Add asgroups to audit log

This commit is contained in:
Maciej Szulik
2016-10-03 15:09:52 +02:00
parent 158dc1a863
commit 9cc2a0454d
2 changed files with 15 additions and 4 deletions


@@ -22,11 +22,13 @@ import (
"io"
"net"
"net/http"
"strings"
"time"
"github.com/golang/glog"
"github.com/pborman/uuid"
authenticationapi "k8s.io/kubernetes/pkg/apis/authentication"
utilnet "k8s.io/kubernetes/pkg/util/net"
)
@@ -94,18 +96,27 @@ func WithAudit(handler http.Handler, attributeGetter RequestAttributeGetter, out
internalError(w, req, err)
return
}
asuser := req.Header.Get("Impersonate-User")
asuser := req.Header.Get(authenticationapi.ImpersonateUserHeader)
if len(asuser) == 0 {
asuser = "<self>"
}
asgroups := "<lookup>"
requestedGroups := req.Header[authenticationapi.ImpersonateGroupHeader]
if len(requestedGroups) > 0 {
quotedGroups := make([]string, len(requestedGroups))
for i, group := range requestedGroups {
quotedGroups[i] = fmt.Sprintf("%q", group)
}
asgroups = strings.Join(quotedGroups, ", ")
}
namespace := attribs.GetNamespace()
if len(namespace) == 0 {
namespace = "<none>"
}
id := uuid.NewRandom().String()
line := fmt.Sprintf("%s AUDIT: id=%q ip=%q method=%q user=%q as=%q namespace=%q uri=%q\n",
time.Now().Format(time.RFC3339Nano), id, utilnet.GetClientIP(req), req.Method, attribs.GetUser().GetName(), asuser, namespace, req.URL)
line := fmt.Sprintf("%s AUDIT: id=%q ip=%q method=%q user=%q as=%q asgroups=%q namespace=%q uri=%q\n",
time.Now().Format(time.RFC3339Nano), id, utilnet.GetClientIP(req), req.Method, attribs.GetUser().GetName(), asuser, asgroups, namespace, req.URL)
if _, err := fmt.Fprint(out, line); err != nil {
glog.Errorf("Unable to write audit log: %s, the error is: %v", line, err)
}
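Review bot: The group names in the new asgroups block are quoted twice — each element goes through `%q` at line 37 and the joined string is then formatted with `%q` again in the audit line at line 48 — so groups a and b come out as `asgroups="\"a\", \"b\""`, unlike every other field on the line, which is quoted exactly once. The outer `%q` is what protects the log from untrusted header bytes (newlines and quotes are escaped), so if the inner quoting is not deliberate, `asgroups = strings.Join(requestedGroups, ",")` gives a consistently single-quoted field; if it is deliberate, to keep group names containing commas unambiguous, a one-line comment should say so. The sentinel is also not self-explanatory and deserves a comment such as `// asgroups is the Impersonate-Group header as sent by the client, one %q per value; "<lookup>" means the request carried none`. WithAudit starts before this hunk and continues after it.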


@@ -86,7 +86,7 @@ func TestAudit(t *testing.T) {
if len(line) != 2 {
t.Fatalf("Unexpected amount of lines in audit log: %d", len(line))
}
match, err := regexp.MatchString(`[\d\:\-\.\+TZ]+ AUDIT: id="[\w-]+" ip="127.0.0.1" method="GET" user="admin" as="<self>" namespace="default" uri="/api/v1/namespaces/default/pods"`, line[0])
match, err := regexp.MatchString(`[\d\:\-\.\+TZ]+ AUDIT: id="[\w-]+" ip="127.0.0.1" method="GET" user="admin" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/pods"`, line[0])
if err != nil {
t.Errorf("Unexpected error matching first line: %v", err)
}
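Review bot: The updated pattern only covers the default path (`asgroups="<lookup>"`), so the new quote-and-join logic for a request that actually carries Impersonate-Group headers is not exercised by this test. A second request setting two such headers, matched against the exact expected asgroups text, would pin the log format and catch a change in how the group list is escaped. TestAudit begins and ends outside this hunk.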