[ 
https://issues.apache.org/jira/browse/CASSANDRA-12151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16466440#comment-16466440
 ] 

Per Otterström commented on CASSANDRA-12151:
--------------------------------------------

I've been following this ticket with some interest. Spent some time to review 
the patch, didn't try things out yet.

When using logback as backend, would it make sense to mark audit records with a 
specific appender name such as "AUDIT" rather than "FileAuditLoggerAppender"? 
That way we can easily tell regular log messages from audit log messages.

Having audit include/exclude filters in the yaml file seems a bit impractical 
when you want to update it. I believe there are quite a few similarities with 
the permissions-on-resources model in Cassandra. Would it not make sense to 
maintain audit whitelist permissions next to all other permissions in 
Cassandra? Example "GRANT NOAUDIT ON KEYSPACE myks TO myuser". I've been 
experimenting with a similar approach (storing white-lists in the role option 
field) in our internal audit log plugin and it looks promising.

On a similar topic, rather than creating the AuditLogEntryCategory type, the 
mapping in AuditLogEntryType and the keyspace/scope of (I)AuditLogContext, would 
it make sense to use the existing Permission type (SELECT, MODIFY, CREATE...) 
and IResource (Data, Role, Function...)? We could create a new resource type to 
represent Connections (like connection/native, connection/thrift, 
connection/jmx) which could be used for managing white-lists for authentication.

Why always mute audit logs for the system keyspaces? IMO, we should make fewer 
assumptions on the use cases and let this be configurable like all other 
keyspaces.

The AuditLogManager contains a few redundant null checks and 
isAuditintEnabled()-checks.

The BinLogAuditLogger declares "LoggerFactory.getLogger(FullQueryLogger.class)".

> Audit logging for database activity
> -----------------------------------
>
>                 Key: CASSANDRA-12151
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12151
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: stefan setyadi
>            Assignee: Vinay Chella
>            Priority: Major
>             Fix For: 4.x
>
>         Attachments: 12151.txt, CASSANDRA_12151-benchmark.html, 
> DesignProposal_AuditingFeature_ApacheCassandra_v1.docx
>
>
> We would like a way to enable Cassandra to log database activity being done 
> on our server.
> It should show username, remote address, timestamp, action type, keyspace, 
> column family, and the query statement.
> It should also be able to log connection attempts and changes to the 
> user/roles.
> I was thinking of making a new keyspace and inserting an entry for every 
> activity that occurs.
> Then it would be possible to query for specific activity or a query targeting 
> a specific keyspace and column family.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
