hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/SimpleKMSAuditLogger.java

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.crypto.key.kms.server;

import static org.apache.hadoop.crypto.key.kms.server.KMSAudit.KMS_LOGGER_NAME;

import java.io.IOException;
import java.util.LinkedList;
import java.util.List;

import com.google.common.base.Joiner;
import com.google.common.base.Strings;
import org.apache.hadoop.conf.Configuration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * A simple text format audit logger. This is the default.
 * <p>
 * IMPORTANT WARNING: Audit logs should be strictly backwards-compatible,
 * because there are usually parsing tools highly dependent on the audit log
 * formatting. Different tools have different ways of parsing the audit log, so
 * changing the audit log output in any way is considered incompatible,
 * and will haunt the consumer tools / developers. Don't do it.
 */
class SimpleKMSAuditLogger implements KMSAuditLogger {
  final private Logger auditLog = LoggerFactory.getLogger(KMS_LOGGER_NAME);

  @Override
  public void cleanup() throws IOException {
  }

  @Override
  public void initialize(Configuration conf) throws IOException {
  }

  @Override
  public void logAuditEvent(final OpStatus status, final AuditEvent event) {
    if (!Strings.isNullOrEmpty(event.getUser()) && !Strings
        .isNullOrEmpty(event.getKeyName()) && (event.getOp() != null)
        && KMSAudit.AGGREGATE_OPS_WHITELIST.contains(event.getOp())) {
      switch (status) {
      case OK:
        auditLog.info(
            "{}[op={}, key={}, user={}, accessCount={}, interval={}ms] {}",
            status, event.getOp(), event.getKeyName(), event.getUser(),
            event.getAccessCount().get(),
            (event.getEndTime() - event.getStartTime()), event.getExtraMsg());
        break;
      case UNAUTHORIZED:
        logAuditSimpleFormat(status, event);
        break;
      default:
        logAuditSimpleFormat(status, event);
        break;
      }
    } else {
      logAuditSimpleFormat(status, event);
    }
  }

  private void logAuditSimpleFormat(final OpStatus status,
      final AuditEvent event) {
    final List<String> kvs = new LinkedList<>();
    if (event.getOp() != null) {
      kvs.add("op=" + event.getOp());
    }
    if (!Strings.isNullOrEmpty(event.getKeyName())) {
      kvs.add("key=" + event.getKeyName());
    }
    if (!Strings.isNullOrEmpty(event.getUser())) {
      kvs.add("user=" + event.getUser());
    }
    if (kvs.isEmpty()) {
      auditLog.info("{} {}", status, event.getExtraMsg());
    } else {
      final String join = Joiner.on(", ").join(kvs);
      auditLog.info("{}[{}] {}", status, join, event.getExtraMsg());
    }
  }
}