AuditTrail correctly handle ReplicatedWriteRequest (#39925)

This fix deduplicates index names in `BulkShardRequests` and only audits
the specific resolved index for every comprising `BulkItemRequest`.

Author: albertzaharovits

server/src/main/java/org/elasticsearch/action/bulk/BulkShardRequest.java

@@ -26,8 +26,8 @@
 import org.elasticsearch.index.shard.ShardId;
 
 import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
+import java.util.HashSet;
+import java.util.Set;
 
 public class BulkShardRequest extends ReplicatedWriteRequest<BulkShardRequest> {
 
@@ -48,7 +48,13 @@ public BulkItemRequest[] items() {
 
     @Override
     public String[] indices() {
-        List<String> indices = new ArrayList<>();
+        // A bulk shard request encapsulates items targeted at a specific shard of an index.
+        // However, items could be targeting aliases of the index, so the bulk request although
+        // targeting a single concrete index shard might do so using several alias names.
+        // These alias names have to be exposed by this method because authorization works with
+        // aliases too, specifically, the item's target alias can be authorized but the concrete
+        // index might not be.
+        Set<String> indices = new HashSet<>(1);
         for (BulkItemRequest item : items) {
             if (item != null) {
                 indices.add(item.index());

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrail.java

@@ -5,6 +5,7 @@
  */
 package org.elasticsearch.xpack.security.audit;
 
+import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.rest.RestRequest;
 import org.elasticsearch.transport.TransportMessage;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
@@ -72,4 +73,13 @@ void runAsDenied(String requestId, Authentication authentication, String action,
     void runAsDenied(String requestId, Authentication authentication, RestRequest request,
                      AuthorizationInfo authorizationInfo);
 
+    /**
+     * This is a "workaround" method to log index "access_granted" and "access_denied" events for actions not tied to a
+     * {@code TransportMessage}, or when the connection is not 1:1, i.e. several audit events for an action associated with the same
+     * message. It is currently only used to audit the resolved index (alias) name for each {@code BulkItemRequest} comprised by a
+     * {@code BulkShardRequest}. We should strive to not use this and TODO refactor it out!
+     */
+    void explicitIndexAccessEvent(String requestId, AuditLevel eventType, Authentication authentication, String action, String indices,
+                                  String requestName, TransportAddress remoteAddress, AuthorizationInfo authorizationInfo);
+
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java

@@ -6,6 +6,7 @@
 package org.elasticsearch.xpack.security.audit;
 
 import org.elasticsearch.common.component.AbstractComponent;
+import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.rest.RestRequest;
 import org.elasticsearch.transport.TransportMessage;
@@ -223,4 +224,16 @@ public void runAsDenied(String requestId, Authentication authentication, RestReq
             }
         }
     }
+
+    @Override
+    public void explicitIndexAccessEvent(String requestId, AuditLevel eventType, Authentication authentication, String action,
+                                         String indices, String requestName, TransportAddress remoteAddress,
+                                         AuthorizationInfo authorizationInfo) {
+        if (licenseState.isAuditingAllowed()) {
+            for (AuditTrail auditTrail : auditTrails) {
+                auditTrail.explicitIndexAccessEvent(requestId, eventType, authentication, action, indices, requestName, remoteAddress,
+                        authorizationInfo);
+            }
+        }
+    }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrail.java

@@ -40,6 +40,7 @@
 import org.elasticsearch.common.util.concurrent.AbstractRunnable;
 import org.elasticsearch.common.util.concurrent.EsExecutors;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.common.util.set.Sets;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.common.xcontent.XContentFactory;
 import org.elasticsearch.common.xcontent.XContentType;
@@ -665,6 +666,30 @@ public void accessDenied(String requestId, Authentication authentication, String
         }
     }
 
+    @Override
+    public void explicitIndexAccessEvent(String requestId, AuditLevel eventType, Authentication authentication, String action, String index,
+                                         String requestName, TransportAddress remoteAddress, AuthorizationInfo authorizationInfo) {
+        assert eventType == ACCESS_DENIED || eventType == AuditLevel.ACCESS_GRANTED || eventType == SYSTEM_ACCESS_GRANTED;
+        final User user = authentication.getUser();
+        final boolean isSystem = SystemUser.is(user) || XPackUser.is(user);
+        if (isSystem && eventType == ACCESS_GRANTED) {
+            eventType = SYSTEM_ACCESS_GRANTED;
+        }
+        if (events.contains(eventType)) {
+            try {
+                assert authentication.getAuthenticatedBy() != null;
+                final String eventTypeString = eventType == ACCESS_DENIED ? "access_denied" : "access_granted";
+                final String authRealmName = authentication.getAuthenticatedBy().getName();
+                final String lookRealmName = authentication.getLookedUpBy() == null ? null : authentication.getLookedUpBy().getName();
+                final String[] roleNames = (String[]) authorizationInfo.asMap().get(LoggingAuditTrail.PRINCIPAL_ROLES_FIELD_NAME);
+                enqueue(message(eventTypeString, action, user, roleNames, new Tuple(authRealmName, lookRealmName), Sets.newHashSet(index),
+                        remoteAddress, requestName), eventTypeString);
+            } catch (final Exception e) {
+                logger.warn("failed to index audit event: [access_denied]", e);
+            }
+        }
+    }
+
     @Override
     public void tamperedRequest(String requestId, RestRequest request) {
         if (events.contains(TAMPERED_REQUEST)) {
@@ -773,10 +798,15 @@ public void runAsDenied(String requestId, Authentication authentication, RestReq
     private Message message(String type, @Nullable String action, @Nullable User user, @Nullable String[] roleNames,
                             @Nullable Tuple<String, String> realms, @Nullable Set<String> indices, TransportMessage message)
             throws Exception {
+        return message(type, action, user, roleNames, realms, indices, message.remoteAddress(), message.getClass().getSimpleName());
+    }
 
+    private Message message(String type, @Nullable String action, @Nullable User user, @Nullable String[] roleNames,
+                            @Nullable Tuple<String, String> realms, @Nullable Set<String> indices,
+                            TransportAddress address, String requestName) throws Exception {
         Message msg = new Message().start();
         common("transport", type, msg.builder);
-        originAttributes(message, msg.builder, clusterService.localNode(), threadPool.getThreadContext());
+        originAttributes(address, msg.builder, clusterService.localNode(), threadPool.getThreadContext());
 
         if (action != null) {
             msg.builder.field(Field.ACTION, action);
@@ -788,7 +818,7 @@ private Message message(String type, @Nullable String action, @Nullable User use
         if (indices != null) {
             msg.builder.array(Field.INDICES, indices.toArray(Strings.EMPTY_ARRAY));
         }
-        msg.builder.field(Field.REQUEST, message.getClass().getSimpleName());
+        msg.builder.field(Field.REQUEST, requestName);
 
         return msg.end();
     }
@@ -943,6 +973,11 @@ private XContentBuilder common(String layer, String type, XContentBuilder builde
 
     private static XContentBuilder originAttributes(TransportMessage message, XContentBuilder builder,
                                                     DiscoveryNode localNode, ThreadContext threadContext) throws IOException {
+        return originAttributes(message.remoteAddress(), builder, localNode, threadContext);
+    }
+
+    private static XContentBuilder originAttributes(TransportAddress address, XContentBuilder builder,
+                                                    DiscoveryNode localNode, ThreadContext threadContext) throws IOException {
 
         // first checking if the message originated in a rest call
         InetSocketAddress restAddress = RemoteHostHeader.restRemoteAddress(threadContext);
@@ -953,7 +988,6 @@ private static XContentBuilder originAttributes(TransportMessage message, XConte
         }
 
         // we'll see if was originated in a remote node
-        TransportAddress address = message.remoteAddress();
         if (address != null) {
             builder.field(Field.ORIGIN_TYPE, "transport");
             builder.field(Field.ORIGIN_ADDRESS,

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/DeprecatedLoggingAuditTrail.java

@@ -356,6 +356,51 @@ localNodeInfo.prefix, originAttributes(threadContext, message, localNodeInfo), s
         }
     }
 
+    @Override
+    public void explicitIndexAccessEvent(String requestId, AuditLevel eventType, Authentication authentication, String action, String index,
+                                         String requestName, TransportAddress remoteAddress, AuthorizationInfo authorizationInfo) {
+        assert eventType == ACCESS_DENIED || eventType == AuditLevel.ACCESS_GRANTED || eventType == SYSTEM_ACCESS_GRANTED;
+        final String[] indices = index == null ? null : new String[] { index };
+        final User user = authentication.getUser();
+        final boolean isSystem = SystemUser.is(user) || XPackUser.is(user);
+        if (isSystem && eventType == ACCESS_GRANTED) {
+            eventType = SYSTEM_ACCESS_GRANTED;
+        }
+        if (events.contains(eventType)) {
+            if (eventFilterPolicyRegistry.ignorePredicate()
+                    .test(new AuditEventMetaInfo(Optional.of(user), Optional.of(effectiveRealmName(authentication)),
+                            Optional.of(authorizationInfo), Optional.ofNullable(indices))) == false) {
+                final String[] roleNames = (String[]) authorizationInfo.asMap().get(LoggingAuditTrail.PRINCIPAL_ROLES_FIELD_NAME);
+                final StringBuilder logEntryBuilder = new StringBuilder();
+                logEntryBuilder.append(localNodeInfo.prefix);
+                logEntryBuilder.append("[transport] ");
+                if (eventType == ACCESS_DENIED) {
+                    logEntryBuilder.append("[access_denied]\t");
+                } else {
+                    logEntryBuilder.append("[access_granted]\t");
+                }
+                final String originAttributes = restOriginTag(threadContext).orElseGet(() -> {
+                    if (remoteAddress == null) {
+                        return localNodeInfo.localOriginTag;
+                    }
+                    return new StringBuilder("origin_type=[transport], origin_address=[")
+                            .append(NetworkAddress.format(remoteAddress.address().getAddress())).append("]").toString();
+                });
+                logEntryBuilder.append(originAttributes).append(", ");
+                logEntryBuilder.append(subject(authentication)).append(", ");
+                logEntryBuilder.append("roles=[").append(arrayToCommaDelimitedString(roleNames)).append("], ");
+                logEntryBuilder.append("action=[").append(action).append("], ");
+                logEntryBuilder.append("indices=[").append(index).append("], ");
+                logEntryBuilder.append("request=[").append(requestName).append("]");
+                final String opaqueId = threadContext.getHeader(Task.X_OPAQUE_ID);
+                if (opaqueId != null) {
+                    logEntryBuilder.append(", opaque_id=[").append(opaqueId).append("]");
+                }
+                logger.info(logEntryBuilder.toString());
+            }
+        }
+    }
+
     @Override
     public void tamperedRequest(String requestId, RestRequest request) {
         if (events.contains(TAMPERED_REQUEST) && (eventFilterPolicyRegistry.ignorePredicate().test(AuditEventMetaInfo.EMPTY) == false)) {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java

@@ -452,6 +452,46 @@ public void accessGranted(String requestId, Authentication authentication, Strin
         }
     }
 
+    @Override
+    public void explicitIndexAccessEvent(String requestId, AuditLevel eventType, Authentication authentication, String action, String index,
+                                    String requestName, TransportAddress remoteAddress, AuthorizationInfo authorizationInfo) {
+        assert eventType == ACCESS_DENIED || eventType == AuditLevel.ACCESS_GRANTED || eventType == SYSTEM_ACCESS_GRANTED;
+        final String[] indices = index == null ? null : new String[] { index };
+        final User user = authentication.getUser();
+        final boolean isSystem = SystemUser.is(user) || XPackUser.is(user);
+        if (isSystem && eventType == ACCESS_GRANTED) {
+            eventType = SYSTEM_ACCESS_GRANTED;
+        }
+        if (events.contains(eventType)) {
+            if (eventFilterPolicyRegistry.ignorePredicate()
+                    .test(new AuditEventMetaInfo(Optional.of(user), Optional.of(effectiveRealmName(authentication)),
+                            Optional.of(authorizationInfo), Optional.ofNullable(indices))) == false) {
+                final LogEntryBuilder logEntryBuilder = new LogEntryBuilder()
+                        .with(EVENT_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
+                        .with(EVENT_ACTION_FIELD_NAME, eventType == ACCESS_DENIED ? "access_denied" : "access_granted")
+                        .with(ACTION_FIELD_NAME, action)
+                        .with(REQUEST_NAME_FIELD_NAME, requestName)
+                        .withRequestId(requestId)
+                        .withSubject(authentication)
+                        .with(INDICES_FIELD_NAME, indices)
+                        .withOpaqueId(threadContext)
+                        .withXForwardedFor(threadContext)
+                        .with(authorizationInfo.asMap());
+                final InetSocketAddress restAddress = RemoteHostHeader.restRemoteAddress(threadContext);
+                if (restAddress != null) {
+                    logEntryBuilder
+                        .with(ORIGIN_TYPE_FIELD_NAME, REST_ORIGIN_FIELD_VALUE)
+                        .with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(restAddress));
+                } else if (remoteAddress != null) {
+                    logEntryBuilder
+                        .with(ORIGIN_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
+                        .with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(remoteAddress.address()));
+                }
+                logger.info(logEntryBuilder.build());
+            }
+        }
+    }
+
     @Override
     public void accessDenied(String requestId, Authentication authentication, String action, TransportMessage message,
                              AuthorizationInfo authorizationInfo) {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java

@@ -64,6 +64,7 @@
 import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.core.security.user.XPackSecurityUser;
 import org.elasticsearch.xpack.core.security.user.XPackUser;
+import org.elasticsearch.xpack.security.audit.AuditLevel;
 import org.elasticsearch.xpack.security.audit.AuditTrailService;
 import org.elasticsearch.xpack.security.audit.AuditUtil;
 import org.elasticsearch.xpack.security.authz.interceptor.RequestInterceptor;
@@ -311,10 +312,12 @@ private void handleIndexActionAuthorizationResult(final IndexAuthorizationResult
             // if this is performing multiple actions on the index, then check each of those actions.
             assert request instanceof BulkShardRequest
                 : "Action " + action + " requires " + BulkShardRequest.class + " but was " + request.getClass();
-            authorizeBulkItems(requestInfo, authzInfo, authzEngine, resolvedIndicesAsyncSupplier, authorizedIndicesSupplier,
-                metaData, requestId,
-                ActionListener.wrap(ignore -> runRequestInterceptors(requestInfo, authzInfo, authorizationEngine, listener),
-                    listener::onFailure));
+            authorizeBulkItems(requestInfo, authzInfo, authzEngine, resolvedIndicesAsyncSupplier, authorizedIndicesSupplier, metaData,
+                    requestId,
+                    wrapPreservingContext(
+                            ActionListener.wrap(ignore -> runRequestInterceptors(requestInfo, authzInfo, authorizationEngine, listener),
+                                    listener::onFailure),
+                            threadContext));
         } else {
             runRequestInterceptors(requestInfo, authzInfo, authorizationEngine, listener);
         }
@@ -496,11 +499,12 @@ private void authorizeBulkItems(RequestInfo requestInfo, AuthorizationInfo authz
                         for (BulkItemRequest item : request.items()) {
                             final String resolvedIndex = resolvedIndexNames.get(item.index());
                             final String itemAction = getAction(item);
-                            final IndicesAccessControl indicesAccessControl = actionToIndicesAccessControl.get(getAction(item));
+                            final IndicesAccessControl indicesAccessControl = actionToIndicesAccessControl.get(itemAction);
                             final IndicesAccessControl.IndexAccessControl indexAccessControl
                                 = indicesAccessControl.getIndexPermissions(resolvedIndex);
                             if (indexAccessControl == null || indexAccessControl.isGranted() == false) {
-                                auditTrail.accessDenied(requestId, authentication, itemAction, request, authzInfo);
+                                auditTrail.explicitIndexAccessEvent(requestId, AuditLevel.ACCESS_DENIED, authentication, itemAction,
+                                        resolvedIndex, item.getClass().getSimpleName(), request.remoteAddress(), authzInfo);
                                 item.abort(resolvedIndex, denialException(authentication, itemAction, null));
                             }
                         }
@@ -522,7 +526,7 @@ private void authorizeBulkItems(RequestInfo requestInfo, AuthorizationInfo authz
             }, listener::onFailure));
     }
 
-    private IllegalArgumentException illegalArgument(String message) {
+    private static IllegalArgumentException illegalArgument(String message) {
         assert false : message;
         return new IllegalArgumentException(message);
     }