Audit API : Hints and Tricks Mehdi BELMEKKI, Consultancy Team Alfresco
Agenda
- Introduction
- Talk objectives
- Audit Trail Mechanism : before 3.2
- Auditing Alfresco 4
- Data Producers
- Data Extractors and Generators
- Audit Filters
- Audit Applications
- Demos
- Development tricks
- Questions
Introduction Mehdi Belmekki Technical consultant, Professional Service Team 5 years experience : Born and grow-up in Community : Graduated Community Contributor High-school Partners : Graduated RD University of Alfresco: Undergraduate Consultant ACA/ACE Based in Paris, France Area of expertise : Alfresco Share / Surf Framework / Authentication Subsystems / Audit Implementation
Talk objectives
- Overview of Audit Mechanism and components
- Explain how the data is recorded and extracted/generated
- Create custom extractors and generators
- Be able to create a custom audit application
- Filter recorded data based on custom criteria
- Share some development tricks
Audit Trail Mechanism
Audit Trail Mechanism : Configuration
- Global auditConfig.xml file, customizable by overriding the bean
- Disable audit for some service’s methods
- Enable auditing for all service’s methods
- Disable audit for the whole service
Audit Trail Mechanism : Limitations
- Records everything / Records nothing
- Unable to filter logged data (system user and operations)
- Customizable only by overriding beans
- No “clean” way to cleanup the audit recorded values
- Directly query the DB: To get the login history for a given user:
Audit Trail Mechanism : Conclusion
- Not easy to use or query
- Custom Audit Application
- Hibernate Coding
- Upgrade ? PITA
- Count recorded entries? Top read docs ? Top updated docs ?
- Get all recorded data and then count
- FTP / CIFS : not audited
Audit Trail Mechanism : TODO List
- The path to the key node ref
- Presence of Service/Method/Key Type/Key Path/Key NodeRef/Key Property filters
- Method arguments/return object
- Exception Summary (message, path, full stack serialised)
- Key Node properties before/after method invocation
Auditing Alfresco 4.X
Auditing in Alfresco 4: What’s new?
Auditing in Alfresco 4: Components
- Audit Interceptor: Intercepts calls on an interface on its way to the target
- Access Auditor: Intercept content-related events using behaviours
- Audit Component: Record, Delete, Query, Enable/Disable audit, Extract Data, Generate Data
- Audit DAO: Low level (DB) Select, Insert, Delete
- Audit Model Registry:
  - Store Audit Model Definition
  - Detect duplicate application definitions
  - Implemented as subsystem
  - Expose global enablement property
  - Expose application enablement property
Data Producers
Data producers [diagram: AuditComponent; alfresco-api, alfresco-access, alfresco-node]
Data producers : alfresco-api
- Audit and record values before and after the method invocation for all services/methods using AuditMethodInterceptor
- Low level summary
- Audit workflow instantiations
- User creations, deletion, updates
- Search params
- Etc…
Data Producers : Content Auditing (alfresco-access)
- High level auditing using AccessAuditor
- Login success, failures, logout
- Actions against nodes, properties, aspects, content, check in, versions
  - Node create, move, copy, delete
  - Property update
  - Aspect add, remove
  - Content read, update
  - Check in, out and cancel
  - Version create
- Transaction summary
- Independent of user interaction (use repository policies)
Data producers : alfresco-node Used only to track/audit beforeDeleteNode policy
Data Extractors and Generators
Auditing Alfresco 4 : Data Extractors
- Java Interface
- Implements isSupported and extractData
- Extract data from auditable values, arguments, results, exceptions
- Out Of The Box provided Extractors : Node Name, Node Type, Null value, Transparent
- E.g : sitename, node path, custom properties …
[diagram: NodeRef, SiteService (bean), siteName]
Auditing Alfresco 4 : Data Generators
- Java Interface
- Implements getData
- Extract data from NOTHING: System state, Thread Context
- Out Of The Box provided Extractors : Authenticated Person, Authenticated User, System Time, Transaction ID
[diagram: Nothing, getData, AuthenticationService, returns Username]
Auditing Filters
Auditing Filters : GO || NO GO [diagram: Audit Events (Event 1, Event 2), Audit Filter, Storage (Event 1)]
Auditing Filters :
- Used to reject auditing data we’ll never need/use
- Can specify both allowed/denied values to be audited
- Configured in Alfresco Global Properties

    audit.filter.alfresco-access.default.enabled=true
    audit.filter.alfresco-access.default.user=~System;.*
    audit.filter.alfresco-access.default.type=cm:folder;cm:content
    audit.filter.alfresco-access.default.path=/app:company_home/.*
    audit.filter.alfresco-access.transaction.user=
    audit.filter.alfresco-access.login.user=jblogs

- Can be configured for custom audit applications
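A filter set like the one above decides which events never reach the audit store, so it is worth previewing before deployment. The Java class below is an added example, not Alfresco code and not part of the original slides: a simplified model of how such filter lists are evaluated. Assumptions: whole-value regex matching, escaping and property references not modelled; the action name "other" and the sample events are constructed.

```java
import java.util.*;
import java.util.regex.Pattern;
// Added illustration: simplified model of audit filter evaluation, not Alfresco code.
public class AuditFilterPreview {
    // The slide's properties, without the "audit.filter.alfresco-access." prefix.
    static final Map<String, String> PROPS = Map.of(
        "default.enabled", "true", "default.user", "~System;.*",
        "default.type", "cm:folder;cm:content", "default.path", "/app:company_home/.*",
        "transaction.user", "", "login.user", "jblogs");

    // An action-specific property overrides the "default" one; null means none is defined.
    static String lookup(String action, String key) {
        String v = PROPS.get(action + "." + key);
        return v != null ? v : PROPS.get("default." + key);
    }

    // Assumed semantics: expressions are tried left to right and the first match decides;
    // a leading "~" rejects; no match rejects; an empty or undefined list accepts anything.
    static boolean acceptValue(String list, String value) {
        if (list == null || list.isEmpty()) return true;
        for (String expr : list.split(";")) {
            boolean reject = expr.startsWith("~");
            if (Pattern.matches(reject ? expr.substring(1) : expr, value)) return !reject;
        }
        return false;
    }

    // One rejected value drops the whole event; with filtering disabled everything is kept.
    static boolean recorded(String action, Map<String, String> event) {
        if (!"true".equals(lookup(action, "enabled"))) return true;
        return event.entrySet().stream()
                .allMatch(e -> acceptValue(lookup(action, e.getKey()), e.getValue()));
    }

    public static void main(String[] args) {
        String[] keys = {"user", "type", "path"};
        String[][] samples = { // constructed events: action, then user, type, path
            {"other", "alice", "cm:content", "/app:company_home/cm:a.txt"},
            {"other", "System", "cm:content", "/app:company_home/cm:a.txt"},
            {"other", "alice", "cm:content", "/sys:system/cm:b"},
            {"transaction", "System", "cm:folder", "/app:company_home/cm:f"},
            {"login", "alice"},
            {"login", "jblogs"}};
        for (String[] s : samples) {
            Map<String, String> event = new LinkedHashMap<>();
            for (int i = 1; i < s.length; i++) event.put(keys[i - 1], s[i]);
            System.out.println(s[0] + " " + event + " -> " + (recorded(s[0], event) ? "recorded" : "dropped"));
        }
    }
}
```

Run it with `java AuditFilterPreview.java`; the events reported as dropped are the ones this configuration leaves out of the audit trail.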
Audit Applications
Audit Applications [diagram: Recorded Values (Raw Data: NodeRef, Node Properties, Action); Path Mappings to LogginApplication (Data Generator: UserName; Simple Extractor: Action); Path Mappings to SiteApplication (Data Extractor: SiteName; Simple Extractor: Action)]
Audit Applications :
- A “group-by” for audit data/events
- Answer the need to store/modify inbound data independently
  - Application 1 stores siteName (extracted from NodeRef)
  - Application 2 stores raw NodeRef
- Each application defines how data is mapped, extracted, recorded without affecting data required by other applications
- Each of the audit logs can be enabled and disabled independently within the same server.
- Each audit application is defined in its own configuration file
Audit Applications : Login Audit Application
Demos : Share Audit Page in 10 minutes
Development tricks
Development tricks : Implement Top QueryCallBack
- AuditQueryCallbackImpl: override handleAuditEntry(entryId, app_name, user, time, values). E.g. in webscript:

    entry.put(JSON_KEY_ENTRY_ID, entryId); …

- AuditQueryCallbackTopImpl. E.g.:

    // Count one more hit for this node
    if (countEntries.containsKey(node)) {
        countEntries.put(node, countEntries.get(node) + 1);
    } else {
        countEntries.put(node, 1);
    }

- Run the query and return the counts:

    // 0 as the last argument, as on the slide
    getAuditService().auditQuery(auditQueryCallback, parameters, 0);
    return auditQueryCallback.getTopEntries();
Development tricks : Migration from old mechanism to new one
- Use auditComponent.recordAuditValues method
- Migrated entries will have different transaction dates (rather than old original ones)
- The original dates can be stored/preserved in another AuditProperty
Questions ?