Audit log: No permission to connect to the database

ydb/core/grpc_services/audit_log.cpp

@@ -35,31 +35,6 @@ void AuditLogConn(const IRequestProxyCtx* ctx, const TString& database, const TS
     );
 }
 
-void AuditLogAccessDenied(const IRequestProxyCtx* ctx, const TString& database, const TString& userSID, const TString& sanitizedToken)
-{
-    static const TString GrpcConnComponentName = "grpc-access-denied";
-
-    const TString remoteAddress = NKikimr::NAddressClassifier::ExtractAddress(ctx->GetPeerName());
-
-    AUDIT_LOG(
-        AUDIT_PART("component", GrpcConnComponentName)
-
-        AUDIT_PART("remote_address", remoteAddress)
-        AUDIT_PART("subject", userSID)
-        AUDIT_PART("sanitized_token", (!sanitizedToken.empty() ? sanitizedToken : EmptyValue))
-        AUDIT_PART("database", database)
-        AUDIT_PART("operation", ctx->GetRequestName())
-    );
-
-    LOG_INFO_S(TlsActivationContext->AsActorContext(), NKikimrServices::GRPC_SERVER, "AUDIT: "
-        << "User has no permission to perform query on this database " << database 
-        << ", subject " << userSID
-        << ", sanitized_token " << (!sanitizedToken.empty() ? sanitizedToken : EmptyValue)
-        << ", operation " << ctx->GetRequestName()
-        << ", remote_address " << remoteAddress
-    );
-}
-
 void AuditLog(ui32 status, const TAuditLogParts& parts)
 {
     static const TString GrpcProxyComponentName = "grpc-proxy";
@@ -80,5 +55,19 @@ void AuditLog(ui32 status, const TAuditLogParts& parts)
     );
 }
 
+void AuditLogConnectDbAccessDenied(const IRequestProxyCtx* ctx, const TString& database, const TString& userSID, const TString& sanitizedToken)
+{
+    if (::NKikimr::NAudit::AUDIT_LOG_ENABLED.load()) {
+        AuditLog(Ydb::StatusIds::UNAUTHORIZED, {
+            {"remote_address", NKikimr::NAddressClassifier::ExtractAddress(ctx->GetPeerName())},
+            {"subject", userSID},
+            {"sanitized_token", (!sanitizedToken.empty() ? sanitizedToken : EmptyValue)},
+            {"database", database},
+            {"operation", ctx->GetRequestName()},
+            {"reason", "No permission to connect to the database"},
+        });
+    }
+}
+
 }
 }

ydb/core/grpc_services/audit_log.h

@@ -9,12 +9,12 @@ class IRequestCtxMtSafe;
 
 // grpc "connections" log
 void AuditLogConn(const IRequestProxyCtx* reqCtx, const TString& database, const TString& userSID, const TString& sanitizedToken);
-void AuditLogAccessDenied(const IRequestProxyCtx* reqCtx, const TString& database, const TString& userSID, const TString& sanitizedToken);
 
 using TAuditLogParts = TVector<std::pair<TString, TString>>;
 
 // grpc "operations" log
 void AuditLog(ui32 status, const TAuditLogParts& parts);
+void AuditLogConnectDbAccessDenied(const IRequestProxyCtx* reqCtx, const TString& database, const TString& userSID, const TString& sanitizedToken);
 
 }
 }

ydb/core/grpc_services/grpc_request_check_actor.h

@@ -170,10 +170,10 @@ class TGrpcRequestCheckActor
         }
 
         {
-            bool error = CheckConnectRight();
+            auto [error, issue] = CheckConnectRight();
             if (error) {
-                AuditLogAccessDenied(GrpcRequestBaseCtx_, CheckedDatabaseName_, TBase::GetUserSID(), TBase::GetSanitizedToken());
-                ReplyUnauthorizedAndDie();
+                AuditLogConnectDbAccessDenied(GrpcRequestBaseCtx_, CheckedDatabaseName_, TBase::GetUserSID(), TBase::GetSanitizedToken());
+                ReplyUnauthorizedAndDie(*issue);
                 return;
             }
         }
@@ -431,8 +431,8 @@ class TGrpcRequestCheckActor
     }
 
 private:
-    void ReplyUnauthorizedAndDie() {
-        GrpcRequestBaseCtx_->RaiseIssue(MakeIssue(NKikimrIssues::TIssuesIds::ACCESS_DENIED));
+    void ReplyUnauthorizedAndDie(const NYql::TIssue& issue) {
+        GrpcRequestBaseCtx_->RaiseIssue(issue);
         GrpcRequestBaseCtx_->ReplyWithYdbStatus(Ydb::StatusIds::UNAUTHORIZED);
         GrpcRequestBaseCtx_->FinishSpan();
         PassAway();
@@ -510,14 +510,14 @@ class TGrpcRequestCheckActor
         PassAway();
     }
 
-    bool CheckConnectRight() {
+    std::pair<bool, std::optional<NYql::TIssue>> CheckConnectRight() {
         if (SkipCheckConnectRights_) {
             LOG_DEBUG_S(*TlsActivationContext, NKikimrServices::GRPC_PROXY_NO_CONNECT_ACCESS,
                         "Skip check permission connect db, AllowYdbRequestsWithoutDatabase is off, there is no db provided from user"
                         << ", database: " << CheckedDatabaseName_
                         << ", user: " << TBase::GetUserSID()
                         << ", from ip: " << GrpcRequestBaseCtx_->GetPeerName());
-            return false;
+            return {false, std::nullopt};
         }
 
         if (TBase::IsUserAdmin()) {
@@ -526,7 +526,7 @@ class TGrpcRequestCheckActor
                         << ", database: " << CheckedDatabaseName_
                         << ", user: " << TBase::GetUserSID()
                         << ", from ip: " << GrpcRequestBaseCtx_->GetPeerName());
-            return false;
+            return {false, std::nullopt};
         }
 
         if (!TBase::GetSecurityToken()) {
@@ -536,7 +536,7 @@ class TGrpcRequestCheckActor
                             << ", database: " << CheckedDatabaseName_
                             << ", user: " << TBase::GetUserSID()
                             << ", from ip: " << GrpcRequestBaseCtx_->GetPeerName());
-                return false;
+                return {false, std::nullopt};
             }
         }
 
@@ -546,22 +546,31 @@ class TGrpcRequestCheckActor
                         << ", database: " << CheckedDatabaseName_
                         << ", user: " << TBase::GetUserSID()
                         << ", from ip: " << GrpcRequestBaseCtx_->GetPeerName());
-            return false;
+            return {false, std::nullopt};
         }
 
         const ui32 access = NACLib::ConnectDatabase;
         const auto& parsedToken = TBase::GetParsedToken();
         if (parsedToken && SecurityObject_->CheckAccess(access, *parsedToken)) {
-            return false;
+            return {false, std::nullopt};
         }
 
         Counters_->IncDatabaseAccessDenyCounter();
 
         if (!AppData()->FeatureFlags.GetCheckDatabaseAccessPermission()) {
-            return false;
+            return {false, std::nullopt};
         }
 
-        return true;
+        const TString error = "No permission to connect to the database";
+        LOG_INFO_S(TlsActivationContext->AsActorContext(), NKikimrServices::GRPC_SERVER, 
+            "AUDIT: "
+            << error
+            << ": " << CheckedDatabaseName_
+            << ", user: " << TBase::GetUserSID()
+            << ", from ip: " << GrpcRequestBaseCtx_->GetPeerName()
+        );
+
+        return {true, MakeIssue(NKikimrIssues::TIssuesIds::ACCESS_DENIED, error)};;
     }
 
     const TActorId Owner_;

ydb/services/ydb/ydb_login_ut.cpp

@@ -169,7 +169,7 @@ Y_UNIT_TEST_SUITE(TGRpcAuthentication) {
         UNIT_ASSERT_NO_EXCEPTION(token = loginProvider->GetAuthInfo());
         UNIT_ASSERT(!token.empty());
 
-        loginConnection.TestConnectRight(token, "Access denied");
+        loginConnection.TestConnectRight(token, "No permission to connect to the database");
 
         loginConnection.Stop();
     }