Switch to use upstream audit handler

soltysh · soltysh · commit 08c985eb9b80 · 2016-10-03T17:17:36.000+02:00
diff --git a/pkg/cmd/server/api/types.go b/pkg/cmd/server/api/types.go
@@ -325,6 +325,14 @@ type AuditConfig struct {
 	// If this flag is set, audit log will be printed in the logs.
 	// The logs contains, method, user and a requested URL.
 	Enabled bool
+	// All requests coming to the apiserver will be logged to this file.
+	Path string
+	// Maximum number of days to retain old audit log files based on the timestamp encoded in their filename.
+	MaxAge int
+	// Maximum number of old audit log files to retain.
+	MaxBackups int
+	// Maximum size in megabytes of the audit log file before it gets rotated. Defaults to 100MB.
+	MaxSize int
 }
 
 // JenkinsPipelineConfig holds configuration for the Jenkins pipeline strategy
diff --git a/pkg/cmd/server/api/v1/types.go b/pkg/cmd/server/api/v1/types.go
@@ -251,6 +251,14 @@ type AuditConfig struct {
 	// If this flag is set, basic audit log will be printed in the logs.
 	// The logs contains, method, user and a requested URL.
 	Enabled bool `json:"enabled"`
+	// All requests coming to the apiserver will be logged to this file.
+	Path string `json:"path"`
+	// Maximum number of days to retain old audit log files based on the timestamp encoded in their filename.
+	MaxAge int `json:"maxAge"`
+	// Maximum number of old audit log files to retain.
+	MaxBackups int `json:"maxBackups"`
+	// Maximum size in megabytes of the audit log file before it gets rotated. Defaults to 100MB.
+	MaxSize int `json:"maxSize"`
 }
 
 // JenkinsPipelineConfig holds configuration for the Jenkins pipeline strategy
diff --git a/pkg/cmd/server/origin/audit.go b/pkg/cmd/server/origin/audit.go
diff --git a/pkg/cmd/server/origin/audit_test.go b/pkg/cmd/server/origin/audit_test.go
diff --git a/pkg/cmd/server/origin/master.go b/pkg/cmd/server/origin/master.go
@@ -16,6 +16,7 @@ import (
 	"github.com/go-openapi/spec"
 	"github.com/golang/glog"
 	"github.com/prometheus/client_golang/prometheus"
+	"gopkg.in/natefinch/lumberjack.v2"
 
 	kapi "k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/meta"
@@ -25,6 +26,7 @@ import (
 	"k8s.io/kubernetes/pkg/apimachinery/registered"
 	v1beta1extensions "k8s.io/kubernetes/pkg/apis/extensions/v1beta1"
 	"k8s.io/kubernetes/pkg/apiserver"
+	"k8s.io/kubernetes/pkg/apiserver/audit"
 	"k8s.io/kubernetes/pkg/client/restclient"
 	kclient "k8s.io/kubernetes/pkg/client/unversioned"
 	clientadapter "k8s.io/kubernetes/pkg/client/unversioned/adapters/internalclientset"
@@ -177,7 +179,17 @@ func (c *MasterConfig) Run(protected []APIInstaller, unprotected []APIInstaller)
 	handler = c.authorizationFilter(handler)
 	handler = c.impersonationFilter(handler)
 	// audit handler must comes before the impersonationFilter to read the original user
-	handler = c.auditHandler(handler)
+	if c.Options.AuditConfig.Enabled {
+		attributeGetter := apiserver.NewRequestAttributeGetter(c.getRequestContextMapper(), c.getRequestInfoResolver())
+		writer := &lumberjack.Logger{
+			Filename:   c.Options.AuditConfig.Path,
+			MaxAge:     c.Options.AuditConfig.MaxAge,
+			MaxBackups: c.Options.AuditConfig.MaxBackups,
+			MaxSize:    c.Options.AuditConfig.MaxSize,
+		}
+		handler = audit.WithAudit(handler, attributeGetter, writer)
+		defer writer.Close()
+	}
 	handler = authenticationHandlerFilter(handler, c.Authenticator, c.getRequestContextMapper())
 	handler = namespacingFilter(handler, c.getRequestContextMapper())
 	handler = cacheControlFilter(handler, "no-store") // protected endpoints should not be cached
@@ -861,6 +873,23 @@ func (c *MasterConfig) getRequestContextMapper() kapi.RequestContextMapper {
 	return c.RequestContextMapper
 }
 
+// getRequestInfoResolver returns a request resolver.
+func (c *MasterConfig) getRequestInfoResolver() *apiserver.RequestInfoResolver {
+	if c.RequestInfoResolver == nil {
+		c.RequestInfoResolver = &apiserver.RequestInfoResolver{
+			APIPrefixes: sets.NewString(strings.Trim(LegacyOpenShiftAPIPrefix, "/"),
+				strings.Trim(OpenShiftAPIPrefix, "/"),
+				strings.Trim(KubernetesAPIPrefix, "/"),
+				strings.Trim(KubernetesAPIGroupPrefix, "/")), // all possible API prefixes
+			GrouplessAPIPrefixes: sets.NewString(strings.Trim(LegacyOpenShiftAPIPrefix, "/"),
+				strings.Trim(OpenShiftAPIPrefix, "/"),
+				strings.Trim(KubernetesAPIPrefix, "/"),
+			), // APIPrefixes that won't have groups (legacy)
+		}
+	}
+	return c.RequestInfoResolver
+}
+
 // RouteAllocator returns a route allocation controller.
 func (c *MasterConfig) RouteAllocator() *routeallocationcontroller.RouteAllocationController {
 	osclient, kclient := c.RouteAllocatorClients()
diff --git a/pkg/cmd/server/origin/master_config.go b/pkg/cmd/server/origin/master_config.go
@@ -111,6 +111,8 @@ type MasterConfig struct {
 
 	// RequestContextMapper maps requests to contexts
 	RequestContextMapper kapi.RequestContextMapper
+	// RequestInfoResolver is responsible for reading request attributes
+	RequestInfoResolver *apiserver.RequestInfoResolver
 
 	AdmissionControl admission.Interface
 
