root
/
kafka
mirror of https://github.com/apache/kafka.git
1
0
Fork 0
Code Issues Actions 2 Packages Projects Releases Wiki Activity

KAFKA-5750; Elevate log messages for denials to INFO in SimpleAclAuthorizer 

Author: Manikumar Reddy <manikumar.reddy@gmail.com>

Reviewers: Ismael Juma <ismael@juma.me.uk>

Closes #3698 from omkreddy/KAFKA-5750
This commit is contained in:
Manikumar Reddy 2017-09-27 16:34:20 +01:00 committed by Ismael Juma
parent 5b943ca8a9
commit 8dfdcfd02c
3 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
config/log4j.properties
View File

@ -86,7 +86,7 @@ log4j.additivity.kafka.log.LogCleaner=false
log4j.logger.state.change.logger=TRACE, stateChangeAppender
log4j.additivity.state.change.logger=false
# Change to DEBUG to enable audit log for the authorizer
log4j.logger.kafka.authorizer.logger=WARN, authorizerAppender
# Access denials are logged at INFO level, change to DEBUG to also log allowed accesses
log4j.logger.kafka.authorizer.logger=INFO, authorizerAppender
log4j.additivity.kafka.authorizer.logger=false

9
core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala
View File

@ -246,8 +246,13 @@ class SimpleAclAuthorizer extends Authorizer with Logging {
}
private def logAuditMessage(principal: KafkaPrincipal, authorized: Boolean, operation: Operation, resource: Resource, host: String) {
val permissionType = if (authorized) "Allowed" else "Denied"
authorizerLogger.debug(s"Principal = $principal is $permissionType Operation = $operation from host = $host on resource = $resource")
def logMessage: String = {
val authResult = if (authorized) "Allowed" else "Denied"
s"Principal = $principal is $authResult Operation = $operation from host = $host on resource = $resource"
}
if (authorized) authorizerLogger.debug(logMessage)
else authorizerLogger.info(logMessage)
}
/**

1
docs/upgrade.html
View File

@ -67,6 +67,7 @@
A stub implementation has been retained for binary compatibility.</li>
<li>The Java clients and tools now accept any string as a client-id.</li>
<li>The deprecated tool <code>kafka-consumer-offset-checker.sh</code> has been removed. Use <code>kafka-consumer-groups.sh</code> to get consumer group details.</li>
<li>SimpleAclAuthorizer now logs access denials to the authorizer log by default.</li>
</ul>
<h5><a id="upgrade_100_new_protocols" href="#upgrade_100_new_protocols">New Protocol Versions</a></h5>