suvodeep-pyne opened a new pull request, #16807:
URL: https://github.com/apache/pinot/pull/16807
## Summary
This PR adds support for URL filter include patterns in the audit logging
framework, providing fine-grained control over which endpoints are audited. The
implementation follows a priority-based semantic where exclusion patterns
always take precedence over inclusion patterns.
## Changes
### Core Functionality
- **Added include pattern configuration** to `AuditConfig` with JSON
property `url.filter.include.patterns`
- **Refactored `AuditUrlPathFilter`** to support both include and exclude
patterns with proper priority handling:
  - Exclusion patterns have highest priority (if excluded, never audit)
  - Include patterns act as an allowlist when defined (only matching URLs
    are audited)
  - Default behavior: audit everything except excluded URLs when no include
    patterns are specified
- **Updated `AuditRequestProcessor`** to use the new `shouldAudit()` method
for cleaner separation of concerns
- **Moved `AuditServiceBinder`** from controller-specific package to common
audit package for better reusability
### Priority Semantics
1. **Exclusion always wins**: URLs matching exclude patterns are never
audited, even if they match include patterns
2. **Include acts as allowlist**: When include patterns are defined, only
matching URLs are audited
3. **Default behavior**: Without include patterns, all non-excluded URLs are
audited
### Testing
Added comprehensive test coverage for the new `shouldAudit` method covering
all critical paths:
- Exclusion priority over inclusion
- Include patterns as allowlist behavior
- Default behavior without include patterns
- Empty pattern configurations
- Complex real-world pattern combinations
### Pattern Support
Both include and exclude patterns support:
- **Glob patterns**: `*`, `**`, `?`, `[abc]`, `{api,v1,v2}`
- **Regex patterns**: Prefixed with `regex:` for regular expressions
- **Multiple patterns**: Comma-separated list
## Example Configuration
```properties
# Only audit specific API endpoints
pinot.audit.controller.url.filter.include.patterns=/api/**,/v1/**,/v2/**
# But never audit health checks (exclusion wins)
pinot.audit.controller.url.filter.exclude.patterns=/api/health,/v1/metrics
```
## Testing
- All existing tests pass
- Added 5 new test methods specifically for `shouldAudit` logic
- Tests cover priority semantics, edge cases, and pattern combinations
## Impact
- Backward compatible - existing configurations work unchanged
- No performance impact - reuses existing PathMatcher logic
- Provides more flexible audit control for security and compliance
requirements
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
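
The priority semantics described in the pull request, as an added Java sketch that is not Pinot's `AuditUrlPathFilter` and not code from the PR. The class name `AuditFilterSketch` and the helper `compile` are hypothetical; the sketch assumes a Unix-like default filesystem and evaluates the PR's example configuration with `java.nio.file.PathMatcher`.

```java
import java.nio.file.FileSystems;
import java.nio.file.Path;
import java.nio.file.PathMatcher;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

// Added sketch of the PR's priority rules; not Pinot's AuditUrlPathFilter.
// Names other than shouldAudit are hypothetical.
public class AuditFilterSketch {
  private final List<PathMatcher> include;
  private final List<PathMatcher> exclude;

  AuditFilterSketch(String includeCsv, String excludeCsv) {
    this.include = compile(includeCsv);
    this.exclude = compile(excludeCsv);
  }

  // "regex:" patterns pass through; anything else is compiled as a glob.
  // Assumption: a plain comma split, so brace globs like {a,b} are not handled here.
  static List<PathMatcher> compile(String csv) {
    List<PathMatcher> matchers = new ArrayList<>();
    for (String raw : (csv == null ? "" : csv).split(",")) {
      String p = raw.trim();
      if (p.isEmpty()) continue;
      String syntax = p.startsWith("regex:") ? p : "glob:" + p;
      matchers.add(FileSystems.getDefault().getPathMatcher(syntax));
    }
    return matchers;
  }

  boolean shouldAudit(String urlPath) {
    Path path = Paths.get(urlPath);
    // Rule 1: exclusion always wins, even over a matching include pattern.
    if (exclude.stream().anyMatch(m -> m.matches(path))) return false;
    // Rule 3: with no include patterns, every non-excluded URL is audited.
    if (include.isEmpty()) return true;
    // Rule 2: include patterns are an allowlist.
    return include.stream().anyMatch(m -> m.matches(path));
  }

  public static void main(String[] args) {
    // Patterns from the PR's example configuration; request paths are constructed.
    AuditFilterSketch f = new AuditFilterSketch("/api/**,/v1/**,/v2/**", "/api/health,/v1/metrics");
    String[] paths = {"/api/tables", "/api/health", "/api/health/live", "/v1/metrics", "/admin/users"};
    for (String p : paths) {
      System.out.println(p + " -> audit=" + f.shouldAudit(p));
    }
  }
}
```

Because exclusion is evaluated first, an over-broad exclude pattern removes endpoints from the audit trail even when they are on the include list, so exclude lists deserve the same review as the allowlist.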