Beibei Zhao created KAFKA-14605:
-----------------------------------

             Summary: Change the log level to warn when logIfAllowed is set.
                 Key: KAFKA-14605
                 URL: https://issues.apache.org/jira/browse/KAFKA-14605
             Project: Kafka
          Issue Type: Improvement
            Reporter: Beibei Zhao


StandardAuthorizer logs at INFO level when logIfDenied is set (otherwise, we log 
at TRACE), but at DEBUG level when logIfAllowed is set.
Since the audit log is a security log, it should be logged at the default verbosity 
level, not debug or trace, when logIfAllowed is set.
So I think logging at INFO when allowed and at WARN when denied is better.

{code:java}
    private void logAuditMessage(
        ...... ) {
        switch (rule.result()) {
            case ALLOWED:
                if (action.logIfAllowed() && auditLog.isDebugEnabled()) {
                    auditLog.debug(......); // info
                } else if (auditLog.isTraceEnabled()) {
                    auditLog.trace(buildAuditMessage(principal, requestContext, action, rule));
                }
                return;

            case DENIED:
                if (action.logIfDenied()) {
                    auditLog.info(......); // warn
                } else if (auditLog.isTraceEnabled()) {
                    auditLog.trace(buildAuditMessage(principal, requestContext, action, rule));
                }
        }
    }
{code}




--
This message was sent by Atlassian Jira
(v8.20.10#820010)
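
The effect described in the issue, as an added example that is not Kafka code or part of the original message: with the audit logger at INFO, the current mapping records only the denial, while the proposed mapping records both decisions. It assumes `java.util.logging` as a stand-in for the authorizer's logger (FINE for DEBUG, FINEST for TRACE, WARNING for WARN); the class, method and sample event names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

// Added illustration, not Kafka code. Assumed level stand-ins:
// FINE ~ DEBUG, FINEST ~ TRACE, WARNING ~ WARN.
public class AuditLevelDemo {
    enum Result { ALLOWED, DENIED }

    // Constructed sample decisions: {result, is the matching logIf* flag set?}
    static final Object[][] EVENTS = {
        {Result.ALLOWED, true},   // logIfAllowed set
        {Result.DENIED,  true},   // logIfDenied set
        {Result.ALLOWED, false},  // flag unset: TRACE under both mappings
    };

    // Mapping the issue describes as current behaviour.
    static Level currentLevel(Result r, boolean flag) {
        if (!flag) return Level.FINEST;
        return r == Result.ALLOWED ? Level.FINE : Level.INFO;
    }

    // Mapping the issue proposes.
    static Level proposedLevel(Result r, boolean flag) {
        if (!flag) return Level.FINEST;
        return r == Result.ALLOWED ? Level.INFO : Level.WARNING;
    }

    // Logs every sample event through a logger at INFO and returns what survives.
    static List<String> emitted(boolean proposed) {
        List<String> seen = new ArrayList<>();
        Logger audit = Logger.getAnonymousLogger();
        audit.setUseParentHandlers(false);
        audit.setLevel(Level.INFO); // default verbosity: DEBUG/TRACE are dropped
        audit.addHandler(new Handler() {
            @Override public void publish(LogRecord rec) {
                seen.add(rec.getLevel() + " " + rec.getMessage());
            }
            @Override public void flush() { }
            @Override public void close() { }
        });
        for (Object[] e : EVENTS) {
            Result r = (Result) e[0];
            boolean flag = (Boolean) e[1];
            Level lvl = proposed ? proposedLevel(r, flag) : currentLevel(r, flag);
            audit.log(lvl, r + " (log flag " + (flag ? "set" : "unset") + ")");
        }
        return seen;
    }

    public static void main(String[] args) {
        System.out.println("current:  " + emitted(false));
        System.out.println("proposed: " + emitted(true));
    }
}
```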
