+    if _should_authlog(path, operation):
         auditlog.log(auditmsg)
     try:
         if operation == 'start':
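Review bot: `_should_authlog` has no docstring, and its path tests are substring matches (`'/sensors/' in path`, `'/health/' in path`, `'/power/state' in path`), so any retrieve whose path merely contains one of those fragments anywhere is dropped from the audit log, which is wider than a prefix or resource check; if that breadth is intended, the function should say so. A one-line docstring such as `"""Return False for read-only polling paths whose retrieves should not be audited."""` would record the intent, which is otherwise only implied by the commit message. The message says the rule now matches the HTTP side; if that handler carries its own copy of this list, the two policies will drift, so consider having both call a single shared helper.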
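Review bot: With `auditmsg['allowed'] = True` moved out of the `if not skipauth:` block, the entry logged for a skipauth connection has no `user` key, because `auditmsg['user'] = authdata[2]` is only set in the authenticated branch; the commit message says root is now captured, but the record cannot say who acted. An `else:` on `if not skipauth:` that fills in the principal would make that entry attributable — `authname` looks like the candidate, though what it holds for a unix-socket caller is not visible in this hunk — e.g. `else:` / `auditmsg['user'] = authname`. process_request starts and ends outside the hunk.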