log exec for forensics

139a3ee3 · Mahmood Ali · f028c2cb · 139a3ee3 · 139a3ee3
Commit 139a3ee3 authored 6 years ago by Mahmood Ali
Hide whitespace changes
Inline Side-by-side

Showing

with 35 additions and 8 deletions
+35 -8
--- a/client/acl.go
+++ b/client/acl.go
@@ -70,38 +70,43 @@ func (c *cachedACLValue) Age() time.Duration {
 // ResolveToken is used to translate an ACL Token Secret ID into
 // an ACL object, nil if ACLs are disabled, or an error.
 func (c *Client) ResolveToken(secretID string) (*acl.ACL, error) {
+	a, _, err := c.resolveTokenAndACL(secretID)
+	return a, err
+}
+
+func (c *Client) resolveTokenAndACL(secretID string) (*acl.ACL, *structs.ACLToken, error) {
 	// Fast-path if ACLs are disabled
 	if !c.config.ACLEnabled {
-		return nil, nil
+		return nil, nil, nil
 	}
 	defer metrics.MeasureSince([]string{"client", "acl", "resolve_token"}, time.Now())

 	// Resolve the token value
 	token, err := c.resolveTokenValue(secretID)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	if token == nil {
-		return nil, structs.ErrTokenNotFound
+		return nil, nil, structs.ErrTokenNotFound
 	}

 	// Check if this is a management token
 	if token.Type == structs.ACLManagementToken {
-		return acl.ManagementACL, nil
+		return acl.ManagementACL, token, nil
 	}

 	// Resolve the policies
 	policies, err := c.resolvePolicies(token.SecretID, token.Policies)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}

 	// Resolve the ACL object
 	aclObj, err := structs.CompileACLObject(c.aclCache, policies)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
-	return aclObj, nil
+	return aclObj, token, nil
 }

 // resolveTokenValue is used to translate a secret ID into an ACL token with caching

--- a/client/alloc_endpoint.go
+++ b/client/alloc_endpoint.go
@@ -12,6 +12,7 @@ import (
 	"github.com/hashicorp/nomad/acl"
 	cstructs "github.com/hashicorp/nomad/client/structs"
 	"github.com/hashicorp/nomad/helper"
+	"github.com/hashicorp/nomad/helper/uuid"
 	"github.com/hashicorp/nomad/nomad/structs"
 	nstructs "github.com/hashicorp/nomad/nomad/structs"
 	"github.com/hashicorp/nomad/plugins/drivers"
@@ -130,8 +131,29 @@ func (a *Allocations) exec(conn io.ReadWriteCloser) {
 		return
 	}

+	aclObj, token, err := a.c.resolveTokenAndACL(req.QueryOptions.AuthToken)
+	{
+		// log access
+		execID := uuid.Generate()
+		tokenName, tokenID := "", ""
+		if token != nil {
+			tokenName, tokenID = token.Name, token.AccessorID
+		}
+
+		a.c.logger.Info("task exec session starting",
+			"exec_id", execID,
+			"alloc_id", req.AllocID,
+			"task", req.Task,
+			"command", req.Cmd,
+			"tty", req.Tty,
+			"access_token_name", tokenName,
+			"access_token_id", tokenID,
+		)
+
+		defer a.c.logger.Info("task exec session ended", "exec_id", execID)
+	}
+
 	// Check read permissions
-	aclObj, err := a.c.ResolveToken(req.QueryOptions.AuthToken)
 	if err != nil {
 		handleStreamResultError(err, nil, encoder)
 		return