Sanitized token field for audit log (#9287)

Author: UgnineSirdis

ydb/core/audit/audit_log_impl.cpp

@@ -93,7 +93,8 @@ TString GetJsonLog(const TEvAuditLog::TEvWriteAuditLog::TPtr& ev) {
 
 TString GetJsonLogCompatibleLog(const TEvAuditLog::TEvWriteAuditLog::TPtr& ev) {
     const auto* msg = ev->Get();
-    NJsonWriter::TBuf json;
+    TStringStream ss;
+    NJsonWriter::TBuf json(NJsonWriter::HEM_DONT_ESCAPE_HTML, &ss);
     {
         auto obj = json.BeginObject();
         obj
@@ -107,7 +108,8 @@ TString GetJsonLogCompatibleLog(const TEvAuditLog::TEvWriteAuditLog::TPtr& ev) {
         }
         json.EndObject();
     }
-    return json.Str();
+    ss << Endl;
+    return ss.Str();
 }
 
 TString GetTxtLog(const TEvAuditLog::TEvWriteAuditLog::TPtr& ev) {

ydb/core/cms/console/console__replace_yaml_config.cpp

@@ -20,7 +20,7 @@ class TConfigsManager::TTxReplaceYamlConfig : public TTransactionBase<TConfigsMa
         , Config(ev->Get()->Record.GetRequest().config())
         , Peer(ev->Get()->Record.GetPeerName())
         , Sender(ev->Sender)
-        , UserSID(NACLib::TUserToken(ev->Get()->Record.GetUserToken()).GetUserSID())
+        , UserToken(ev->Get()->Record.GetUserToken())
         , Force(force)
         , AllowUnknownFields(ev->Get()->Record.GetRequest().allow_unknown_fields())
         , DryRun(ev->Get()->Record.GetRequest().dry_run())
@@ -57,7 +57,7 @@ class TConfigsManager::TTxReplaceYamlConfig : public TTransactionBase<TConfigsMa
             oldVolatileConfig.SetConfig(config);
         }
 
-        Self->Logger.DbLogData(UserSID, logData, txc, ctx);
+        Self->Logger.DbLogData(UserToken.GetUserSID(), logData, txc, ctx);
     }
 
     bool Execute(TTransactionContext &txc, const TActorContext &ctx) override
@@ -190,7 +190,8 @@ class TConfigsManager::TTxReplaceYamlConfig : public TTransactionBase<TConfigsMa
         if (!Error && Modify && !DryRun) {
             AuditLogReplaceConfigTransaction(
                 /* peer = */ Peer,
-                /* userSID = */ UserSID,
+                /* userSID = */ UserToken.GetUserSID(),
+                /* sanitizedToken = */ UserToken.GetSanitizedToken(),
                 /* oldConfig = */ Self->YamlConfig,
                 /* newConfig = */ Config,
                 /* reason = */ {},
@@ -207,7 +208,8 @@ class TConfigsManager::TTxReplaceYamlConfig : public TTransactionBase<TConfigsMa
         } else if (Error && !DryRun) {
             AuditLogReplaceConfigTransaction(
                 /* peer = */ Peer,
-                /* userSID = */ UserSID,
+                /* userSID = */ UserToken.GetUserSID(),
+                /* sanitizedToken = */ UserToken.GetSanitizedToken(),
                 /* oldConfig = */ Self->YamlConfig,
                 /* newConfig = */ Config,
                 /* reason = */ ErrorReason,
@@ -221,7 +223,7 @@ class TConfigsManager::TTxReplaceYamlConfig : public TTransactionBase<TConfigsMa
     const TString Config;
     const TString Peer;
     const TActorId Sender;
-    const TString UserSID;
+    const NACLib::TUserToken UserToken;
     const bool Force = false;
     const bool AllowUnknownFields = false;
     const bool DryRun = false;

ydb/core/cms/console/console_audit.cpp

@@ -8,6 +8,7 @@ namespace NKikimr::NConsole {
 void AuditLogReplaceConfigTransaction(
     const TString& peer,
     const TString& userSID,
+    const TString& sanitizedToken,
     const TString& oldConfig,
     const TString& newConfig,
     const TString& reason,
@@ -23,6 +24,7 @@ void AuditLogReplaceConfigTransaction(
         AUDIT_PART("component", COMPONENT_NAME)
         AUDIT_PART("remote_address", (!peerName.empty() ? peerName : EMPTY_VALUE))
         AUDIT_PART("subject", (!userSID.empty() ? userSID : EMPTY_VALUE))
+        AUDIT_PART("sanitized_token", (!sanitizedToken.empty() ? sanitizedToken : EMPTY_VALUE))
         AUDIT_PART("status", TString(success ? "SUCCESS" : "ERROR"))
         AUDIT_PART("reason", reason, !reason.empty())
         AUDIT_PART("operation", TString("REPLACE DYNCONFIG"))

ydb/core/cms/console/console_audit.h

@@ -7,6 +7,7 @@ namespace NKikimr::NConsole {
 void AuditLogReplaceConfigTransaction(
     const TString& peer,
     const TString& userSID,
+    const TString& sanitizedToken,
     const TString& oldConfig,
     const TString& newConfig,
     const TString& reason,

ydb/core/cms/console/console_configs_manager.cpp

@@ -980,6 +980,7 @@ void TConfigsManager::HandleUnauthorized(TEvConsole::TEvReplaceYamlConfigRequest
     AuditLogReplaceConfigTransaction(
         /* peer = */ ev->Get()->Record.GetPeerName(),
         /* userSID = */ ev->Get()->Record.GetUserToken(),
+        /* sanitizedToken = */ TString(),
         /* oldConfig = */ YamlConfig,
         /* newConfig = */ ev->Get()->Record.GetRequest().config(),
         /* reason = */ "Unauthorized.",
@@ -990,6 +991,7 @@ void TConfigsManager::HandleUnauthorized(TEvConsole::TEvSetYamlConfigRequest::TP
     AuditLogReplaceConfigTransaction(
         /* peer = */ ev->Get()->Record.GetPeerName(),
         /* userSID = */ ev->Get()->Record.GetUserToken(),
+        /* sanitizedToken = */ TString(),
         /* oldConfig = */ YamlConfig,
         /* newConfig = */ ev->Get()->Record.GetRequest().config(),
         /* reason = */ "Unauthorized.",

ydb/core/grpc_services/audit_dml_operations.cpp

@@ -61,9 +61,11 @@ namespace {
 
 namespace NKikimr::NGRpcService {
 
-void AuditContextStart(IAuditCtx* ctx, const TString& database, const TString& userSID, const std::vector<std::pair<TString, TString>>& databaseAttrs) {
+void AuditContextStart(IAuditCtx* ctx, const TString& database, const TString& userSID, const TString& sanitizedToken, const std::vector<std::pair<TString, TString>>& databaseAttrs) {
     ctx->AddAuditLogPart("remote_address", NKikimr::NAddressClassifier::ExtractAddress(ctx->GetPeerName()));
     ctx->AddAuditLogPart("subject", userSID);
+    static const TString EMPTY_VALUE = "{none}";
+    ctx->AddAuditLogPart("sanitized_token", !sanitizedToken.empty() ? sanitizedToken : EMPTY_VALUE);
     ctx->AddAuditLogPart("database", database);
     ctx->AddAuditLogPart("operation", ctx->GetRequestName());
     ctx->AddAuditLogPart("start_time", TInstant::Now().ToString());

ydb/core/grpc_services/audit_dml_operations.h

@@ -45,7 +45,7 @@ class IAuditCtx;
 // AuditContextAppend() specializations extract specific info from request (and result) protos.
 //
 
-void AuditContextStart(IAuditCtx* ctx, const TString& database, const TString& userSID, const std::vector<std::pair<TString, TString>>& databaseAttrs);
+void AuditContextStart(IAuditCtx* ctx, const TString& database, const TString& userSID, const TString& sanitizedToken, const std::vector<std::pair<TString, TString>>& databaseAttrs);
 void AuditContextEnd(IAuditCtx* ctx);
 
 template <class TProtoRequest>

ydb/core/grpc_services/audit_log.cpp

@@ -9,7 +9,10 @@
 namespace NKikimr {
 namespace NGRpcService {
 
-void AuditLogConn(const IRequestProxyCtx* ctx, const TString& database, const TString& userSID)
+//NOTE: EmptyValue couldn't be an empty string as AUDIT_PART() skips parts with an empty values
+static const TString EmptyValue = "{none}";
+
+void AuditLogConn(const IRequestProxyCtx* ctx, const TString& database, const TString& userSID, const TString& sanitizedToken)
 {
     static const TString GrpcConnComponentName = "grpc-conn";
 
@@ -18,6 +21,7 @@ void AuditLogConn(const IRequestProxyCtx* ctx, const TString& database, const TS
 
         AUDIT_PART("remote_address", NKikimr::NAddressClassifier::ExtractAddress(ctx->GetPeerName()))
         AUDIT_PART("subject", userSID)
+        AUDIT_PART("sanitized_token", (!sanitizedToken.empty() ? sanitizedToken : EmptyValue))
         AUDIT_PART("database", database)
         AUDIT_PART("operation", ctx->GetRequestName())
     );
@@ -35,9 +39,6 @@ void AuditLog(ui32 status, const TAuditLogParts& parts)
 {
     static const TString GrpcProxyComponentName = "grpc-proxy";
 
-    //NOTE: EmptyValue couldn't be an empty string as AUDIT_PART() skips parts with an empty values
-    static const TString EmptyValue = "{none}";
-
     AUDIT_LOG(
         AUDIT_PART("component", GrpcProxyComponentName)
 
@@ -56,4 +57,3 @@ void AuditLog(ui32 status, const TAuditLogParts& parts)
 
 }
 }
-

ydb/core/grpc_services/audit_log.h

@@ -8,7 +8,7 @@ class IRequestProxyCtx;
 class IRequestCtxMtSafe;
 
 // grpc "connections" log
-void AuditLogConn(const IRequestProxyCtx* reqCtx, const TString& database, const TString& userSID);
+void AuditLogConn(const IRequestProxyCtx* reqCtx, const TString& database, const TString& userSID, const TString& sanitizedToken);
 
 using TAuditLogParts = TVector<std::pair<TString, TString>>;
 

ydb/core/grpc_services/grpc_request_check_actor.h

@@ -179,7 +179,7 @@ class TGrpcRequestCheckActor
 
         if (AppData(ctx)->FeatureFlags.GetEnableGrpcAudit()) {
             // log info about input connection (remote address, basically)
-            AuditLogConn(GrpcRequestBaseCtx_, CheckedDatabaseName_, TBase::GetUserSID());
+            AuditLogConn(GrpcRequestBaseCtx_, CheckedDatabaseName_, TBase::GetUserSID(), TBase::GetSanitizedToken());
         }
 
         // Simple rps limitation
@@ -417,11 +417,11 @@ class TGrpcRequestCheckActor
         return DmlAuditEnabled_ && !DmlAuditExpectedSubjects_.contains(userSID);
     };
 
-    void AuditRequest(IRequestProxyCtx* requestBaseCtx, const TString& databaseName, const TString& userSID) const {
+    void AuditRequest(IRequestProxyCtx* requestBaseCtx, const TString& databaseName, const TString& userSID, const TString& sanitizedToken) const {
         const bool dmlAuditEnabled = requestBaseCtx->IsAuditable() && IsAuditEnabledFor(userSID);
 
         if (dmlAuditEnabled) {
-            AuditContextStart(requestBaseCtx, databaseName, userSID, Attributes_);
+            AuditContextStart(requestBaseCtx, databaseName, userSID, sanitizedToken, Attributes_);
             requestBaseCtx->SetAuditLogHook([requestBaseCtx](ui32 status, const TAuditLogParts& parts) {
                 AuditContextEnd(requestBaseCtx);
                 AuditLog(status, parts);
@@ -475,7 +475,7 @@ class TGrpcRequestCheckActor
     void HandleAndDie(TAutoPtr<TEventHandle<TEvProxyRuntimeEvent>>& event) {
         // Request audit happen after successful authentication
         // and authorization check against the database
-        AuditRequest(GrpcRequestBaseCtx_, CheckedDatabaseName_, TBase::GetUserSID());
+        AuditRequest(GrpcRequestBaseCtx_, CheckedDatabaseName_, TBase::GetUserSID(), TBase::GetSanitizedToken());
 
         GrpcRequestBaseCtx_->FinishSpan();
         event->Release().Release()->Pass(*this);