Hi Daniel, I think in this sense we can use the precedence set with the KAfkaAdminClient. It has *Result and *Options classes which in this interpretation are similar in versioning and usage as they transform and convey the responses of the protocol in a minimalistic API. I've modified the KIP a bit and created some examples for these event classes. For now as the implementation I think we can treat this similarly to KIP-4 (AdminClient) which didn't push implementation for everything but rather pushed implementing everything to subsequent KIPs as the requirements become important. In this first KIP we can create the more important ones (listed in the "Default Implementation") section if that is fine.
Regarding the response passing: to be honest I feel like that it's not that strictly related to auditing but I think it's a good idea and could fit into this API. I think that we should design this current API with this in mind. Did you have any specific ideas about the implementation? Viktor On Tue, Sep 22, 2020 at 9:05 AM Dániel Urbán <urb.dani...@gmail.com> wrote: > An example I had in mind was the ProduceResponse - the auditor might need > access to the new end offset of the partitions. > The event-based approach sounds good - new events and fields can be added > on-demand. Do we need the same versioning strategy we use with the > requests/responses? > > Daniel > > Viktor Somogyi-Vass <viktorsomo...@gmail.com> ezt írta (időpont: 2020. > szept. 21., H, 14:08): > > > Hi Daniel, > > > > > If the auditor needs access to the details of the action, one could > argue > > that even the response should be passed down to the auditor. > > At this point I don't think we need to include responses into the > interface > > but if you have a use-case we can consider doing that. > > > > > Is it feasible to convert the Java requests and responses to public > API? > > Well I think that in this case we would need to actually transform a lot > of > > classes and that might be a bit too invasive. Although since the protocol > > itself *is* a public API it might make sense to have some kind of Java > > representation as a public API as well. > > > > > If not, do we have another option to access this info in the auditor? > > I think one option would be to do what the original KIP-567 was > > implemented. Basically we could have an AuditEvent interface that would > > contain request specific data. Its obvious drawback is that it has to be > > implemented for most of the 40 something protocols but on the upside > these > > classes shouldn't be complicated. I can try to do a PoC with this to see > > how it looks like and whether it solves the problem. To be honest I think > > it would be better than publishing the request classes as an API because > > here we're restricting access to only what is necessary. > > > > Thanks, > > Viktor > > > > > > > > On Fri, Sep 18, 2020 at 8:37 AM Dániel Urbán <urb.dani...@gmail.com> > > wrote: > > > > > Hi, > > > > > > Thanks for the KIP. > > > > > > If the auditor needs access to the details of the action, one could > argue > > > that even the response should be passed down to the auditor. > > > Is it feasible to convert the Java requests and responses to public > API? > > > If not, do we have another option to access this info in the auditor? > > > I know that the auditor could just send proper requests through the API > > to > > > the brokers, but that seems like an awful lot of overhead, and could > > > introduce timing issues as well. > > > > > > Daniel > > > > > > > > > Viktor Somogyi-Vass <viktorsomo...@gmail.com> ezt írta (időpont: 2020. > > > szept. 16., Sze, 17:17): > > > > > > > One more after-thought on your second point (AbstractRequest): the > > > reason I > > > > introduced it in the first place was that this way implementers can > > > access > > > > request data. A use case can be if they want to audit a change in > > > > configuration or client quotas but not just acknowledge the fact that > > > such > > > > an event happened but also capture the change itself by peeking into > > the > > > > request. Sometimes it can be useful especially when people want to > > trace > > > > back the order of events and what happened when and not just > > acknowledge > > > > that there was an event of a certain kind. I also recognize that this > > > might > > > > be a very loose interpretation of auditing as it's not strictly > related > > > to > > > > authorization but rather a way of tracing the admin actions within > the > > > > cluster. It even could be a different API therefore but because of > the > > > > variety of the Kafka APIs it's very hard to give a method that fits > > all, > > > so > > > > it's easier to pass down the AbstractRequest and the implementation > can > > > do > > > > the extraction of valuable info. So that's why I added this in the > > first > > > > place and I'm interested in your thoughts. > > > > > > > > On Wed, Sep 16, 2020 at 4:41 PM Viktor Somogyi-Vass < > > > > viktorsomo...@gmail.com> > > > > wrote: > > > > > > > > > Hi Mickael, > > > > > > > > > > Thanks for reviewing the KIP. > > > > > > > > > > 1.) I just wanted to follow the conventions used with the > Authorizer > > as > > > > it > > > > > is built in a similar fashion, although it's true that in > KafkaServer > > > we > > > > > call the configure() method and the start() in the next line. This > > > would > > > > be > > > > > the same in Auditor and even simpler as there aren't any parameters > > to > > > > > start(), so I can remove it. If it turns out there is a need for > it, > > we > > > > can > > > > > add it later. > > > > > > > > > > 2.) Yes, this is a very good point, I will remove it, however in > this > > > > case > > > > > I don't think we need to add the ApiKey as it is already available > in > > > > > AuthorizableRequestContext.requestType(). One less parameter :). > > > > > > > > > > 3.) I'll add it. It will simply log important changes in the > cluster > > > like > > > > > topic events (create, update, delete, partition or replication > factor > > > > > change), ACL events, config changes, reassignment, altering log > dirs, > > > > > offset delete, group delete with the authorization info like who > > > > initiated > > > > > the call, was it authorized, were there any errors. Let me know if > > you > > > > > think there are other APIs I should include. > > > > > > > > > > 4.) The builder is there mostly for easier usability but actually > > > > thinking > > > > > of it it doesn't help much so I removed it. The AuditInfo is also a > > > > helper > > > > > class so I don't see any value in transforming it into an interface > > but > > > > if > > > > > I simplify it (by removing the builder) it will be cleaner. Would > > that > > > > work? > > > > > > > > > > I'll update the KIP to reflect my answers. > > > > > > > > > > Viktor > > > > > > > > > > > > > > > On Mon, Sep 14, 2020 at 6:02 PM Mickael Maison < > > > mickael.mai...@gmail.com > > > > > > > > > > wrote: > > > > > > > > > >> Hi Viktor, > > > > >> > > > > >> Thanks for restarting the discussion on this KIP. Being able to > > easily > > > > >> audit usage of a Kafka cluster is a very valuable feature. > > > > >> > > > > >> Regarding the API, I have a few of questions: > > > > >> 1) You introduced a start() method. I don't think any other > > interfaces > > > > >> have such a method. Users can do any setup they want in > configure() > > > > >> > > > > >> 2) The first argument of audit is an AbstractRequest. > Unfortunately > > > > >> this type is not part of the public API. But actually I'm not sure > > > > >> having the full request is really needed here. Maybe just passing > > the > > > > >> Apikey would be enough as we already have all the resources from > the > > > > >> auditInfos field. > > > > >> > > > > >> 3) The KIP mentions a "LoggingAuditor" default implementation. > What > > is > > > > >> it doing? Can you add more details about it? > > > > >> > > > > >> 4) Can fields of AuditInfo be null? I can see there's a > constructor > > > > >> without an Errors and that sets the error field to None. However, > > with > > > > >> the builder pattern, if error is not set it's null. > > > > >> > > > > >> 5) Should AuditInfo be an interface? > > > > >> > > > > >> On Mon, Sep 14, 2020 at 3:26 PM Viktor Somogyi-Vass > > > > >> <viktorsomo...@gmail.com> wrote: > > > > >> > > > > > >> > Hi everyone, > > > > >> > > > > > >> > Changed the interface a little bit to accommodate methods better > > > where > > > > >> > authorization happens for multiple operations so the implementer > > of > > > > the > > > > >> > audit interface will receive all authorizations together. > > > > >> > I'll wait a few more days to allow people to react or give > > feedback > > > > but > > > > >> if > > > > >> > there are no objections until then, I'll start a vote. > > > > >> > > > > > >> > Viktor > > > > >> > > > > > >> > On Tue, Sep 8, 2020 at 9:49 AM Viktor Somogyi-Vass < > > > > >> viktorsomo...@gmail.com> > > > > >> > wrote: > > > > >> > > > > > >> > > Hi Everyone, > > > > >> > > > > > > >> > > I'd like to restart the discussion on this. Since the KIP has > > been > > > > >> > > revamped I thought I'd start a new discussion thread. > > > > >> > > > > > > >> > > Link: > > > > >> > > > > > > >> > > > > > > > > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-567%3A+Kafka+Cluster+Audit > > > > >> > > > > > > >> > > Short summary: > > > > >> > > - Would like to introduce a new interface similar to the > > > Authorizer > > > > >> called > > > > >> > > Auditor as follows: > > > > >> > > public interface Auditor { > > > > >> > > audit(Request r, AuthorizableRequestContext c, > > > AclOperation > > > > >> > > o, Map<ResourcePattern, Boolean> isAllowed, > Map<ResourcePattern, > > > > >> Errors> > > > > >> > > errors); > > > > >> > > } > > > > >> > > - Basically it would pass down the request and the > authorization > > > > >> > > information to the auditor implementation where various kind > of > > > > >> reporting > > > > >> > > can be done based on the request. > > > > >> > > - A new config would be added called "auditor" which is > similar > > to > > > > the > > > > >> > > "authorizer" config, but users can pass a list of auditor > class > > > > names. > > > > >> > > - The implementation is expected to be low latency similarly > to > > > the > > > > >> > > Authorizer. > > > > >> > > - A default implementation will be added that logs into a > file. > > > > >> > > > > > > >> > > I appreciate any feedback on this. > > > > >> > > > > > > >> > > Best, > > > > >> > > Viktor > > > > >> > > > > > > >> > > > > > > > > > > > > > > >
