Audit log: No permission to connect to the database (#12287)

Author: azevaykin

ydb/core/grpc_services/audit_log.cpp

@@ -55,5 +55,19 @@ void AuditLog(ui32 status, const TAuditLogParts& parts)
     );
 }
 
+void AuditLogConnectDbAccessDenied(const IRequestProxyCtx* ctx, const TString& database, const TString& userSID, const TString& sanitizedToken)
+{
+    if (::NKikimr::NAudit::AUDIT_LOG_ENABLED.load()) {
+        AuditLog(Ydb::StatusIds::UNAUTHORIZED, {
+            {"remote_address", NKikimr::NAddressClassifier::ExtractAddress(ctx->GetPeerName())},
+            {"subject", userSID},
+            {"sanitized_token", (!sanitizedToken.empty() ? sanitizedToken : EmptyValue)},
+            {"database", database},
+            {"operation", ctx->GetRequestName()},
+            {"reason", "No permission to connect to the database"},
+        });
+    }
+}
+
 }
 }

ydb/core/grpc_services/audit_log.h

@@ -14,6 +14,7 @@ using TAuditLogParts = TVector<std::pair<TString, TString>>;
 
 // grpc "operations" log
 void AuditLog(ui32 status, const TAuditLogParts& parts);
+void AuditLogConnectDbAccessDenied(const IRequestProxyCtx* reqCtx, const TString& database, const TString& userSID, const TString& sanitizedToken);
 
 }
 }

ydb/core/grpc_services/grpc_request_check_actor.h

@@ -172,6 +172,7 @@ class TGrpcRequestCheckActor
         {
             auto [error, issue] = CheckConnectRight();
             if (error) {
+                AuditLogConnectDbAccessDenied(GrpcRequestBaseCtx_, CheckedDatabaseName_, TBase::GetUserSID(), TBase::GetSanitizedToken());
                 ReplyUnauthorizedAndDie(*issue);
                 return;
             }
@@ -554,21 +555,21 @@ class TGrpcRequestCheckActor
             return {false, std::nullopt};
         }
 
-        const TString error = TStringBuilder()
-            << "User has no permission to perform query on this database"
-            << ", database: " << CheckedDatabaseName_
-            << ", user: " << TBase::GetUserSID()
-            << ", from ip: " << GrpcRequestBaseCtx_->GetPeerName();
-        LOG_INFO(*TlsActivationContext, NKikimrServices::GRPC_PROXY_NO_CONNECT_ACCESS, "%s", error.c_str());
-
         Counters_->IncDatabaseAccessDenyCounter();
 
         if (!AppData()->FeatureFlags.GetCheckDatabaseAccessPermission()) {
             return {false, std::nullopt};
         }
 
-        LOG_INFO(*TlsActivationContext, NKikimrServices::GRPC_SERVER, "%s", error.c_str());
-        return {true, MakeIssue(NKikimrIssues::TIssuesIds::ACCESS_DENIED, error)};
+        const TString error = "No permission to connect to the database";
+        LOG_INFO_S(TlsActivationContext->AsActorContext(), NKikimrServices::GRPC_SERVER, 
+            error
+            << ": " << CheckedDatabaseName_
+            << ", user: " << TBase::GetUserSID()
+            << ", from ip: " << GrpcRequestBaseCtx_->GetPeerName()
+        );
+
+        return {true, MakeIssue(NKikimrIssues::TIssuesIds::ACCESS_DENIED, error)};;
     }
 
     const TActorId Owner_;

ydb/services/ydb/ydb_login_ut.cpp

@@ -169,7 +169,7 @@ Y_UNIT_TEST_SUITE(TGRpcAuthentication) {
         UNIT_ASSERT_NO_EXCEPTION(token = loginProvider->GetAuthInfo());
         UNIT_ASSERT(!token.empty());
 
-        loginConnection.TestConnectRight(token, "User has no permission");
+        loginConnection.TestConnectRight(token, "No permission to connect to the database");
 
         loginConnection.Stop();
     }