Audit logging API?

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Audit logging API?

Gus Heck
in the security documentation here: https://lucene.apache.org/solr/guide/8_1/authentication-and-authorization-plugins.html#in-standalone-mode

we give the following advice:

Once security.json has been uploaded to ZooKeeper, you should use the appropriate APIs for the plugins you’re using to update it. You can edit it manually, but you must take care to remove any version data so it will be properly updated across all ZooKeeper nodes. The version data is found at the end of the security.json file, and will appear as the letter "v" followed by a number, such as {"v":138}.

However, I don't see any API mentioned in https://lucene.apache.org/solr/guide/8_1/audit-logging.html ? Is this planned for the future?

Also I sort of wonder why security.json is keeping it's own version in the json rather than relying on zookeeper's node versions like everything else? What problem do we have there that we don't have in the rest of our json files?

Reply | Threaded
Open this post in threaded view
|

Re: Audit logging API?

Jan Høydahl / Cominvent
We'll need to add REST API for editing Audit logging in later versions.

As far as I understand, the version in the JSON comes from Zookeeper node version, but there has been issues that if you upload a security.json with that v node to ZK it was not parsed correctly. I don't know the reason why the JSON would contain the version in the first place. Probably some work to do here?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

20. jun. 2019 kl. 02:39 skrev Gus Heck <[hidden email]>:

in the security documentation here: https://lucene.apache.org/solr/guide/8_1/authentication-and-authorization-plugins.html#in-standalone-mode

we give the following advice:

Once security.json has been uploaded to ZooKeeper, you should use the appropriate APIs for the plugins you’re using to update it. You can edit it manually, but you must take care to remove any version data so it will be properly updated across all ZooKeeper nodes. The version data is found at the end of the security.json file, and will appear as the letter "v" followed by a number, such as {"v":138}.

However, I don't see any API mentioned in https://lucene.apache.org/solr/guide/8_1/audit-logging.html ? Is this planned for the future?

Also I sort of wonder why security.json is keeping it's own version in the json rather than relying on zookeeper's node versions like everything else? What problem do we have there that we don't have in the rest of our json files?


Reply | Threaded
Open this post in threaded view
|

Re: Audit logging API?

Gus Heck
Just did a little digging while I was building... I think the v:## property is supporting a mode where security.json is a filesystem file...

    /**
     * Sets version
     * @param version integer for version. Depends on underlying storage
     * @return SecurityConf object (builder pattern)
     */
    public SecurityConfig setVersion(int version) {
      this.version = version;
      return this;
    }

On Thu, Jun 20, 2019 at 9:40 AM Jan Høydahl <[hidden email]> wrote:
We'll need to add REST API for editing Audit logging in later versions.

As far as I understand, the version in the JSON comes from Zookeeper node version, but there has been issues that if you upload a security.json with that v node to ZK it was not parsed correctly. I don't know the reason why the JSON would contain the version in the first place. Probably some work to do here?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

20. jun. 2019 kl. 02:39 skrev Gus Heck <[hidden email]>:

in the security documentation here: https://lucene.apache.org/solr/guide/8_1/authentication-and-authorization-plugins.html#in-standalone-mode

we give the following advice:

Once security.json has been uploaded to ZooKeeper, you should use the appropriate APIs for the plugins you’re using to update it. You can edit it manually, but you must take care to remove any version data so it will be properly updated across all ZooKeeper nodes. The version data is found at the end of the security.json file, and will appear as the letter "v" followed by a number, such as {"v":138}.

However, I don't see any API mentioned in https://lucene.apache.org/solr/guide/8_1/audit-logging.html ? Is this planned for the future?

Also I sort of wonder why security.json is keeping it's own version in the json rather than relying on zookeeper's node versions like everything else? What problem do we have there that we don't have in the rest of our json files?




--
Reply | Threaded
Open this post in threaded view
|

Re: Audit logging API?

Jan Høydahl / Cominvent
Yes, in theory, but I don't think the implementation in standalone mode that reads $SOLR_HOME/security.json cares about version at all right now.
Hoss had a suggestion for an API improvement that would poll all live_nodes for what version of security.json they have loaded, and block until all are on some given version.

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

20. jun. 2019 kl. 16:07 skrev Gus Heck <[hidden email]>:

Just did a little digging while I was building... I think the v:## property is supporting a mode where security.json is a filesystem file...

    /**
     * Sets version
     * @param version integer for version. Depends on underlying storage
     * @return SecurityConf object (builder pattern)
     */
    public SecurityConfig setVersion(int version) {
      this.version = version;
      return this;
    }

On Thu, Jun 20, 2019 at 9:40 AM Jan Høydahl <[hidden email]> wrote:
We'll need to add REST API for editing Audit logging in later versions.

As far as I understand, the version in the JSON comes from Zookeeper node version, but there has been issues that if you upload a security.json with that v node to ZK it was not parsed correctly. I don't know the reason why the JSON would contain the version in the first place. Probably some work to do here?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

20. jun. 2019 kl. 02:39 skrev Gus Heck <[hidden email]>:

in the security documentation here: https://lucene.apache.org/solr/guide/8_1/authentication-and-authorization-plugins.html#in-standalone-mode

we give the following advice:

Once security.json has been uploaded to ZooKeeper, you should use the appropriate APIs for the plugins you’re using to update it. You can edit it manually, but you must take care to remove any version data so it will be properly updated across all ZooKeeper nodes. The version data is found at the end of the security.json file, and will appear as the letter "v" followed by a number, such as {"v":138}.

However, I don't see any API mentioned in https://lucene.apache.org/solr/guide/8_1/audit-logging.html ? Is this planned for the future?

Also I sort of wonder why security.json is keeping it's own version in the json rather than relying on zookeeper's node versions like everything else? What problem do we have there that we don't have in the rest of our json files?




--