You are viewing a plain text version of this content. The canonical link for it is here.

Posted to jira@kafka.apache.org by GitBox <gi...@apache.org> on 2023/01/11 06:55:01 UTC

[GitHub] [kafka] ijuma commented on a diff in pull request #13090: KAFKA-14605 Change the log level to info when logIfAllowed is set, warn when logIfDenied is set.

ijuma commented on code in PR #13090:
URL: https://github.com/apache/kafka/pull/13090#discussion_r1066631471


##########
metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java:
##########
@@ -329,7 +329,7 @@ private void logAuditMessage(
                 // authorized operations or a filter (e.g for regex subscriptions) to filter out authorized resources.
                 // In this case, log only at trace level.
                 if (action.logIfDenied()) {
-                    auditLog.info(buildAuditMessage(principal, requestContext, action, rule));
+                    auditLog.warn(buildAuditMessage(principal, requestContext, action, rule));

Review Comment:
   The `AclAuthorizer` (as shown below) has the same implementation. This is long-standing behavior and there would have to be a strong reason to change it at this point.
   
   >     if (authorized) {
   >       // logIfAllowed is true if access is granted to the resource as a result of this authorization.
   >       // In this case, log at debug level. If false, no access is actually granted, the result is used
   >       // only to determine authorized operations. So log only at trace level.
   >       if (action.logIfAllowed)
   >         authorizerLogger.debug(logMessage)
   >       else
   >         authorizerLogger.trace(logMessage)
   >     } else {
   >       // logIfDenied is true if access to the resource was explicitly requested. Since this is an attempt
   >       // to access unauthorized resources, log at info level. If false, this is either a request to determine
   >       // authorized operations or a filter (e.g for regex subscriptions) to filter out authorized resources.
   >       // In this case, log only at trace level.
   >       if (action.logIfDenied)
   >         authorizerLogger.info(logMessage)
   >       else
   >         authorizerLogger.trace(logMessage)
   >     }



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscribe@kafka.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org