From 35b411d067efb9ce5b1c40bcb28f0bd4224afc94 Mon Sep 17 00:00:00 2001 From: Alexandre Griffaut Date: Thu, 25 May 2023 10:25:53 +0200 Subject: [PATCH] Allow audit logs --- Gemfile | 2 +- manifests/init.pp | 4 ++++ manifests/params.pp | 4 ++++ templates/conf/log4j.properties.erb | 19 +++++++++++++++++++ templates/conf/zoo.cfg.erb | 7 +++++++ 5 files changed, 35 insertions(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index 3ea957a..25f9d23 100644 --- a/Gemfile +++ b/Gemfile @@ -24,7 +24,7 @@ group :development do gem "puppet-module-posix-dev-r#{minor_version}", '~> 1.0', require: false, platforms: [:ruby] gem "puppet-module-win-default-r#{minor_version}", '~> 1.0', require: false, platforms: [:mswin, :mingw, :x64_mingw] gem "puppet-module-win-dev-r#{minor_version}", '~> 1.0', require: false, platforms: [:mswin, :mingw, :x64_mingw] - gem "voxpupuli-puppet-lint-plugins", '>= 3.0', require: false + gem "voxpupuli-puppet-lint-plugins", '~> 3.0', require: false gem "github_changelog_generator", '~> 1.15', require: false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.3.0') gem "overcommit", require: false gem "librarian-puppet", require: false diff --git a/manifests/init.pp b/manifests/init.pp index c2d649a..f28f6bb 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -114,6 +114,7 @@ String $zoo_dir = $zookeeper::params::zoo_dir, String $zoo_main = $zookeeper::params::zoo_main, Boolean $quorum_listen_on_all_ips = $zookeeper::params::quorum_listen_on_all_ips, + Boolean $audit_enable = $zookeeper::params::audit_enable, # log4j properties String $environment_file = $zookeeper::params::environment_file, String $log4j_prop = $zookeeper::params::log4j_prop, 
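Review bot: The new `audit_enable` parameter is added to the class signature without any parameter documentation. The diffstat shows only four added lines in manifests/init.pp, all of them parameter declarations, so the same applies to `audit_threshold`, `audit_maxfilesize` and `audit_maxbackupindex` in the next hunk. Since the zoo.cfg template in this patch says the setting is supported from 3.6 onward, the entry should say so, e.g. `# @param audit_enable Write ZooKeeper audit logs to a dedicated file (requires ZooKeeper 3.6 or later)`, in whatever doc format the class header uses. The parameter list begins and ends outside the hunk.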
@@ -125,6 +126,9 @@ String $tracefile_threshold = $zookeeper::params::tracefile_threshold, String $console_threshold = $zookeeper::params::console_threshold, Hash[String,Hash[String,String]] $extra_appenders = $zookeeper::params::extra_appenders, + String $audit_threshold = $zookeeper::params::audit_threshold, + String $audit_maxfilesize = $zookeeper::params::audit_maxfilesize, + String $audit_maxbackupindex = $zookeeper::params::audit_maxbackupindex, # sasl options Hash[String, String] $sasl_users = $zookeeper::params::sasl_users, String $keytab_path = $zookeeper::params::keytab_path, diff --git a/manifests/params.pp b/manifests/params.pp index 819fe44..d2316b9 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -154,6 +154,7 @@ $ssl_quorum_protocol = 'TLSv1.2' $ssl_quorum = false $quorum_listen_on_all_ips = false + $audit_enable = false $port_unification = undef $datastore = '/var/lib/zookeeper' # datalogstore used to put transaction logs in separate location than snapshots @@ -195,6 +196,9 @@ $maxfilesize = '256MB' $maxbackupindex = 20 $extra_appenders = {} + $audit_threshold = 'INFO' + $audit_maxfilesize = '10M' + $audit_maxbackupindex = '10' # sasl options $sasl_krb5 = true diff --git a/templates/conf/log4j.properties.erb b/templates/conf/log4j.properties.erb index fc7fc28..d154c68 100644 --- a/templates/conf/log4j.properties.erb +++ b/templates/conf/log4j.properties.erb 
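Review bot: The three audit settings are typed as plain `String`, so any value, including a typo or one with an embedded newline, is written verbatim into log4j.properties by the template. Narrower types would reject bad data at catalog compile time, e.g. `Pattern[/\A\d+(KB|MB|GB)\z/] $audit_maxfilesize` (the params.pp default would then need to be `'10MB'`) and an `Enum` of the log4j level names for `$audit_threshold`. The neighbouring `$console_threshold` is declared the same way, so this may be deliberate. The parameter list continues outside the hunk.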
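Review bot: `$audit_maxfilesize = '10M'` does not use the `KB`/`MB`/`GB` suffix form of the existing `$maxfilesize = '256MB'` a few lines above. As far as I know, log4j 1.x's RollingFileAppender only recognises those suffixes and falls back to its built-in default, with an error on stderr, for anything else. Suggest `$audit_maxfilesize = '10MB'`. Separately, these defaults keep only about 110 MB of audit history on the host before the oldest file is deleted. That is worth a comment so operators who need a longer trail raise the values or forward the file elsewhere.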
@@ -34,6 +34,25 @@ zookeeper.tracelog.file=zookeeper_trace.log log4j.rootLogger=${zookeeper.root.logger} +<% if @audit_enable -%> +# +# zk audit logging +# +audit.logger=INFO, RFAAUDIT +zookeeper.auditlog.file=zookeeper_audit.log +zookeeper.auditlog.threshold=<%= scope.lookupvar("zookeeper::audit_threshold") %> +log4j.logger.org.apache.zookeeper.audit.Log4jAuditLogger=${audit.logger} +log4j.additivity.org.apache.zookeeper.audit.Log4jAuditLogger=false +log4j.appender.RFAAUDIT=org.apache.log4j.RollingFileAppender +log4j.appender.RFAAUDIT.File=${zookeeper.log.dir}/${zookeeper.auditlog.file} +log4j.appender.RFAAUDIT.layout=org.apache.log4j.PatternLayout +log4j.appender.RFAAUDIT.layout.ConversionPattern=%d{ISO8601} %p %c{2}: %m%n +log4j.appender.RFAAUDIT.Threshold=${zookeeper.auditlog.threshold} + +log4j.appender.RFAAUDIT.MaxFileSize=<%= scope.lookupvar("zookeeper::audit_maxfilesize") %> +log4j.appender.RFAAUDIT.MaxBackupIndex=<%= scope.lookupvar("zookeeper::audit_maxbackupindex") %> +<% end -%> + # # console # Add "console" to rootlogger above if you want to use this diff --git a/templates/conf/zoo.cfg.erb b/templates/conf/zoo.cfg.erb index b20c855..d0a08df 100644 --- a/templates/conf/zoo.cfg.erb +++ b/templates/conf/zoo.cfg.erb @@ -236,3 +236,10 @@ metricsProvider.exportJvmInfo=<%= scope.lookupvar("zookeeper::metrics_provider_e #metricsProvider.httpPort=7000 #metricsProvider.exportJvmInfo=true <% end -%> + +# ZooKeeper Audit Logs (supported since 3.6) +<% if scope.lookupvar("zookeeper::audit_enable") %> +audit.enable=true +<% else -%> +#audit.enable= +<% end -%> \ No newline at end of file
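Review bot: The audit block is gated on `@audit_enable`, while every other value in this hunk and the matching switch in zoo.cfg.erb are read with `scope.lookupvar("zookeeper::...")`. If this template is rendered from a class other than `zookeeper` (not visible here), `@audit_enable` is nil, so the RFAAUDIT appender is left out even though zoo.cfg sets `audit.enable=true`, and audit events would not reach the dedicated file. Use the same lookup here: `<% if scope.lookupvar("zookeeper::audit_enable") -%>`. Also, `audit.logger=INFO, RFAAUDIT` fixes the logger level, so an `audit_threshold` more verbose than INFO has no effect.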
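Review bot: The opening tag `<% if scope.lookupvar("zookeeper::audit_enable") %>` closes with `%>` rather than `-%>`, unlike the `<% else -%>` and `<% end -%>` tags after it, so the rendered zoo.cfg gets an extra blank line when auditing is enabled. Change it to `<% if scope.lookupvar("zookeeper::audit_enable") -%>`. The file also now ends without a trailing newline.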