Beibei Zhao created KAFKA-14605: ----------------------------------- Summary: Change the log level to warn when logIfAllowed is set. Key: KAFKA-14605 URL: https://issues.apache.org/jira/browse/KAFKA-14605 Project: Kafka Issue Type: Improvement Reporter: Beibei Zhao
StandardAuthorizer log at INFO level when logIfDenied is set(otherwise, we log at TRACE), but at debug level when logIfAllowed is set. Since audit log is security log, it should be logged at default verbosity level, not debug or trace when logIfAllowed is set. So I think, log at INFO when allow, and log at WARN when deny is better. {code:java} private void logAuditMessage( ...... ) { switch (rule.result()) { case ALLOWED: if (action.logIfAllowed() && auditLog.isDebugEnabled()) { auditLog.debug(......); // info } else if (auditLog.isTraceEnabled()) { auditLog.trace(buildAuditMessage(principal, requestContext, action, rule)); } return; case DENIED: if (action.logIfDenied()) { auditLog.info(......); // warn } else if (auditLog.isTraceEnabled()) { auditLog.trace(buildAuditMessage(principal, requestContext, action, rule)); } } } {code} -- This message was sent by Atlassian Jira (v8.20.10#820010)