Skip to content

Certificate audit logging #136660

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gmjehovich wants to merge 18 commits into from
Closed

Certificate audit logging #136660

gmjehovich wants to merge 18 commits into from

Conversation

@gmjehovich
Copy link
Contributor

@gmjehovich gmjehovich commented Oct 16, 2025

Note: This PR includes changes from #136299 which must merge first.

This is currently a draft which adds Audit Logging to CrossClusterAccessAuthenticationService. Relevant files that are changed

  • CrossClusterAccessAuthenticationService.java (audit logging calls)
  • CrossClusterAccessAuthenticationServiceTests.java (new tests)
  • AuditTrail.java (new method signature)
  • LoggingAuditTrail.java (new method implementation)

Changes

  • Added authenticationFailed(requestId, token, action, remoteAddress) overload to AuditTrail
  • Modified tryAuthenticate() to call audit trail on authentication failures
  • Added unit tests verifying audit logging behavior

Testing Approach

Audit logging is tested via unit tests with mocked AuditTrail to verify we're calling the audit trail with the correct parameters for both success and failure scenarios.

I initially looked at AuditIT which reads audit logs from the test cluster, but it uses the newer ElasticsearchCluster test framework with log file access via cluster.getNodeLog(). The existing CrossClusterAccessAuthenticationServiceIntegTests uses internalCluster() which doesn't provide the same convenient API for log access, as far as I can tell.

However, I've started adding integration test audit verification by accessing the audit log files directly through the Environment and NodeEnvironment services available in internalCluster(); this code is present in CrossClusterAccessAuthenticationIntegTests.verifyAuditLogs. This allows reading the actual audit log to verify end-to-end audit trail behavior. The integration test audit verification is still being fleshed out but I think this approach is viable.

jfreden and others added 17 commits October 3, 2025 15:26
@jfreden
Send cross cluster api key signature as headers
1173919
@jfreden
Update docs/changelog/135674.yaml
e2c0425
@jfreden
Fix fips issue in test - different message
ac84479
@jfreden
Fix signer behaviour change in test
f406c8b
[CI] Auto commit changes from spotless
10b0281
@jfreden
Merge branch 'main' into add_signature_to_headers
7977629
@jfreden
Merge branch 'main' into add_signature_to_headers
26fe56b
@jfreden
Validate certificate identity from cross cluster creds
99fac10
@jfreden
Update docs/changelog/136299.yaml
0cc2ea3
[CI] Auto commit changes from spotless
69c9a17
@jfreden
fixup! Pattern match
eb7a3f7
@jfreden
Add pattern cache
d63b4ec
@gmjehovich
Add audit logging to CrossClusterAuthenticationService for certificat…
d46c3dd 
…e identity verification, header verification
@jfreden @gmjehovich
Validate certificate identity from cross cluster creds
0c9adab 
# Conflicts:
#	x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityCrossClusterApiKeySigningIT.java
#	x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
#	x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java
#	x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/CrossClusterAccessAuthenticationServiceIntegTests.java
@gmjehovich
Merge branch 'pr-136299' into pr-135674-test
d0b0a1c 
Rebase audit logging changes on top of latest signature verififcation changes
@gmjehovich
Add testing for audit logging for certificate verification
2b181fe
@gmjehovich
Access audit logs in CrossClusterAccessAuthenticationServiceIntegTests
4303b31
@gmjehovich gmjehovich requested a review from jfreden October 16, 2025 03:22
@gmjehovich
Copy link
Contributor Author

gmjehovich commented Oct 28, 2025

Closing. After further investigation with @jfreden, we determined there is not a need to add this new audit logging in the authenticateHeaders path

@gmjehovich gmjehovich closed this Oct 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jfreden jfreden Awaiting requested review from jfreden

Assignees

No one assigned

Labels

v9.3.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@gmjehovich @elasticsearchmachine @jfreden