CLDSRV-750: add raftSessionID to server access logs

Author: leif-scality

lib/metadata/metadataUtils.js

@@ -10,13 +10,15 @@ const { onlyOwnerAllowed } = require('../../constants');
 const { actionNeedQuotaCheck, actionWithDataDeletion } = require('arsenal/build/lib/policyEvaluator/RequestContext');
 const { processBytesToWrite, validateQuotas } = require('../api/apiUtils/quotas/quotaUtils');
 
-function storeServerAccessLogInfo(request, authInfo, bucket) {
+function storeServerAccessLogInfo(request, bucket, raftSessionId) {
     /* eslint-disable no-param-reassign */
 
     if (!request || !request.serverAccessLog) {
         return;
     }
 
+    request.serverAccessLog.raftSessionID = raftSessionId;
+
     if (bucket) {
         request.serverAccessLog.bucketOwner = bucket.getOwner();
         request.serverAccessLog.bucketName = bucket.getName();
@@ -216,50 +218,51 @@ function standardMetadataValidateBucketAndObj(params, actionImplicitDenies, log,
             if (getDeleteMarker) {
                 getOptions.getDeleteMarker = true;
             }
-            return metadata.getBucketAndObjectMD(bucketName, objectKey, getOptions, log, (err, getResult) => {
-                if (err) {
-                    // if some implicit iamAuthzResults, return AccessDenied
-                    // before leaking any state information
-                    if (actionImplicitDenies && Object.values(actionImplicitDenies).some(v => v === true)) {
-                        return next(errors.AccessDenied);
+            return metadata.getBucketAndObjectMD(bucketName, objectKey, getOptions, log,
+                (err, getResult, raftSessionId) => {
+                    if (err) {
+                        // if some implicit iamAuthzResults, return AccessDenied
+                        // before leaking any state information
+                        if (actionImplicitDenies && Object.values(actionImplicitDenies).some(v => v === true)) {
+                            return next(errors.AccessDenied);
+                        }
+                        return next(err);
                     }
-                    return next(err);
-                }
-                return next(null, getResult);
-            });
+                    return next(null, getResult, raftSessionId);
+                });
         },
-        (getResult, next) => {
+        (getResult, raftSessionId, next) => {
             const bucket = getResult.bucket ?
                   BucketInfo.deSerialize(getResult.bucket) : undefined;
             if (!bucket) {
                 log.debug('bucketAttrs is undefined', {
                     bucket: bucketName,
                     method: 'metadataValidateBucketAndObj',
                 });
-                return next(errors.NoSuchBucket);
+                return next(errors.NoSuchBucket, raftSessionId);
             }
             const validationError = validateBucket(bucket, params, log, actionImplicitDenies);
             if (validationError) {
-                return next(validationError, bucket);
+                return next(validationError, bucket, raftSessionId);
             }
             const objMD = getResult.obj ? JSON.parse(getResult.obj) : undefined;
             if (!objMD && versionId === 'null') {
                 return getNullVersionFromMaster(bucketName, objectKey, log,
-                     (err, nullVer) => next(err, bucket, nullVer));
+                     (err, nullVer) => next(err, bucket, nullVer, raftSessionId));
             }
-            return next(null, bucket, objMD);
+            return next(null, bucket, objMD, raftSessionId);
         },
-        (bucket, objMD, next) => {
+        (bucket, objMD, raftSessionId, next) => {
             const objMetadata = objMD;
             const canonicalID = authInfo.getCanonicalID();
             if (!isObjAuthorized(bucket, objMetadata, requestType, canonicalID, authInfo, log, request,
                 actionImplicitDenies)) {
                 log.debug('access denied for user on object', { requestType });
-                return next(errors.AccessDenied, bucket);
+                return next(errors.AccessDenied, bucket, undefined, raftSessionId);
             }
 
             if (!objMetadata) {
-                return next(null, bucket, objMetadata);
+                return next(null, bucket, objMetadata, raftSessionId);
             }
 
             let returnTagCount = false;
@@ -276,25 +279,25 @@ function standardMetadataValidateBucketAndObj(params, actionImplicitDenies, log,
 
                 objMetadata.returnTagCount = returnTagCount;
             }
-            return next(null, bucket, objMetadata);
+            return next(null, bucket, objMetadata, raftSessionId);
         },
-        (bucket, objMD, next) => {
+        (bucket, objMD, raftSessionId, next) => {
             const needQuotaCheck = requestType => requestType.some(type => actionNeedQuotaCheck[type] ||
                 actionWithDataDeletion[type]);
             const checkQuota = params.checkQuota === undefined ? needQuotaCheck(requestType) : params.checkQuota;
             // withVersionId cover cases when an object is being restored with a specific version ID.
             // In this case, the storage space was already accounted for when the RestoreObject API call
             // was made, so we don't need to add any inflight, but quota must be evaluated.
             if (!checkQuota) {
-                return next(null, bucket, objMD);
+                return next(null, bucket, objMD, raftSessionId);
             }
             const contentLength = processBytesToWrite(request.apiMethod, bucket, versionId,
                 request?.parsedContentLength || 0, objMD, params.destObjMD);
             return validateQuotas(request, bucket, request.accountQuotas, requestType, request.apiMethod,
-                contentLength, withVersionId, log, err => next(err, bucket, objMD));
+                contentLength, withVersionId, log, err => next(err, bucket, objMD, raftSessionId));
         },
-    ], (err, bucket, objMD) => {
-        storeServerAccessLogInfo(request, authInfo, bucket);
+    ], (err, bucket, objMD, raftSessionId) => {
+        storeServerAccessLogInfo(request, bucket, raftSessionId);
         if (err) {
             // still return bucket for cors headers
             return callback(err, bucket);
@@ -316,8 +319,8 @@ function standardMetadataValidateBucketAndObj(params, actionImplicitDenies, log,
  */
 function standardMetadataValidateBucket(params, actionImplicitDenies, log, callback) {
     const { bucketName } = params;
-    return metadata.getBucket(bucketName, log, (err, bucket) => {
-        storeServerAccessLogInfo(params.request, params.authInfo, bucket);
+    return metadata.getBucket(bucketName, log, (err, bucket, raftSessionId) => { // Extract raft session id
+        storeServerAccessLogInfo(params.request, bucket, raftSessionId);
         if (err) {
             // if some implicit actionImplicitDenies, return AccessDenied before
             // leaking any state information

lib/utilities/serverAccesssLogger.js

@@ -306,7 +306,7 @@ function logServerAccess(params, req, res) {
         loggingTargetBucket: params.loggingEnabled ? params.loggingEnabled.TargetBucket : null,
         loggingTargetPrefix: params.loggingEnabled ? params.loggingEnabled.TargetPrefix : null,
         awsAccessKeyID: authInfo ? authInfo.getAccessKey() : null,
-        raftSessionID: null, // TODO
+        raftSessionID: params.raftSessionID || null,
     });
 }