add basic auditing capability

Jeff McCormick · Jeff McCormick · commit 9425b54f82b1 · 2018-02-01T13:50:13.000-06:00
diff --git a/apiserver/root.go b/apiserver/root.go
@@ -41,6 +41,9 @@ var RESTClient *rest.RESTClient
 // Clientset ...
 var Clientset *kubernetes.Clientset
 
+// AuditFlag if set to true will cause auditing to occur in the logs
+var AuditFlag bool
+
 // DebugFlag is the debug flag value
 var DebugFlag bool
 
@@ -62,6 +65,8 @@ var Credentials map[string]string
 func init() {
 	BasicAuth = true
 
+	AuditFlag = false
+
 	log.Infoln("apiserver starts")
 
 	getCredentials()
@@ -126,6 +131,11 @@ func initConfig() {
 		log.Debug("config file not found")
 	}
 
+	AuditFlag = viper.GetBool("Pgo.Audit")
+	if AuditFlag {
+		log.Info("audit flag is set to true")
+	}
+
 	if DebugFlag || viper.GetBool("Pgo.Debug") {
 		log.Debug("debug flag is set to true")
 		log.SetLevel(log.DebugLevel)
@@ -231,6 +241,10 @@ func Authn(where string, w http.ResponseWriter, r *http.Request) error {
 	w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
 
 	username, password, authOK := r.BasicAuth()
+	if AuditFlag {
+		log.Infof("[audit] %s username=[%s] method=[%s]\n", where, username, r.Method)
+	}
+
 	log.Debugf("Authn Attempt %s username=[%s] password=[%s]\n", where, username, password)
 	if authOK == false {
 		http.Error(w, "Not authorized", 401)
diff --git a/conf/apiserver/pgo.yaml b/conf/apiserver/pgo.yaml
@@ -1,7 +1,7 @@
 Namespace:  demo
 Cluster:
   CCPImagePrefix:  crunchydata
-  CCPImageTag:  centos7-10.1-1.7.0
+  CCPImageTag:  centos7-10.1-1.7.1
   Port:  5432
   User:  testuser
   Database:  userdb
@@ -22,6 +22,7 @@ ReplicaStorage:
   Size:  200M
   StorageType:  create
 Pgo:
+  Audit:  false
   LSPVCTemplate:  /config/pgo.lspvc-template.json
   LoadTemplate:  /config/pgo.load-template.json
   COImagePrefix:  crunchydata
diff --git a/docs/operator-docs.asciidoc b/docs/operator-docs.asciidoc
@@ -546,6 +546,7 @@ ReplicaStorage:
   Size:  200M
   StorageType:  create
 Pgo:
+  Audit:  true
   APIServerUrl:  http://localhost:8080
   LSPVCTemplate:  /config/pgo.lspvc-template.json
   CSVLoadTemplate:  /config/pgo.load-template.json
@@ -594,6 +595,7 @@ Values in the pgo configuration file have the following meaning:
 |Pgo.LoadTemplate        | the load template file used for load jobs
 |Pgo.COImagePrefix        | image tag prefix to use for the Operator containers
 |Pgo.COImageTag        | image tag to use for the Operator containers
+|Pgo.Audit        | boolean, if set to true will cause each apiserver call to be logged with an *audit* marking
 |======================
 
 *NOTE*: Regarding the PVC access mode variable; this is automatically set to ReadWriteMany but
