Gate data proxy audit logging behind audit_logging server setting

9 years ago · 0fee7c863a
parent d9cbb994b8
commit 0fee7c863a
5 changed files with 22 additions and 11 deletions
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@ -47,6 +47,9 @@ root_url = %(protocol)s://%(domain)s:%(http_port)s/
 # Log web requests
 router_logging = false

+# This enables query request audit logging, output at warn level, default is false
+audit_logging = false
+
 # the path relative working path
 static_root_path = public

--- a/conf/sample.ini
+++ b/conf/sample.ini
@ -49,6 +49,9 @@
 # Log web requests
 ;router_logging = false

+# This enables query request audit logging, output at warn level, default is false
+audit_logging = false
+
 # the path relative working path
 ;static_root_path = public

--- a/docs/sources/http_api/admin.md
+++ b/docs/sources/http_api/admin.md
@ -143,6 +143,7 @@ with Grafana admin permission.
        "protocol":"http",
        "root_url":"%(protocol)s://%(domain)s:%(http_port)s/",
        "router_logging":"true",
+        "audit_logging":"true",
        "static_root_path":"public"
      },
      "session":{
--- a/pkg/api/dataproxy.go
+++ b/pkg/api/dataproxy.go
@ -118,8 +118,6 @@ func ProxyDataSourceRequest(c *middleware.Context) {
 		}
 	}

-	outputToAuditLog(ds.Type, c)
-
 	proxy := NewReverseProxy(ds, proxyPath, targetUrl)
 	proxy.Transport, err = ds.GetHttpTransport()
 	if err != nil {
@ -127,19 +125,23 @@ func ProxyDataSourceRequest(c *middleware.Context) {
 		return
 	}

+	auditLog(ds.Type, c)
+
 	proxy.ServeHTTP(c.Resp, c.Req.Request)
 	c.Resp.Header().Del("Set-Cookie")
 }

-func outputToAuditLog(dataSourceType string, c *middleware.Context) {
-	auditLogger := log.New("data-proxy-audit", "userid", c.UserId, "orgid", c.OrgId, "username", c.Login)
+func auditLog(dataSourceType string, c *middleware.Context) {
+	if setting.AuditLogging {
+		auditLogger := log.New("data-proxy-audit", "userid", c.UserId, "orgid", c.OrgId, "username", c.Login)

-	var body string
-	if c.Req.Request.Body != nil {
-		buffer, _ := ioutil.ReadAll(c.Req.Request.Body)
-		c.Req.Request.Body = ioutil.NopCloser(bytes.NewBuffer(buffer))
-		body = string(buffer)
-	}
+		var body string
+		if c.Req.Request.Body != nil {
+			buffer, _ := ioutil.ReadAll(c.Req.Request.Body)
+			c.Req.Request.Body = ioutil.NopCloser(bytes.NewBuffer(buffer))
+			body = string(buffer)
+		}

-	auditLogger.Info("Proxying incoming request", "datasource", dataSourceType, "uri", c.Req.RequestURI, "method", c.Req.Request.Method, "body", body)
+		auditLogger.Warn("Proxying incoming request", "datasource", dataSourceType, "uri", c.Req.RequestURI, "method", c.Req.Request.Method, "body", body)
+	}
 }
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@ -65,6 +65,7 @@ var (
 	SshPort            int
 	CertFile, KeyFile  string
 	RouterLogging      bool
+	AuditLogging       bool
 	StaticRootPath     string
 	EnableGzip         bool
 	EnforceDomain      bool
@ -490,6 +491,7 @@ func NewConfigContext(args *CommandLineArgs) error {
 	HttpAddr = server.Key("http_addr").MustString(DEFAULT_HTTP_ADDR)
 	HttpPort = server.Key("http_port").MustString("3000")
 	RouterLogging = server.Key("router_logging").MustBool(false)
+	AuditLogging = server.Key("audit_logging").MustBool(false)
 	EnableGzip = server.Key("enable_gzip").MustBool(false)
 	EnforceDomain = server.Key("enforce_domain").MustBool(false)
 	StaticRootPath = makeAbsolute(server.Key("static_root_path").String(), HomePath)