Handle streaming request body in audit log #127798
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The audit event for a successfully-authenticated REST request occurs when we start to process the request. For APIs that accept a streaming request body this means we have received the request headers, but not its body, at the time of the audit event. Today such requests will fail with a `ClassCastException`. This change fixes the handling of streaming requests in the audit log to now report that the request body was not available when writing the audit entry.
|
Pinging @elastic/es-security (Team:Security) |
|
Hi @DaveCTurner, I've created a changelog YAML for you. |
ywangd
reviewed
May 7, 2025
| @@ -27,6 +27,9 @@ public class AuditUtil { | |||
|
|
|||
| public static String restRequestContent(RestRequest request) { | |||
| if (request.hasContent()) { | |||
| if (request.isStreamedContent()) { | |||
| return "Request body had not been received at the time of the audit event"; | |||
There was a problem hiding this comment.
Do we want to eventually support this use case? If not, can we provide more details here? Something like
Audit logging with request body is not supported when the request is streamed. To disable request streaming, set [rest.incremental_bulk] to [false].
What do you think?
There was a problem hiding this comment.
Yes I think eventually we'll need this for streaming requests (because eventually we will be handling all requests as streaming). It's not reasonable to log an arbitrarily-large body in a single audit event tho, instead we will need to record each chunk in the audit log as they arrive.
There was a problem hiding this comment.
Also note that today because of how we try and log the whole body in a single message we end up truncating it anyway after a few kiB even with rest.incremental_bulk: true.
There was a problem hiding this comment.
Thanks for explaining. The fix here is certainly a lot better than throwing ClassCastException. But we may still want to create an issue to say a future fix is pending?
we end up truncating it anyway after a few kiB
IIRC, we don't truncate audit logs. At least payloads of a few hundred KB are fully logged.
There was a problem hiding this comment.
I started a design doc and opened ES-11760
There was a problem hiding this comment.
IIRC, we don't truncate audit logs
You're right, TIL. And yet we seem to truncate other logs messages emitted by Log4J. I wonder why (but not hard enough to go digging further).
DaveCTurner
added a commit
to DaveCTurner/elasticsearch
that referenced
this pull request
May 7, 2025
The audit event for a successfully-authenticated REST request occurs when we start to process the request. For APIs that accept a streaming request body this means we have received the request headers, but not its body, at the time of the audit event. Today such requests will fail with a `ClassCastException` if the `emit_request_body` flag is set. This change fixes the handling of streaming requests in the audit log to now report that the request body was not available when writing the audit entry.
DaveCTurner
added a commit
to DaveCTurner/elasticsearch
that referenced
this pull request
May 7, 2025
The audit event for a successfully-authenticated REST request occurs when we start to process the request. For APIs that accept a streaming request body this means we have received the request headers, but not its body, at the time of the audit event. Today such requests will fail with a `ClassCastException` if the `emit_request_body` flag is set. This change fixes the handling of streaming requests in the audit log to now report that the request body was not available when writing the audit entry.
DaveCTurner
added a commit
to DaveCTurner/elasticsearch
that referenced
this pull request
May 7, 2025
The audit event for a successfully-authenticated REST request occurs when we start to process the request. For APIs that accept a streaming request body this means we have received the request headers, but not its body, at the time of the audit event. Today such requests will fail with a `ClassCastException` if the `emit_request_body` flag is set. This change fixes the handling of streaming requests in the audit log to now report that the request body was not available when writing the audit entry.
💔 Backport failed
You can use sqren/backport to manually backport by running |
DaveCTurner
added a commit
to DaveCTurner/elasticsearch
that referenced
this pull request
May 7, 2025
The audit event for a successfully-authenticated REST request occurs when we start to process the request. For APIs that accept a streaming request body this means we have received the request headers, but not its body, at the time of the audit event. Today such requests will fail with a `ClassCastException` if the `emit_request_body` flag is set. This change fixes the handling of streaming requests in the audit log to now report that the request body was not available when writing the audit entry. Backport of elastic#127798 to `8.17`
|
8.17 backport is #127843 |
elasticsearchmachine
pushed a commit
that referenced
this pull request
May 7, 2025
The audit event for a successfully-authenticated REST request occurs when we start to process the request. For APIs that accept a streaming request body this means we have received the request headers, but not its body, at the time of the audit event. Today such requests will fail with a `ClassCastException` if the `emit_request_body` flag is set. This change fixes the handling of streaming requests in the audit log to now report that the request body was not available when writing the audit entry.
elasticsearchmachine
pushed a commit
that referenced
this pull request
May 7, 2025
* Handle streaming request body in audit log The audit event for a successfully-authenticated REST request occurs when we start to process the request. For APIs that accept a streaming request body this means we have received the request headers, but not its body, at the time of the audit event. Today such requests will fail with a `ClassCastException` if the `emit_request_body` flag is set. This change fixes the handling of streaming requests in the audit log to now report that the request body was not available when writing the audit entry. Backport of #127798 to `8.17` * Enable incremental bulks in AuditIT
elasticsearchmachine
pushed a commit
that referenced
this pull request
May 8, 2025
* Handle streaming request body in audit log (#127798) The audit event for a successfully-authenticated REST request occurs when we start to process the request. For APIs that accept a streaming request body this means we have received the request headers, but not its body, at the time of the audit event. Today such requests will fail with a `ClassCastException` if the `emit_request_body` flag is set. This change fixes the handling of streaming requests in the audit log to now report that the request body was not available when writing the audit entry. * Enable incremental bulks in AuditIT
elasticsearchmachine
pushed a commit
that referenced
this pull request
May 8, 2025
* Handle streaming request body in audit log (#127798) The audit event for a successfully-authenticated REST request occurs when we start to process the request. For APIs that accept a streaming request body this means we have received the request headers, but not its body, at the time of the audit event. Today such requests will fail with a `ClassCastException` if the `emit_request_body` flag is set. This change fixes the handling of streaming requests in the audit log to now report that the request body was not available when writing the audit entry. * Enable incremental bulks in AuditIT
ywangd
pushed a commit
to ywangd/elasticsearch
that referenced
this pull request
May 9, 2025
The audit event for a successfully-authenticated REST request occurs when we start to process the request. For APIs that accept a streaming request body this means we have received the request headers, but not its body, at the time of the audit event. Today such requests will fail with a `ClassCastException` if the `emit_request_body` flag is set. This change fixes the handling of streaming requests in the audit log to now report that the request body was not available when writing the audit entry.
afoucret
pushed a commit
to afoucret/elasticsearch
that referenced
this pull request
May 9, 2025
The audit event for a successfully-authenticated REST request occurs when we start to process the request. For APIs that accept a streaming request body this means we have received the request headers, but not its body, at the time of the audit event. Today such requests will fail with a `ClassCastException` if the `emit_request_body` flag is set. This change fixes the handling of streaming requests in the audit log to now report that the request body was not available when writing the audit entry.
jfreden
pushed a commit
to jfreden/elasticsearch
that referenced
this pull request
May 12, 2025
The audit event for a successfully-authenticated REST request occurs when we start to process the request. For APIs that accept a streaming request body this means we have received the request headers, but not its body, at the time of the audit event. Today such requests will fail with a `ClassCastException` if the `emit_request_body` flag is set. This change fixes the handling of streaming requests in the audit log to now report that the request body was not available when writing the audit entry.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The audit event for a successfully-authenticated REST request occurs
when we start to process the request. For APIs that accept a streaming
request body this means we have received the request headers, but not
its body, at the time of the audit event. Today such requests will fail
with a
ClassCastExceptionif theemit_request_bodyflag is set. Thischange fixes the handling of streaming requests in the audit log to now
report that the request body was not available when writing the audit
entry.