Allow audit config PUT when document does not exist#6158
Allow audit config PUT when document does not exist#6158terryquigleysas wants to merge 2 commits into
Conversation
Signed-off-by: Terry Quigley <terry.quigley@sas.com>
PR Reviewer Guide 🔍(Review updated until commit 85cdad3)Here are some key observations to aid the review process:
|
PR Code Suggestions ✨Latest suggestions up to 85cdad3
Previous suggestionsSuggestions up to commit 6c61bfc
|
The isAuditHotReloadingEnabled() check was never an authorization gate. It's a feature availability gate — "does the audit config doc exist in the index?" The actual authentication and |
A note on what isAuditHotReloadingEnabled() checks. It returns false specifically when the audit config document doesn't exist (via ConfigurationLoaderSecurity7.noData() → isAuditConfigDocPresentInIndex.set(false)). There is no separate "document existence" check to use — this is the document-existence check. The method name is somewhat misleading, but the semantics appear to be correct. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #6158 +/- ##
==========================================
+ Coverage 74.98% 75.02% +0.03%
==========================================
Files 452 452
Lines 29108 29111 +3
Branches 4382 4382
==========================================
+ Hits 21827 21840 +13
+ Misses 5253 5242 -11
- Partials 2028 2029 +1
🚀 New features to boost your workflow:
|
|
Persistent review updated to latest commit 85cdad3 |
| .onChangeRequest( | ||
| RestRequest.Method.PUT, | ||
| request -> withEnabledAuditApi(request).map(ignore -> processPutRequest("config", request)) | ||
| request -> withCreateOrUpdateAuditApi(request).map(ignore -> processPutRequest("config", request)) |
There was a problem hiding this comment.
Is it worth getting rid of withEnabledAuditApi entirely?
I see that there's this block which checks for doc existing in .opendistro_security.
I agree that hot reload being disabled should be intentional and not proxied by checking for the auditlog entry in the security index.
|
@cwperks As discussed in the SIG call, this may require more work. I will need to park it for now and revisit at a later time as I will be out of the office again for an extended period. |
Description
Previously, all Audit Log REST API operations (GET, PUT, PATCH) were blocked when no audit.yml was deployed at initial cluster creation. This created a chicken-and-egg problem where operators could not bootstrap the audit configuration via the API.
PUT now uses a new withCreateOrUpdateAuditApi() validation that allows bootstrapping when the document is absent and normal updates when it exists. GET and PATCH remain gated behind the existing check.
If audit.yml is not deployed at initial cluster creation then none of the Audit Log REST API calls (GET,PUT,PATCH) will work.
Issues Resolved
Resolves #5862
Testing
New supporting tests added.
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.