Move audit log from console to BSC/distconf in V2 (#17307)

Author: mregrock

ydb/core/blobstorage/base/blobstorage_console_events.h

@@ -79,7 +79,7 @@ namespace NKikimr {
 
         TEvControllerReplaceConfigRequest(std::optional<TString> clusterYaml, std::optional<TString> storageYaml,
                 std::optional<bool> switchDedicatedStorageSection, bool dedicatedConfigMode, bool allowUnknownFields,
-                bool bypassMetadataChecks, bool enableConfigV2, bool disableConfigV2) {
+                bool bypassMetadataChecks, bool enableConfigV2, bool disableConfigV2, TString peerName, TString userToken) {
             if (clusterYaml) {
                 Record.SetClusterYaml(*clusterYaml);
             }
@@ -97,6 +97,8 @@ namespace NKikimr {
             } else if (disableConfigV2) {
                 Record.SetSwitchEnableConfigV2(false);
             }
+            Record.SetPeerName(peerName);
+            Record.SetUserToken(userToken);
         }
 
         TString ToString() const override {

ydb/core/blobstorage/nodewarden/distconf_audit.cpp

@@ -0,0 +1,35 @@
+#include "distconf_audit.h"
+
+#include <ydb/core/audit/audit_log.h>
+#include <ydb/core/util/address_classifier.h>
+
+namespace NKikimr::NStorage {
+
+static const TString COMPONENT_NAME = "distconf";
+static const TString EMPTY_VALUE = "{none}";
+
+void AuditLogReplaceConfig(
+    const TString& peer,
+    const TString& userSID,
+    const TString& sanitizedToken,
+    const TString& oldConfig,
+    const TString& newConfig,
+    const TString& reason,
+    bool success)
+{
+    auto peerName = NKikimr::NAddressClassifier::ExtractAddress(peer);
+
+    AUDIT_LOG(
+        AUDIT_PART("component", COMPONENT_NAME)
+        AUDIT_PART("remote_address", (!peerName.empty() ? peerName : EMPTY_VALUE))
+        AUDIT_PART("subject", (!userSID.empty() ? userSID : EMPTY_VALUE))
+        AUDIT_PART("sanitized_token", (!sanitizedToken.empty() ? sanitizedToken : EMPTY_VALUE))
+        AUDIT_PART("status", TString(success ? "SUCCESS" : "ERROR"))
+        AUDIT_PART("reason", reason, !reason.empty())
+        AUDIT_PART("operation", TString("REPLACE CONFIG"))
+        AUDIT_PART("old_config", oldConfig)
+        AUDIT_PART("new_config", newConfig)
+    );
+}
+
+} // namespace NKikimr::NStorage

ydb/core/blobstorage/nodewarden/distconf_audit.h

@@ -0,0 +1,16 @@
+#pragma once
+
+#include <util/generic/string.h>
+
+namespace NKikimr::NStorage {
+
+void AuditLogReplaceConfig(
+    const TString& peer,
+    const TString& userSID,
+    const TString& sanitizedToken,
+    const TString& oldConfig,
+    const TString& newConfig,
+    const TString& reason,
+    bool success);
+
+} // namespace NKikimr::NStorage

ydb/core/blobstorage/nodewarden/distconf_invoke.h

@@ -121,6 +121,7 @@ namespace NKikimr::NStorage {
 
         void AdvanceGeneration();
         void StartProposition(NKikimrBlobStorage::TStorageConfig *config, bool updateFields = true);
+        bool CheckConfigUpdate(const NKikimrBlobStorage::TStorageConfig& proposed);
 
         ////////////////////////////////////////////////////////////////////////////////////////////////////////////////
         // Query termination and result delivery

ydb/core/blobstorage/nodewarden/distconf_invoke_common.cpp

@@ -1,3 +1,4 @@
+#include "distconf_audit.h"
 #include "distconf_invoke.h"
 
 namespace NKikimr::NStorage {
@@ -186,13 +187,25 @@ namespace NKikimr::NStorage {
             UpdateFingerprint(config);
         }
 
-        if (auto error = ValidateConfigUpdate(*Self->StorageConfig, *config)) {
-            STLOG(PRI_DEBUG, BS_NODE, NWDC78, "StartProposition config validation failed", (SelfId, SelfId()),
-                (Error, *error), (Config, config));
-            return FinishWithError(TResult::ERROR, TStringBuilder()
-                << "StartProposition config validation failed: " << *error);
+        if (!CheckConfigUpdate(*config)) {
+            return;
         }
 
+        const auto& replaceConfig = Event->Get()->Record.GetReplaceStorageConfig();
+        TStringBuilder oldConfig;
+        oldConfig << Self->MainConfigYaml << (Self->StorageConfigYaml ? *Self->StorageConfigYaml : "");
+        TStringBuilder newConfig;
+        newConfig << *NewYaml << (NewStorageYaml ? *NewStorageYaml : "");
+        NACLib::TUserToken userToken = NACLib::TUserToken{replaceConfig.GetUserToken()};
+        AuditLogReplaceConfig(
+            /* peer = */ replaceConfig.GetPeerName(),
+            /* userSID = */ userToken.GetUserSID(),
+            /* sanitizedToken = */ userToken.GetSanitizedToken(),
+            /* oldConfig = */ oldConfig,
+            /* newConfig = */ newConfig,
+            /* reason = */ {},
+            /* success = */ true);
+
         Self->CurrentProposedStorageConfig.emplace(std::move(*config));
 
         auto done = [&](TEvGather *res) -> std::optional<TString> {
@@ -217,6 +230,16 @@ namespace NKikimr::NStorage {
         Self->RootState = ERootState::IN_PROGRESS; // forbid any concurrent activity
     }
 
+    bool TInvokeRequestHandlerActor::CheckConfigUpdate(const NKikimrBlobStorage::TStorageConfig& proposed) {
+        if (auto error = ValidateConfigUpdate(*Self->StorageConfig, proposed)) {
+            STLOG(PRI_DEBUG, BS_NODE, NWDC78, "Config update validation failed", (SelfId, SelfId()),
+                (Error, *error), (ProposedConfig, proposed));
+            FinishWithError(TResult::ERROR, TStringBuilder() << "Config update validation failed: " << *error);
+            return false;
+        }
+        return true;
+    }
+
     ////////////////////////////////////////////////////////////////////////////////////////////////////////////////
     // Query termination and result delivery
 

ydb/core/blobstorage/nodewarden/distconf_invoke_storage_config.cpp

@@ -339,6 +339,8 @@ namespace NKikimr::NStorage {
                 record.SetOperation(NKikimrBlobStorage::TEvControllerDistconfRequest::DisableDistconf);
                 if (ProposedStorageConfig.HasExpectedStorageYamlVersion()) {
                     record.SetExpectedStorageConfigVersion(ProposedStorageConfig.GetExpectedStorageYamlVersion());
+                    record.SetPeerName(replaceStorageConfig.GetPeerName());
+                    record.SetUserToken(replaceStorageConfig.GetUserToken());
                 }
                 break;
 

ydb/core/blobstorage/nodewarden/ya.make

@@ -5,6 +5,8 @@ SRCS(
     group_stat_aggregator.h
     distconf.cpp
     distconf.h
+    distconf_audit.h
+    distconf_audit.cpp
     distconf_binding.cpp
     distconf_console.cpp
     distconf_dynamic.cpp

ydb/core/cms/console/console__replace_yaml_config.cpp

@@ -30,6 +30,7 @@ class TConfigsManager::TTxReplaceYamlConfigBase
             , AllowUnknownFields(ev->Get()->Record.GetRequest().allow_unknown_fields())
             , DryRun(ev->Get()->Record.GetRequest().dry_run())
             , IngressDatabase(ev->Get()->Record.HasIngressDatabase() ? TMaybe<TString>{ev->Get()->Record.GetIngressDatabase()} : TMaybe<TString>{})
+            , SkipAuditLog(ev->Get()->Record.GetSkipAuditLog() ? true : false)
     {
     }
 
@@ -90,6 +91,7 @@ class TConfigsManager::TTxReplaceYamlConfigBase
     TSimpleSharedPtr<NYamlConfig::TBasicUnknownFieldsCollector> UnknownFieldsCollector = nullptr;
     TMaybe<TString> IngressDatabase;
     bool WarnDatabaseBypass = false;
+    bool SkipAuditLog = false;
 };
 
 class TConfigsManager::TTxReplaceMainYamlConfig
@@ -177,14 +179,16 @@ class TConfigsManager::TTxReplaceMainYamlConfig
         ctx.Send(Response.Release());
 
         if (!Error && Modify && !DryRun) {
-            AuditLogReplaceConfigTransaction(
-                /* peer = */ Peer,
-                /* userSID = */ UserToken.GetUserSID(),
-                /* sanitizedToken = */ UserToken.GetSanitizedToken(),
-                /* oldConfig = */ Self->MainYamlConfig,
-                /* newConfig = */ Config,
-                /* reason = */ {},
-                /* success = */ true);
+            if (!SkipAuditLog) {
+                AuditLogReplaceConfigTransaction(
+                    /* peer = */ Peer,
+                    /* userSID = */ UserToken.GetUserSID(),
+                    /* sanitizedToken = */ UserToken.GetSanitizedToken(),
+                    /* oldConfig = */ Self->MainYamlConfig,
+                    /* newConfig = */ Config,
+                    /* reason = */ {},
+                    /* success = */ true);
+            }
 
             Self->YamlVersion = Version + 1;
             Self->MainYamlConfig = UpdatedMainConfig;
@@ -195,14 +199,16 @@ class TConfigsManager::TTxReplaceMainYamlConfig
             auto resp = MakeHolder<TConfigsProvider::TEvPrivate::TEvUpdateYamlConfig>(Self->MainYamlConfig, Self->DatabaseYamlConfigs);
             ctx.Send(Self->ConfigsProvider, resp.Release());
         } else if (Error && !DryRun) {
-            AuditLogReplaceConfigTransaction(
-                /* peer = */ Peer,
-                /* userSID = */ UserToken.GetUserSID(),
-                /* sanitizedToken = */ UserToken.GetSanitizedToken(),
-                /* oldConfig = */ Self->MainYamlConfig,
-                /* newConfig = */ Config,
-                /* reason = */ ErrorReason,
-                /* success = */ false);
+            if (!SkipAuditLog) {
+                AuditLogReplaceConfigTransaction(
+                    /* peer = */ Peer,
+                    /* userSID = */ UserToken.GetUserSID(),
+                    /* sanitizedToken = */ UserToken.GetSanitizedToken(),
+                    /* oldConfig = */ Self->MainYamlConfig,
+                    /* newConfig = */ Config,
+                    /* reason = */ ErrorReason,
+                    /* success = */ false);
+            }
         }
 
         Self->TxProcessor->TxCompleted(this, ctx);
@@ -360,15 +366,17 @@ class TConfigsManager::TTxReplaceDatabaseYamlConfig
         }
 
         if (!Error && Modify && !DryRun) {
-            AuditLogReplaceDatabaseConfigTransaction(
-                /* peer = */ Peer,
-                /* userSID = */ UserToken.GetUserSID(),
-                /* sanitizedToken = */ UserToken.GetSanitizedToken(),
-                /* database =  */ TargetDatabase,
-                /* oldConfig = */ oldConfig,
-                /* newConfig = */ Config,
-                /* reason = */ {},
-                /* success = */ true);
+            if (!SkipAuditLog) {
+                AuditLogReplaceDatabaseConfigTransaction(
+                    /* peer = */ Peer,
+                    /* userSID = */ UserToken.GetUserSID(),
+                    /* sanitizedToken = */ UserToken.GetSanitizedToken(),
+                    /* database =  */ TargetDatabase,
+                    /* oldConfig = */ oldConfig,
+                    /* newConfig = */ Config,
+                    /* reason = */ {},
+                    /* success = */ true);
+            }
 
             Self->DatabaseYamlConfigs[TargetDatabase] = TDatabaseYamlConfig {
                 .Config = UpdatedDatabaseConfig,
@@ -383,15 +391,17 @@ class TConfigsManager::TTxReplaceDatabaseYamlConfig
 
             ctx.Send(Self->ConfigsProvider, resp.Release());
         } else if (Error && !DryRun) {
-            AuditLogReplaceDatabaseConfigTransaction(
-                /* peer = */ Peer,
-                /* userSID = */ UserToken.GetUserSID(),
-                /* sanitizedToken = */ UserToken.GetSanitizedToken(),
-                /* database =  */ TargetDatabase,
-                /* oldConfig = */ oldConfig,
-                /* newConfig = */ Config,
-                /* reason = */ ErrorReason,
-                /* success = */ false);
+            if (!SkipAuditLog) {
+                AuditLogReplaceDatabaseConfigTransaction(
+                    /* peer = */ Peer,
+                    /* userSID = */ UserToken.GetUserSID(),
+                    /* sanitizedToken = */ UserToken.GetSanitizedToken(),
+                    /* database =  */ TargetDatabase,
+                    /* oldConfig = */ oldConfig,
+                    /* newConfig = */ Config,
+                    /* reason = */ ErrorReason,
+                    /* success = */ false);
+            }
         }
 
         Self->TxProcessor->TxCompleted(this, ctx);

ydb/core/cms/console/console_handshake.cpp

@@ -30,6 +30,7 @@ class TConfigsManager::TConsoleCommitActor : public TActorBootstrapped<TConsoleC
     void Bootstrap(const TActorId& consoleId) {
         auto request = std::make_unique<TEvConsole::TEvSetYamlConfigRequest>();
         request->Record.SetBypassAuth(true);
+        request->Record.SetSkipAuditLog(true);
         request->Record.MutableRequest()->set_config(MainYamlConfig);
         request->Record.MutableRequest()->set_allow_unknown_fields(true);
         Send(consoleId, request.release());

ydb/core/grpc_services/rpc_config.cpp

@@ -201,6 +201,8 @@ class TReplaceStorageConfigRequest : public TBSConfigRequestGrpc<TReplaceStorage
             cmd->SetSwitchDedicatedStorageSection(*shim.SwitchDedicatedStorageSection);
         }
         cmd->SetDedicatedStorageSectionConfigMode(shim.DedicatedConfigMode);
+        cmd->SetUserToken(Request_->GetSerializedToken());
+        cmd->SetPeerName(Request_->GetPeerName());
     }
 
     void FillDistconfResult(NKikimrBlobStorage::TEvNodeConfigInvokeOnRootResult& /*record*/,
@@ -236,7 +238,9 @@ class TReplaceStorageConfigRequest : public TBSConfigRequestGrpc<TReplaceStorage
             request->allow_unknown_fields() || request->bypass_checks(),
             request->bypass_checks(),
             /*enableConfigV2=*/ ff.GetSwitchToConfigV2(),
-            /*disableConfigV2=*/ ff.GetSwitchToConfigV1());
+            /*disableConfigV2=*/ ff.GetSwitchToConfigV1(),
+            Request_->GetPeerName(),
+            Request_->GetSerializedToken());
     }
 
 private: