author | ijon <ijon@ydb.tech> | 2023-09-15 17:53:50 +0300 |
---|---|---|
committer | ijon <ijon@ydb.tech> | 2023-09-15 18:10:54 +0300 |
commit | c516a81f5123c759856caf347f1f0ae97a48c177 (patch) | |
tree | 8e882dc71185b1e1d7ea717340ab2dfd33a9fad8 | |
parent | 04b7eb71b8e2a3ca0f4b0d73a21912930e821bd7 (diff) | |
download | ydb-c516a81f5123c759856caf347f1f0ae97a48c177.tar.gz |
auditlog: add DML log configuration
KIKIMR-18697
-rw-r--r-- | ydb/core/grpc_services/grpc_request_check_actor.h | 15 | ||||
-rw-r--r-- | ydb/core/protos/subdomains.proto | 7 |
2 files changed, 21 insertions, 1 deletions
diff --git a/ydb/core/grpc_services/grpc_request_check_actor.h b/ydb/core/grpc_services/grpc_request_check_actor.h
index 2d44277a2b4..9ede1a768de 100644
--- a/ydb/core/grpc_services/grpc_request_check_actor.h
+++ b/ydb/core/grpc_services/grpc_request_check_actor.h
@@ -99,6 +99,7 @@ public:
 TBase::SetPeerName(peerName);
 InitializeAttributes(schemeData);
 TBase::SetDatabase(CheckedDatabaseName_);
+ InitializeAuditSettings(schemeData);
 }
 }
@@ -346,8 +347,18 @@ private:
 }
 private:
+ void InitializeAuditSettings(const TSchemeBoardEvents::TDescribeSchemeResult& schemeData) {
+ const auto& auditSettings = schemeData.GetPathDescription().GetDomainDescription().GetAuditSettings();
+ DmlAuditEnabled_ = auditSettings.GetEnableDmlAudit();
+ DmlAuditExpectedSubjects_.insert(auditSettings.GetExpectedSubjects().begin(), auditSettings.GetExpectedSubjects().end());
+ }
+
+ bool IsAuditEnabledFor(const TString& userSID) const {
+ return DmlAuditEnabled_ && !DmlAuditExpectedSubjects_.contains(userSID);
+ };
+
 void AuditRequest(IRequestProxyCtx* requestBaseCtx, const TString& databaseName, const TString& userSID) const {
- const bool dmlAuditEnabled = requestBaseCtx->IsAuditable();
+ const bool dmlAuditEnabled = requestBaseCtx->IsAuditable() && IsAuditEnabledFor(userSID);
 if (dmlAuditEnabled) {
 AuditContextStart(requestBaseCtx, databaseName, userSID);
@@ -495,6 +506,8 @@ private:
 bool SkipCheckConnectRigths_ = false;
 std::vector<std::pair<TString, TString>> Attributes_;
 const IFacilityProvider* FacilityProvider_;
+ bool DmlAuditEnabled_;
+ std::unordered_set<TString> DmlAuditExpectedSubjects_;
 };
 // default behavior - attributes in schema
diff --git a/ydb/core/protos/subdomains.proto b/ydb/core/protos/subdomains.proto
index cfc5e1f89ee..cd51c78e2af 100644
--- a/ydb/core/protos/subdomains.proto
+++ b/ydb/core/protos/subdomains.proto
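Review bot: `bool DmlAuditEnabled_;` in the member-list hunk has no initializer, so if the block that calls `InitializeAuditSettings(schemeData)` in the first hunk is not entered (its opening is outside the hunk, and the two closing braces suggest it is nested), `AuditRequest` reads an indeterminate value through `IsAuditEnabledFor` and the DML audit decision becomes undefined; declare it `bool DmlAuditEnabled_ = false;` to match `SkipCheckConnectRigths_ = false;` just above it, so the safe default when settings are absent is a documented, deterministic "audit off". `IsAuditEnabledFor` returns true only when `userSID` is absent from `DmlAuditExpectedSubjects_`, which makes the proto's `ExpectedSubjects` an exemption list for audit logging rather than a list of audited users; a comment such as `// Subjects listed in AuditSettings.ExpectedSubjects are exempt from DML audit logging` on `IsAuditEnabledFor`, and the same sentence on `repeated string ExpectedSubjects = 2;` in subdomains.proto, would prevent the opposite reading, since misconfiguring an audit-exemption list silently removes log coverage. The trailing `};` after `IsAuditEnabledFor`'s body is a stray semicolon and should be `}`. `InitializeAuditSettings` inserts into the set without clearing it, so if it is ever invoked more than once on the same actor the exemptions accumulate; this is harmless only if it is called exactly once, which the hunk does not show. `std::unordered_set` needs `<unordered_set>` in scope; the include list is outside the diff, so confirm it is present.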
@@ -65,6 +65,11 @@ message TDomainState {
 optional bool DiskQuotaExceeded = 1;
 }
+message TAuditSettings {
+ optional bool EnableDmlAudit = 1;
+ repeated string ExpectedSubjects = 2;
+}
+
 message TDomainDescription {
 optional fixed64 SchemeShardId_Depricated = 1;
 optional fixed64 PathId_Depricated = 2;
@@ -91,6 +96,8 @@ message TDomainDescription {
 optional TDomainState DomainState = 16;
 optional NLoginProto.TSecurityState SecurityState = 20;
+
+ optional TAuditSettings AuditSettings = 21;
 }
 message TSchemeQuotas { |