EXT-1555 Add audit log on receive for unauthorized requests (#26099)

StekPerepolnen · web-flow · commit 8137e7dc5285 · 2025-10-01T18:32:25.000+02:00
diff --git a/ydb/core/mon/mon.cpp b/ydb/core/mon/mon.cpp
@@ -354,6 +354,7 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor
                 return;
             }
         }
+        AuditCtx.LogOnReceived();
         SendRequest();
     }
 
@@ -487,7 +488,6 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor
                 << " " << request->URL);
         }
         TString serializedToken = result && result->UserToken ? result->UserToken->GetSerializedToken() : TString();
-        AuditCtx.LogOnReceived();
         Send(ActorMonPage->TargetActorId, new NMon::TEvHttpInfo(
             Container, serializedToken), IEventHandle::FlagTrackDelivery);
     }
@@ -514,6 +514,7 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor
     void Handle(NKikimr::NGRpcService::TEvRequestAuthAndCheckResult::TPtr& ev) {
         const NKikimr::NGRpcService::TEvRequestAuthAndCheckResult& result(*ev->Get());
         AuditCtx.AddAuditLogParts(result.AuditLogParts);
+        AuditCtx.LogOnReceived();
         if (result.UserToken) {
             AuditCtx.SetSubjectType(result.UserToken->GetSubjectType());
             Event->Get()->UserToken = result.UserToken->GetSerializedToken();
@@ -557,11 +558,11 @@ class THttpMonLegacyIndexRequest : public TActorBootstrapped<THttpMonLegacyIndex
 
     void Bootstrap() {
         AuditCtx.InitAudit(Event, NeedAudit);
+        AuditCtx.LogOnReceived();
         ProcessRequest();
     }
 
     void ProcessRequest() {
-        AuditCtx.LogOnReceived();
         Container.Page->Output(Container);
         NHttp::THttpOutgoingResponsePtr response = Event->Get()->Request->CreateResponseString(Container.Str());
         AuditCtx.LogOnCompleted(response);
@@ -1027,6 +1028,7 @@ class THttpMonAuthorizedActorRequest : public TActorBootstrapped<THttpMonAuthori
                 return;
             }
         }
+        AuditCtx.LogOnReceived();
         SendRequest();
         Become(&THttpMonAuthorizedActorRequest::StateWork);
     }
@@ -1137,7 +1139,6 @@ class THttpMonAuthorizedActorRequest : public TActorBootstrapped<THttpMonAuthori
                 << " " << request->Method
                 << " " << request->URL);
         }
-        AuditCtx.LogOnReceived();
         Send(new IEventHandle(Fields.Handler, SelfId(), Event->ReleaseBase().Release(), IEventHandle::FlagTrackDelivery, Event->Cookie));
     }
 
@@ -1161,6 +1162,7 @@ class THttpMonAuthorizedActorRequest : public TActorBootstrapped<THttpMonAuthori
     void Handle(NKikimr::NGRpcService::TEvRequestAuthAndCheckResult::TPtr& ev) {
         const NKikimr::NGRpcService::TEvRequestAuthAndCheckResult& result(*ev->Get());
         AuditCtx.AddAuditLogParts(result.AuditLogParts);
+        AuditCtx.LogOnReceived();
         if (result.UserToken) {
             AuditCtx.SetSubjectType(result.UserToken->GetSubjectType());
             Event->Get()->UserToken = result.UserToken->GetSerializedToken();
diff --git a/ydb/tests/functional/audit/canondata/test_canonical_records.test_dml_through_http/audit_log.json b/ydb/tests/functional/audit/canondata/test_canonical_records.test_dml_through_http/audit_log.json
@@ -1,4 +1,5 @@
 {"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "other-user@builtin"}
+{"body": "{\"action\": \"execute-query\", \"base64\": false, \"database\": \"/Root\", \"query\": \"SELECT 42\", \"stats\": \"full\", \"syntax\": \"yql_v1\", \"tracingLevel\": 9}", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "schema=multi&base64=false", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "IN-PROCESS", "subject": "other-user@builtin", "url": "/viewer/json/query"}
 {"body": "{\"action\": \"execute-query\", \"base64\": false, \"database\": \"/Root\", \"query\": \"SELECT 42\", \"stats\": \"full\", \"syntax\": \"yql_v1\", \"tracingLevel\": 9}", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "schema=multi&base64=false", "reason": "403 Forbidden", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "ERROR", "subject": "other-user@builtin", "url": "/viewer/json/query"}
 {"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "root@builtin"}
 {"body": "{\"action\": \"execute-query\", \"base64\": false, \"database\": \"/Root\", \"query\": \"SELECT 42\", \"stats\": \"full\", \"syntax\": \"yql_v1\", \"tracingLevel\": 9}", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "schema=multi&base64=false", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "status": "IN-PROCESS", "subject": "root@builtin", "url": "/viewer/json/query"}
diff --git a/ydb/tests/functional/audit/canondata/test_canonical_records.test_kill_tablet_using_developer_ui/audit_log.json b/ydb/tests/functional/audit/canondata/test_canonical_records.test_kill_tablet_using_developer_ui/audit_log.json
@@ -1,4 +1,5 @@
 {"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "other-user@builtin"}
+{"component": "monitoring", "method": "GET", "operation": "HTTP REQUEST", "params": "RestartTabletID=<canonized_tablet_id>", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "IN-PROCESS", "subject": "other-user@builtin", "url": "/tablets"}
 {"component": "monitoring", "method": "GET", "operation": "HTTP REQUEST", "params": "RestartTabletID=<canonized_tablet_id>", "reason": "403 Forbidden", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "ERROR", "subject": "other-user@builtin", "url": "/tablets"}
 {"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "root@builtin"}
 {"component": "monitoring", "method": "GET", "operation": "HTTP REQUEST", "params": "RestartTabletID=<canonized_tablet_id>", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "status": "IN-PROCESS", "subject": "root@builtin", "url": "/tablets"}
diff --git a/ydb/tests/functional/audit/canondata/test_canonical_records.test_restart_pdisk/audit_log.json b/ydb/tests/functional/audit/canondata/test_canonical_records.test_restart_pdisk/audit_log.json
@@ -1,4 +1,5 @@
 {"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "other-user@builtin"}
+{"body": "restartPDisk=&ignoreChecks=true", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "/actors/pdisks/pdisk000000001", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "IN-PROCESS", "subject": "other-user@builtin", "url": "/actors/pdisks/pdisk000000001"}
 {"body": "restartPDisk=&ignoreChecks=true", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "/actors/pdisks/pdisk000000001", "reason": "403 Forbidden", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "ERROR", "subject": "other-user@builtin", "url": "/actors/pdisks/pdisk000000001"}
 {"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "root@builtin"}
 {"body": "restartPDisk=&ignoreChecks=true", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "/actors/pdisks/pdisk000000001", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "status": "IN-PROCESS", "subject": "root@builtin", "url": "/actors/pdisks/pdisk000000001"}

Original file line number	Diff line number	Diff line change
`@@ -354,6 +354,7 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor`
`354`	`354`	`return;`
`355`	`355`	`}`
`356`	`356`	`}`
	`357`	`+ AuditCtx.LogOnReceived();`
`357`	`358`	`SendRequest();`
`358`	`359`	`}`
`359`	`360`
`@@ -487,7 +488,6 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor`
`487`	`488`	`<< " " << request->URL);`
`488`	`489`	`}`
`489`	`490`	`TString serializedToken = result && result->UserToken ? result->UserToken->GetSerializedToken() : TString();`
`490`		`- AuditCtx.LogOnReceived();`
`491`	`491`	`Send(ActorMonPage->TargetActorId, new NMon::TEvHttpInfo(`
`492`	`492`	`Container, serializedToken), IEventHandle::FlagTrackDelivery);`
`493`	`493`	`}`
`@@ -514,6 +514,7 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor`
`514`	`514`	`void Handle(NKikimr::NGRpcService::TEvRequestAuthAndCheckResult::TPtr& ev) {`
`515`	`515`	`const NKikimr::NGRpcService::TEvRequestAuthAndCheckResult& result(*ev->Get());`
`516`	`516`	`AuditCtx.AddAuditLogParts(result.AuditLogParts);`
	`517`	`+ AuditCtx.LogOnReceived();`
`517`	`518`	`if (result.UserToken) {`
`518`	`519`	`AuditCtx.SetSubjectType(result.UserToken->GetSubjectType());`
`519`	`520`	`Event->Get()->UserToken = result.UserToken->GetSerializedToken();`
`@@ -557,11 +558,11 @@ class THttpMonLegacyIndexRequest : public TActorBootstrapped<THttpMonLegacyIndex`
`557`	`558`
`558`	`559`	`void Bootstrap() {`
`559`	`560`	`AuditCtx.InitAudit(Event, NeedAudit);`
	`561`	`+ AuditCtx.LogOnReceived();`
`560`	`562`	`ProcessRequest();`
`561`	`563`	`}`
`562`	`564`
`563`	`565`	`void ProcessRequest() {`
`564`		`- AuditCtx.LogOnReceived();`
`565`	`566`	`Container.Page->Output(Container);`
`566`	`567`	`NHttp::THttpOutgoingResponsePtr response = Event->Get()->Request->CreateResponseString(Container.Str());`
`567`	`568`	`AuditCtx.LogOnCompleted(response);`
`@@ -1027,6 +1028,7 @@ class THttpMonAuthorizedActorRequest : public TActorBootstrapped<THttpMonAuthori`
`1027`	`1028`	`return;`
`1028`	`1029`	`}`
`1029`	`1030`	`}`
	`1031`	`+ AuditCtx.LogOnReceived();`
`1030`	`1032`	`SendRequest();`
`1031`	`1033`	`Become(&THttpMonAuthorizedActorRequest::StateWork);`
`1032`	`1034`	`}`
`@@ -1137,7 +1139,6 @@ class THttpMonAuthorizedActorRequest : public TActorBootstrapped<THttpMonAuthori`
`1137`	`1139`	`<< " " << request->Method`
`1138`	`1140`	`<< " " << request->URL);`
`1139`	`1141`	`}`
`1140`		`- AuditCtx.LogOnReceived();`
`1141`	`1142`	`Send(new IEventHandle(Fields.Handler, SelfId(), Event->ReleaseBase().Release(), IEventHandle::FlagTrackDelivery, Event->Cookie));`
`1142`	`1143`	`}`
`1143`	`1144`
`@@ -1161,6 +1162,7 @@ class THttpMonAuthorizedActorRequest : public TActorBootstrapped<THttpMonAuthori`
`1161`	`1162`	`void Handle(NKikimr::NGRpcService::TEvRequestAuthAndCheckResult::TPtr& ev) {`
`1162`	`1163`	`const NKikimr::NGRpcService::TEvRequestAuthAndCheckResult& result(*ev->Get());`
`1163`	`1164`	`AuditCtx.AddAuditLogParts(result.AuditLogParts);`
	`1165`	`+ AuditCtx.LogOnReceived();`
`1164`	`1166`	`if (result.UserToken) {`
`1165`	`1167`	`AuditCtx.SetSubjectType(result.UserToken->GetSubjectType());`
`1166`	`1168`	`Event->Get()->UserToken = result.UserToken->GetSerializedToken();`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`{"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "other-user@builtin"}`
	`2`	`+{"body": "{\"action\": \"execute-query\", \"base64\": false, \"database\": \"/Root\", \"query\": \"SELECT 42\", \"stats\": \"full\", \"syntax\": \"yql_v1\", \"tracingLevel\": 9}", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "schema=multi&base64=false", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "IN-PROCESS", "subject": "other-user@builtin", "url": "/viewer/json/query"}`
`2`	`3`	`{"body": "{\"action\": \"execute-query\", \"base64\": false, \"database\": \"/Root\", \"query\": \"SELECT 42\", \"stats\": \"full\", \"syntax\": \"yql_v1\", \"tracingLevel\": 9}", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "schema=multi&base64=false", "reason": "403 Forbidden", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "ERROR", "subject": "other-user@builtin", "url": "/viewer/json/query"}`
`3`	`4`	`{"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "root@builtin"}`
`4`	`5`	`{"body": "{\"action\": \"execute-query\", \"base64\": false, \"database\": \"/Root\", \"query\": \"SELECT 42\", \"stats\": \"full\", \"syntax\": \"yql_v1\", \"tracingLevel\": 9}", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "schema=multi&base64=false", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "status": "IN-PROCESS", "subject": "root@builtin", "url": "/viewer/json/query"}`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`{"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "other-user@builtin"}`
	`2`	`+{"component": "monitoring", "method": "GET", "operation": "HTTP REQUEST", "params": "RestartTabletID=<canonized_tablet_id>", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "IN-PROCESS", "subject": "other-user@builtin", "url": "/tablets"}`
`2`	`3`	`{"component": "monitoring", "method": "GET", "operation": "HTTP REQUEST", "params": "RestartTabletID=<canonized_tablet_id>", "reason": "403 Forbidden", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "ERROR", "subject": "other-user@builtin", "url": "/tablets"}`
`3`	`4`	`{"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "root@builtin"}`
`4`	`5`	`{"component": "monitoring", "method": "GET", "operation": "HTTP REQUEST", "params": "RestartTabletID=<canonized_tablet_id>", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "status": "IN-PROCESS", "subject": "root@builtin", "url": "/tablets"}`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`{"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "other-user@builtin"}`
	`2`	`+{"body": "restartPDisk=&ignoreChecks=true", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "/actors/pdisks/pdisk000000001", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "IN-PROCESS", "subject": "other-user@builtin", "url": "/actors/pdisks/pdisk000000001"}`
`2`	`3`	`{"body": "restartPDisk=&ignoreChecks=true", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "/actors/pdisks/pdisk000000001", "reason": "403 Forbidden", "remote_address": "<canonized_remote_address>", "sanitized_token": "othe****ltin (27F910A9)", "status": "ERROR", "subject": "other-user@builtin", "url": "/actors/pdisks/pdisk000000001"}`
`3`	`4`	`{"component": "grpc-proxy", "database": "/Root", "operation": "request auth and check internal request", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "start_time": "<canonized_start_time>", "status": "IN-PROCESS", "subject": "root@builtin"}`
`4`	`5`	`{"body": "restartPDisk=&ignoreChecks=true", "component": "monitoring", "method": "POST", "operation": "HTTP REQUEST", "params": "/actors/pdisks/pdisk000000001", "reason": "Execute", "remote_address": "<canonized_remote_address>", "sanitized_token": "**** (B6C6F477)", "status": "IN-PROCESS", "subject": "root@builtin", "url": "/actors/pdisks/pdisk000000001"}`