[ 
https://issues.apache.org/jira/browse/KAFKA-19105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17947140#comment-17947140
 ] 

Azhar Ahmed commented on KAFKA-19105:
-------------------------------------

[~xiaoheipangzi] Can I work on this?

> Add Audit Logging for Authentication Events with Performance Consideration
> --------------------------------------------------------------------------
>
>                 Key: KAFKA-19105
>                 URL: https://issues.apache.org/jira/browse/KAFKA-19105
>             Project: Kafka
>          Issue Type: Improvement
>          Components: security
>            Reporter: lujie
>            Priority: Major
>
> *Motivation:*
> Currently, Kafka lacks proper audit logging for authentication events. While 
> authorization events are well logged, authentication attempts (both 
> successful and failed) don't have dedicated audit logs. This makes it 
> difficult to track authentication activities and troubleshoot security issues 
> in production environments.
>  
> *Problem:*
> 1. No dedicated audit logging for authentication attempts
> 2. Security teams cannot effectively monitor authentication activities
> 3. Troubleshooting authentication issues requires enabling debug logs for the 
> entire security component
> 4. Compliance requirements for authentication audit trails are not met
>  
> *Proposed Changes:* 
> Add dedicated audit logging with performance consideration:
> {code:java}
> import java.io.IOException;
> import javax.security.sasl.SaslException;
> import javax.security.sasl.SaslServer;
> import org.apache.kafka.common.errors.SaslAuthenticationException;
> import org.apache.kafka.common.network.Authenticator;
> import org.apache.kafka.common.network.TransportLayer;
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
>  
> public class SaslServerAuthenticator implements Authenticator {
>     private static final Logger LOG = LoggerFactory.getLogger(SaslServerAuthenticator.class);
>     // Dedicated logger name so audit output can be routed to its own appender.
>     private static final Logger AUDIT_LOG = LoggerFactory.getLogger("kafka.security.audit");
>  
>     // Fields already present in the existing authenticator; shown here only for context.
>     private SaslServer saslServer;
>     private TransportLayer transportLayer;
>     private String connectionId;
>     private String mechanism;
>  
>     private void handleSaslToken(byte[] clientToken) throws IOException {
>         try {
>             byte[] response = saslServer.evaluateResponse(clientToken);
>             if (saslServer.isComplete()) {
>                 // Use TRACE level for successful authentication
>                 if (AUDIT_LOG.isTraceEnabled()) {
>                     AUDIT_LOG.trace("Authentication successful - Connection: {}, " +
>                         "Client: {}, Principal: {}, Mechanism: {}",
>                         connectionId,
>                         transportLayer.socketChannel().getRemoteAddress(),
>                         saslServer.getAuthorizationID(),
>                         mechanism);
>                 }
>             }
>         } catch (SaslException e) {
>             // Use DEBUG level for failed authentication
>             if (AUDIT_LOG.isDebugEnabled()) {
>                 AUDIT_LOG.debug("Authentication failed - Connection: {}, " +
>                     "Client: {}, Mechanism: {}, Error: {}",
>                     connectionId,
>                     transportLayer.socketChannel().getRemoteAddress(),
>                     mechanism,
>                     e.getMessage());
>             }
>             throw new SaslAuthenticationException("SASL Authentication failed", e);
>         }
>     }
> }
> {code}
>  
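As an added example (not part of the issue or of Kafka's own code), a small consumer for the audit lines the proposal would emit: it parses both message shapes and reports client IPs with repeated failed attempts, which is what a security team would build on top of such a log. The sample lines and their log4j prefix are constructed; the field layout follows the two format strings in the proposal.

```python
import re
from collections import Counter

# Regexes for the two message shapes proposed in KAFKA-19105.
SUCCESS_RE = re.compile(
    r"Authentication successful - Connection: (?P<conn>\S+), "
    r"Client: (?P<client>\S+), Principal: (?P<principal>\S+), Mechanism: (?P<mech>\S+)"
)
FAILURE_RE = re.compile(
    r"Authentication failed - Connection: (?P<conn>\S+), "
    r"Client: (?P<client>\S+), Mechanism: (?P<mech>\S+), Error: (?P<error>.*)"
)


def parse_audit_line(line):
    """Return a dict describing the event, or None if the line is not an audit event."""
    m = SUCCESS_RE.search(line)
    if m:
        return {"outcome": "success", **m.groupdict()}
    m = FAILURE_RE.search(line)
    if m:
        # 'error' keeps whatever follows, including any logger-name suffix.
        return {"outcome": "failure", **m.groupdict()}
    return None


def failed_client_ips(lines, threshold):
    """Map client IP (port stripped) -> failure count, for IPs at or above threshold."""
    counts = Counter()
    for line in lines:
        ev = parse_audit_line(line)
        if ev and ev["outcome"] == "failure":
            # Client is rendered from SocketChannel.getRemoteAddress(), e.g. /10.0.0.9:51234
            ip = ev["client"].lstrip("/").rsplit(":", 1)[0]
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample lines in the proposed format, with a typical log4j prefix and suffix.
SAMPLE_LOG = """\
[2025-01-01 10:00:00,001] DEBUG Authentication failed - Connection: 10.0.0.5:9093-10.0.0.9:51234-1, Client: /10.0.0.9:51234, Mechanism: PLAIN, Error: Authentication failed: Invalid username or password (kafka.security.audit)
[2025-01-01 10:00:00,201] DEBUG Authentication failed - Connection: 10.0.0.5:9093-10.0.0.9:51235-2, Client: /10.0.0.9:51235, Mechanism: PLAIN, Error: Authentication failed: Invalid username or password (kafka.security.audit)
[2025-01-01 10:00:00,402] DEBUG Authentication failed - Connection: 10.0.0.5:9093-10.0.0.9:51236-3, Client: /10.0.0.9:51236, Mechanism: PLAIN, Error: Authentication failed: Invalid username or password (kafka.security.audit)
[2025-01-01 10:00:01,000] TRACE Authentication successful - Connection: 10.0.0.5:9093-10.0.0.7:40001-4, Client: /10.0.0.7:40001, Principal: alice, Mechanism: SCRAM-SHA-512 (kafka.security.audit)
[2025-01-01 10:00:02,000] INFO [KafkaServer id=1] started (kafka.server.KafkaServer)
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()
```

Because the proposal logs failures at DEBUG and successes at TRACE, a consumer like this only sees events if the `kafka.security.audit` logger is configured at TRACE in the broker's log4j configuration.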



--
This message was sent by Atlassian Jira
(v8.20.10#820010)