Posted to jira@kafka.apache.org by "Beibei Zhao (Jira)" <ji...@apache.org> on 2023/01/07 15:11:00 UTC

[jira] [Created] (KAFKA-14605) Change the log level to warn when logIfAllowed is set.

Beibei Zhao created KAFKA-14605:
-----------------------------------

             Summary: Change the log level to warn when logIfAllowed is set.
                 Key: KAFKA-14605
                 URL: https://issues.apache.org/jira/browse/KAFKA-14605
             Project: Kafka
          Issue Type: Improvement
            Reporter: Beibei Zhao


StandardAuthorizer logs at INFO level when logIfDenied is set (otherwise, we log at TRACE), but at DEBUG level when logIfAllowed is set.
Since the audit log is a security log, it should be logged at the default verbosity level, not debug or trace, when logIfAllowed is set.
So I think logging at INFO when allowed and at WARN when denied is better.

{code:java}
    private void logAuditMessage(
        ...... ) {
        switch (rule.result()) {
            case ALLOWED:
                if (action.logIfAllowed() && auditLog.isDebugEnabled()) {
                    auditLog.debug(......); // info
                } else if (auditLog.isTraceEnabled()) {
                    auditLog.trace(buildAuditMessage(principal, requestContext, action, rule));
                }
                return;

            case DENIED:
                if (action.logIfDenied()) {
                    auditLog.info(......); // warn
                } else if (auditLog.isTraceEnabled()) {
                    auditLog.trace(buildAuditMessage(principal, requestContext, action, rule));
                }
        }
    }
{code}




--
This message was sent by Atlassian Jira
(v8.20.10#820010)