diff --git a/processing/src/main/java/org/apache/druid/audit/AuditManager.java b/processing/src/main/java/org/apache/druid/audit/AuditManager.java index 95d81dd49a0b..3ab126e93373 100644 --- a/processing/src/main/java/org/apache/druid/audit/AuditManager.java +++ b/processing/src/main/java/org/apache/druid/audit/AuditManager.java @@ -32,20 +32,6 @@ public interface AuditManager String X_DRUID_AUTHOR = "X-Druid-Author"; String X_DRUID_COMMENT = "X-Druid-Comment"; - /** - * Value of header {@link #X_DRUID_AUTHOR} used by Druid services so that they - * can be distinguished from external requests. - */ - String AUTHOR_DRUID_SYSTEM = "druid_system"; - - /** - * @return true if the audited event was initiated by the Druid system itself. - */ - default boolean isSystemRequest(AuditInfo auditInfo) - { - return AUTHOR_DRUID_SYSTEM.equals(auditInfo.getAuthor()); - } - void doAudit(AuditEntry event); /** diff --git a/server/src/main/java/org/apache/druid/rpc/indexing/OverlordClientImpl.java b/server/src/main/java/org/apache/druid/rpc/indexing/OverlordClientImpl.java index 676848f9961e..d7fab4b75fa2 100644 --- a/server/src/main/java/org/apache/druid/rpc/indexing/OverlordClientImpl.java +++ b/server/src/main/java/org/apache/druid/rpc/indexing/OverlordClientImpl.java @@ -24,7 +24,6 @@ import com.google.common.base.Preconditions; import com.google.common.util.concurrent.Futures; import com.google.common.util.concurrent.ListenableFuture; -import org.apache.druid.audit.AuditManager; import org.apache.druid.client.JsonParserIterator; import org.apache.druid.client.indexing.IndexingTotalWorkerCapacityInfo; import org.apache.druid.client.indexing.IndexingWorkerInfo; 
@@ -97,8 +96,7 @@ public ListenableFuture runTask(final String taskId, final Object taskObje return FutureUtils.transform( client.asyncRequest( new RequestBuilder(HttpMethod.POST, "/druid/indexer/v1/task") - .jsonContent(jsonMapper, taskObject) - .header(AuditManager.X_DRUID_AUTHOR, AuditManager.AUTHOR_DRUID_SYSTEM), + .jsonContent(jsonMapper, taskObject), new BytesFullResponseHandler() ), holder -> { diff --git a/server/src/main/java/org/apache/druid/server/audit/AuditSerdeHelper.java b/server/src/main/java/org/apache/druid/server/audit/AuditSerdeHelper.java index 1450de66e30f..385811d055ce 100644 --- a/server/src/main/java/org/apache/druid/server/audit/AuditSerdeHelper.java +++ b/server/src/main/java/org/apache/druid/server/audit/AuditSerdeHelper.java @@ -26,6 +26,7 @@ import org.apache.druid.guice.annotations.JsonNonNull; import org.apache.druid.java.util.common.StringUtils; import org.apache.druid.java.util.common.logger.Logger; +import org.apache.druid.server.security.Escalator; import java.io.IOException; import java.nio.charset.StandardCharsets; @@ -50,11 +51,13 @@ public class AuditSerdeHelper private final ObjectMapper jsonMapper; private final ObjectMapper jsonMapperSkipNulls; + private final String systemIdentity; private final AuditManagerConfig config; @Inject public AuditSerdeHelper( AuditManagerConfig config, + Escalator escalator, @Json ObjectMapper jsonMapper, @JsonNonNull ObjectMapper jsonMapperSkipNulls ) 
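Review bot: The new `Escalator escalator` parameter of the `AuditSerdeHelper` constructor has no nullability marker, yet the constructor body (which continues in the next hunk) explicitly tolerates null and the updated tests pass null. On an `@Inject` constructor a reader will assume the argument is always present, so the null branch looks like dead code when it is actually what turns system-request filtering off. If the project's nullability annotation is available in this file, declare the parameter as `@Nullable Escalator escalator`. A comment on the new field would also help, for example `// null when no Escalator is supplied; no audit entry is then treated as a system request`.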
@@ -62,6 +65,21 @@ public AuditSerdeHelper( this.config = config; this.jsonMapper = jsonMapper; this.jsonMapperSkipNulls = jsonMapperSkipNulls; + this.systemIdentity = escalator == null + ? null : escalator.createEscalatedAuthenticationResult().getIdentity(); + } + + /** + * Checks if the given audit event needs to be handled. + * + * @return true only if the event was not initiated by the Druid system OR if + * system requests should be audited too. + */ + public boolean shouldProcessAuditEntry(AuditEntry entry) + { + final boolean isSystemRequest = systemIdentity != null + && systemIdentity.equals(entry.getAuditInfo().getIdentity()); + return config.isAuditSystemRequests() || !isSystemRequest; } /** diff --git a/server/src/main/java/org/apache/druid/server/audit/LoggingAuditManager.java b/server/src/main/java/org/apache/druid/server/audit/LoggingAuditManager.java index 68840d7a3ca0..65d3427b8ff5 100644 --- a/server/src/main/java/org/apache/druid/server/audit/LoggingAuditManager.java +++ b/server/src/main/java/org/apache/druid/server/audit/LoggingAuditManager.java @@ -56,7 +56,7 @@ public LoggingAuditManager( @Override public void doAudit(AuditEntry entry) { - if (managerConfig.isAuditSystemRequests() || !isSystemRequest(entry.getAuditInfo())) { + if (serdeHelper.shouldProcessAuditEntry(entry)) { auditLogger.log(serdeHelper.processAuditEntry(entry)); } } diff --git a/server/src/main/java/org/apache/druid/server/audit/SQLAuditManager.java b/server/src/main/java/org/apache/druid/server/audit/SQLAuditManager.java index cabbfb9251b6..13c4f167e098 100644 --- a/server/src/main/java/org/apache/druid/server/audit/SQLAuditManager.java +++ b/server/src/main/java/org/apache/druid/server/audit/SQLAuditManager.java 
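Review bot: `shouldProcessAuditEntry` decides whether to drop an audit record purely on string equality between the escalated identity and `entry.getAuditInfo().getIdentity()`, so any request that carries the same identity as the escalator is left out of the audit trail whenever `isAuditSystemRequests()` is false. Nothing visible in this hunk rules out a configuration where the authenticator assigns external callers that same identity (an allow-all style setup, for instance), in which case user-initiated changes would go unaudited without any warning. The Javadoc should state that the check is only meaningful when the identity is the authenticated one and is reserved for internal services. The constructor could also log the chosen value once through the class's existing logger, e.g. `"Treating identity[%s] as the Druid system for audit filtering"`. Separately, the result of `createEscalatedAuthenticationResult()` is dereferenced unguarded; if an Escalator implementation can return null there, construction fails with a NullPointerException.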
@@ -136,7 +136,7 @@ private ServiceMetricEvent.Builder createMetricEventBuilder(AuditEntry entry) @Override public void doAudit(AuditEntry event, Handle handle) throws IOException { - if (isSystemRequest(event.getAuditInfo()) && !config.isAuditSystemRequests()) { + if (!serdeHelper.shouldProcessAuditEntry(event)) { return; } diff --git a/server/src/test/java/org/apache/druid/metadata/SQLMetadataRuleManagerTest.java b/server/src/test/java/org/apache/druid/metadata/SQLMetadataRuleManagerTest.java index 17442cf2ca04..f1b7855e3d1f 100644 --- a/server/src/test/java/org/apache/druid/metadata/SQLMetadataRuleManagerTest.java +++ b/server/src/test/java/org/apache/druid/metadata/SQLMetadataRuleManagerTest.java @@ -75,7 +75,7 @@ public void setUp() final SQLAuditManagerConfig auditManagerConfig = new SQLAuditManagerConfig(null, null, null, null, null); auditManager = new SQLAuditManager( auditManagerConfig, - new AuditSerdeHelper(auditManagerConfig, mapper, mapper), + new AuditSerdeHelper(auditManagerConfig, null, mapper, mapper), connector, Suppliers.ofInstance(tablesConfig), new NoopServiceEmitter(), diff --git a/server/src/test/java/org/apache/druid/server/audit/SQLAuditManagerTest.java b/server/src/test/java/org/apache/druid/server/audit/SQLAuditManagerTest.java index 8e15aa4e2ce0..a12722088159 100644 --- a/server/src/test/java/org/apache/druid/server/audit/SQLAuditManagerTest.java +++ b/server/src/test/java/org/apache/druid/server/audit/SQLAuditManagerTest.java @@ -73,7 +73,7 @@ private SQLAuditManager createAuditManager(SQLAuditManagerConfig config) { return new SQLAuditManager( config, - new AuditSerdeHelper(config, mapper, mapperSkipNull), + new AuditSerdeHelper(config, null, mapper, mapperSkipNull), connector, derbyConnectorRule.metadataTablesConfigSupplier(), serviceEmitter,
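Review bot: Passing `null` for the escalator in `createAuditManager` leaves `systemIdentity` null, so `shouldProcessAuditEntry` returns true for every entry and no test built through this factory can reach the branch that suppresses system requests. That branch determines what is absent from the audit log, so it deserves direct coverage. Construct the helper with an Escalator whose escalated identity is a known test value, then assert that an entry with that identity is skipped when `isAuditSystemRequests()` is false and recorded when it is true, and that an entry with any other identity is always recorded. The same `null` argument appears in the SQLMetadataRuleManagerTest hunk, where it is harmless. The body of `createAuditManager` continues outside the hunk.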