curie71 opened a new pull request, #13090:
URL: https://github.com/apache/kafka/pull/13090
KAFKA-14605 StandardAuthorizer log at INFO level when logIfDenied is
set(otherwise, we log at TRACE), but at debug level when logIfAllowed is set.
Since audit log is security log, it should be logged at default verbosity
level, not debug or trace when logIfAllowed is set.
So I think, log at INFO when allow, and log at WARN when deny is better.
```java
private void logAuditMessage(
...... ) {
switch (rule.result()) {
case ALLOWED:
if (action.logIfAllowed() && auditLog.isDebugEnabled()) {
auditLog.debug(......); // info maybe better
} else if (auditLog.isTraceEnabled()) {
auditLog.trace(buildAuditMessage(principal,
requestContext, action, rule));
}
return;
case DENIED:
if (action.logIfDenied()) {
auditLog.info(......); // warn maybe better
} else if (auditLog.isTraceEnabled()) {
auditLog.trace(buildAuditMessage(principal,
requestContext, action, rule));
}
}
}
```
### Committer Checklist (excluded from commit message)
- [ ] Verify design and implementation
- [ ] Verify test coverage and CI build status
- [ ] Verify documentation (including upgrade notes)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
