EXT-1555 Add audit log on receive for unauthorized requests (#26099)

StekPerepolnen · StekPerepolnen · commit f4d5afdfba32 · 2025-10-02T19:53:23.000+02:00
diff --git a/ydb/core/mon/async_http_mon.cpp b/ydb/core/mon/async_http_mon.cpp
@@ -217,6 +217,7 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor
                 return;
             }
         }
+        AuditCtx.LogOnReceived();
         SendRequest();
     }
     void ReplyWith(NHttp::THttpOutgoingResponsePtr response) {
@@ -350,7 +351,6 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor
         if (result && result->UserToken) {
             serializedToken = result->UserToken->GetSerializedToken();
         }
-        AuditCtx.LogOnReceived();
         Send(ActorMonPage->TargetActorId, new NMon::TEvHttpInfo(
             Container, serializedToken), IEventHandle::FlagTrackDelivery);
     }
@@ -377,6 +377,7 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor
     void Handle(NKikimr::NGRpcService::TEvRequestAuthAndCheckResult::TPtr& ev) {
         const NKikimr::NGRpcService::TEvRequestAuthAndCheckResult& result(*ev->Get());
         AuditCtx.AddAuditLogParts(result.AuditLogParts);
+        AuditCtx.LogOnReceived();
         if (result.UserToken) {
             AuditCtx.SetSubjectType(result.UserToken->GetSubjectType());
         }
diff --git a/ydb/tests/functional/audit/canondata/test_canonical_records.test_dml_through_http/audit_log.json b/ydb/tests/functional/audit/canondata/test_canonical_records.test_dml_through_http/audit_log.json
@@ -1,4 +1,5 @@
 {"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "other-user@builtin"}
+{"body": "{\"action\": \"execute-query\", \"base64\": false, \"database\": \"/Root\", \"query\": \"SELECT 42\", \"stats\": \"full\", \"syntax\": \"yql_v1\", \"tracingLevel\": 9}", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "schema=multi&base64=false", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "IN-PROCESS", "subject": "other-user@builtin", "url": "/viewer/json/query"}
 {"body": "{\"action\": \"execute-query\", \"base64\": false, \"database\": \"/Root\", \"query\": \"SELECT 42\", \"stats\": \"full\", \"syntax\": \"yql_v1\", \"tracingLevel\": 9}", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "schema=multi&base64=false", "reason": "403 Forbidden", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "ERROR", "subject": "other-user@builtin", "url": "/viewer/json/query"}
 {"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "root@builtin"}
 {"body": "{\"action\": \"execute-query\", \"base64\": false, \"database\": \"/Root\", \"query\": \"SELECT 42\", \"stats\": \"full\", \"syntax\": \"yql_v1\", \"tracingLevel\": 9}", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "schema=multi&base64=false", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "status": "IN-PROCESS", "subject": "root@builtin", "url": "/viewer/json/query"}
diff --git a/ydb/tests/functional/audit/canondata/test_canonical_records.test_kill_tablet_using_developer_ui/audit_log.json b/ydb/tests/functional/audit/canondata/test_canonical_records.test_kill_tablet_using_developer_ui/audit_log.json
@@ -1,4 +1,5 @@
 {"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "other-user@builtin"}
+{"component": "monitoring", "method": "GET", "operation": "HTTP REQUEST", "params": "RestartTabletID=<canonized_tablet_id>", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "IN-PROCESS", "subject": "other-user@builtin", "url": "/tablets"}
 {"component": "monitoring", "method": "GET", "operation": "HTTP REQUEST", "params": "RestartTabletID=<canonized_tablet_id>", "reason": "403 Forbidden", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "ERROR", "subject": "other-user@builtin", "url": "/tablets"}
 {"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "root@builtin"}
 {"component": "monitoring", "method": "GET", "operation": "HTTP REQUEST", "params": "RestartTabletID=<canonized_tablet_id>", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "status": "IN-PROCESS", "subject": "root@builtin", "url": "/tablets"}
diff --git a/ydb/tests/functional/audit/canondata/test_canonical_records.test_restart_pdisk/audit_log.json b/ydb/tests/functional/audit/canondata/test_canonical_records.test_restart_pdisk/audit_log.json
@@ -1,4 +1,5 @@
 {"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "other-user@builtin"}
+{"body": "restartPDisk=&ignoreChecks=true", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "/actors/pdisks/pdisk000000001", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "IN-PROCESS", "subject": "other-user@builtin", "url": "/actors/pdisks/pdisk000000001"}
 {"body": "restartPDisk=&ignoreChecks=true", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "/actors/pdisks/pdisk000000001", "reason": "403 Forbidden", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "ERROR", "subject": "other-user@builtin", "url": "/actors/pdisks/pdisk000000001"}
 {"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "root@builtin"}
 {"body": "restartPDisk=&ignoreChecks=true", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "/actors/pdisks/pdisk000000001", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "status": "IN-PROCESS", "subject": "root@builtin", "url": "/actors/pdisks/pdisk000000001"}

Original file line number	Diff line number	Diff line change
`@@ -217,6 +217,7 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor`
`217`	`217`	`return;`
`218`	`218`	`}`
`219`	`219`	`}`
	`220`	`+ AuditCtx.LogOnReceived();`
`220`	`221`	`SendRequest();`
`221`	`222`	`}`
`222`	`223`	`void ReplyWith(NHttp::THttpOutgoingResponsePtr response) {`
`@@ -350,7 +351,6 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor`
`350`	`351`	`if (result && result->UserToken) {`
`351`	`352`	`serializedToken = result->UserToken->GetSerializedToken();`
`352`	`353`	`}`
`353`		`- AuditCtx.LogOnReceived();`
`354`	`354`	`Send(ActorMonPage->TargetActorId, new NMon::TEvHttpInfo(`
`355`	`355`	`Container, serializedToken), IEventHandle::FlagTrackDelivery);`
`356`	`356`	`}`
`@@ -377,6 +377,7 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor`
`377`	`377`	`void Handle(NKikimr::NGRpcService::TEvRequestAuthAndCheckResult::TPtr& ev) {`
`378`	`378`	`const NKikimr::NGRpcService::TEvRequestAuthAndCheckResult& result(*ev->Get());`
`379`	`379`	`AuditCtx.AddAuditLogParts(result.AuditLogParts);`
	`380`	`+ AuditCtx.LogOnReceived();`
`380`	`381`	`if (result.UserToken) {`
`381`	`382`	`AuditCtx.SetSubjectType(result.UserToken->GetSubjectType());`
`382`	`383`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`{"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "other-user@builtin"}`
	`2`	`+{"body": "{\"action\": \"execute-query\", \"base64\": false, \"database\": \"/Root\", \"query\": \"SELECT 42\", \"stats\": \"full\", \"syntax\": \"yql_v1\", \"tracingLevel\": 9}", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "schema=multi&base64=false", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "IN-PROCESS", "subject": "other-user@builtin", "url": "/viewer/json/query"}`
`2`	`3`	`{"body": "{\"action\": \"execute-query\", \"base64\": false, \"database\": \"/Root\", \"query\": \"SELECT 42\", \"stats\": \"full\", \"syntax\": \"yql_v1\", \"tracingLevel\": 9}", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "schema=multi&base64=false", "reason": "403 Forbidden", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "ERROR", "subject": "other-user@builtin", "url": "/viewer/json/query"}`
`3`	`4`	`{"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "root@builtin"}`
`4`	`5`	`{"body": "{\"action\": \"execute-query\", \"base64\": false, \"database\": \"/Root\", \"query\": \"SELECT 42\", \"stats\": \"full\", \"syntax\": \"yql_v1\", \"tracingLevel\": 9}", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "schema=multi&base64=false", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "status": "IN-PROCESS", "subject": "root@builtin", "url": "/viewer/json/query"}`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`{"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "other-user@builtin"}`
	`2`	`+{"component": "monitoring", "method": "GET", "operation": "HTTP REQUEST", "params": "RestartTabletID=<canonized_tablet_id>", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "IN-PROCESS", "subject": "other-user@builtin", "url": "/tablets"}`
`2`	`3`	`{"component": "monitoring", "method": "GET", "operation": "HTTP REQUEST", "params": "RestartTabletID=<canonized_tablet_id>", "reason": "403 Forbidden", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "ERROR", "subject": "other-user@builtin", "url": "/tablets"}`
`3`	`4`	`{"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "root@builtin"}`
`4`	`5`	`{"component": "monitoring", "method": "GET", "operation": "HTTP REQUEST", "params": "RestartTabletID=<canonized_tablet_id>", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "status": "IN-PROCESS", "subject": "root@builtin", "url": "/tablets"}`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`{"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "other-user@builtin"}`
	`2`	`+{"body": "restartPDisk=&ignoreChecks=true", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "/actors/pdisks/pdisk000000001", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "IN-PROCESS", "subject": "other-user@builtin", "url": "/actors/pdisks/pdisk000000001"}`
`2`	`3`	`{"body": "restartPDisk=&ignoreChecks=true", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "/actors/pdisks/pdisk000000001", "reason": "403 Forbidden", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "ERROR", "subject": "other-user@builtin", "url": "/actors/pdisks/pdisk000000001"}`
`3`	`4`	`{"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "root@builtin"}`
`4`	`5`	`{"body": "restartPDisk=&ignoreChecks=true", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "/actors/pdisks/pdisk000000001", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "status": "IN-PROCESS", "subject": "root@builtin", "url": "/actors/pdisks/pdisk000000001"}`