<!doctype html>
<html lang="en">
<head>
<title>Read Auditing | Ebean</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<link rel="shortcut icon" href="/images/favicon.ico">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto|Source+Sans+Pro|Ubuntu&display=swap">
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.1.0/css/all.css" integrity="sha384-lKuwvrZot6UHsBSfcMvOkWwlCMgc0TaWr+30HWe3a4ltaBwTZhyTEggF5tJv8tbt" crossorigin="anonymous">
<link rel="stylesheet" href="/css/reset3.css">
<link rel="stylesheet" href="/css/site3.css">
<link rel="stylesheet" href="/css/pygments3.css">
</head>
<body>
<div id="main">
<div id="banner">
<header>
<nav id="top">
<h1 id="breadcrumb">
<a class="nav-logo" href="/"><img src="/images/logo-200.png" height="35"></a> <a href="/docs">Documentation</a><span class="sep"> / </span><a href="/docs/features/">Features</a><span class="sep"> / </span><span class="last">Read Auditing</span>
</h1>
<ul>
<li><a onclick="toggleTheme();" title="switch dark light theme"><i class="fas fa-adjust"></i></a></li>
</ul>
</nav>
</header>
</div>
<div class="grid grid-docs">
<aside>
<nav class="side">
<ul>
<li class="nav0 ">
<a href="/docs/getting-started">Getting started</a>
</li>
<li class="nav0 ">
<a href="/docs/intro">Introduction</a>
</li>
<li class="nav0 active">
<a class="active" href="/docs">Documentation</a>
<ul>
<li class="nav1 ">
<a href="/docs/agents">AI Agents</a>
</li>
<li class="nav1 ">
<a href="/docs/best-practice">Best practice</a>
</li>
<li class="nav1 ">
<a href="/docs/query">Query</a>
</li>
<li class="nav1 ">
<a href="/docs/persist">Persist</a>
</li>
<li class="nav1 ">
<a href="/docs/transactions">Transactions</a>
</li>
<li class="nav1 ">
<a href="/docs/mapping">Mapping</a>
</li>
<li class="nav1 ">
<a href="/docs/ddl-generation">DDL &amp; Migrations</a>
</li>
<li class="nav1 ">
<a href="/docs/logging">Logging</a>
</li>
<li class="nav1 ">
<a href="/docs/testing">Testing</a>
</li>
<li class="nav1 ">
<a href="/docs/read-replicas">Read Replicas</a>
</li>
<li class="nav1 ">
<a href="/docs/database">Database platforms</a>
</li>
<li class="nav1 ">
<a href="/docs/multi-database">Multiple databases</a>
</li>
<li class="nav1 ">
<a href="/docs/kotlin">Kotlin</a>
</li>
<li><a href="/docs/tuning">Tuning</a></li>
<li class="nav1 active">
<a class="active" href="/docs/features">Features</a>
<ul class="nav">
<li >
<a href="/docs/features/l2cache">L2 Cache</a>
</li>
<li >
<a href="/docs/features/elasticsearch">Elasticsearch</a>
</li>
<li >
<a href="/docs/features/json-in-db">@DbJson</a>
</li>
<li >
<a href="/docs/features/softdelete">Soft Delete</a>
</li>
<li >
<a href="/docs/features/encryption">Encryption</a>
</li>
<li >
<a href="/docs/features/who">@WhoModified / @WhoCreated</a>
</li>
<li >
<a href="/docs/features/history">SQL2011 History</a>
</li>
<li >
<a href="/docs/features/changelog">ChangeLog</a>
</li>
<li class="active">
<a class="active" href="/docs/features/readauditing">Read auditing</a>
<ul class="nav nav-scroll">
<li >
<a href="#limitations">Limitations</a>
</li>
<li >
<a href="#getting-started">Getting started</a>
</li>
<li >
<a href="#readAuditLogger">ReadAuditLogger</a>
</li>
<li >
<a href="#setDisableReadAuditing">Disable for query</a>
</li>
</ul>
</li>
<li >
<a href="/docs/features/eventlistening">Event Listening</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="nav0 ">
<a href="/support">Getting help</a>
</li>
<li class="nav0 ">
<a target="_blank" href="/apidoc/13">API Javadoc</a>
</li>
<li class="nav0 ">
<a href="/videos">Videos</a>
</li>
<li class="nav0 ">
<a href="/docs/upgrading">Upgrading</a>
</li>
<li class="nav0 ">
<a href="/docs/deprecated">Deprecated</a>
</li>
<li class="nav0 ">
<a href="/releases">Releases</a>
</li>
</ul>
</nav>
</aside>
<article>
<form action="https://www.google.com/search" method="get" class="inline-form">
<input type="hidden" name="as_sitesearch" value="ebean.io">
<div id="page-search">
<div class="input-group">
<input class="frm" name="q" id="searchinput" type="text" placeholder="Search... (press 's' to focus)" data-placeholder-focus="Search... (use '↑', '↓' and '⏎' to select results)" data-placeholder-blur="Search... (press 's' to focus)" autocomplete="off">
<div class="input-group-btn">
<button class="frm" type="submit"><i class="fas fa-search"></i></button>
</div>
</div>
<div id="page-search-results" style="display: none;">
<ul id="search-results-container" class="search-results"><li class=" active"><a href="/docs" title="Docs"><span style="color:#777;">Docs</span> Documentation </a></li><li class=""><small style="color:#999;">And 101 more...</small></li></ul>
</div>
</div>
</form>
<h2 id="overview">Overview</h2>
<p>
ReadAudit is a feature where read access is logged for auditing purposes. You can annotate entity
beans with @ReadAudit, and read events on these beans (queries and hits in the L2 cache) are then logged.
</p>
<p>
An implementation of the ReadAuditPrepare interface is typically required. The readAuditPrepare.prepare()
method is expected to populate the ReadEvent with user context information (user id, user IP address, etc.).
</p>
<h2 id="limitations">Limitations</h2>
<p>
SqlQuery queries are currently not logged to the read audit log (RawSql queries are included in read auditing).
</p>
<h2 id="getting-started">Getting started</h2>
<h3>Step 1: Add @ReadAudit</h3>
<p>
Add the @ReadAudit annotation to all the entity beans that should have read auditing.
</p>
<div class="syntax java"><div class="highlight"><pre><span></span><span class="nd">@ReadAudit</span>
<span class="nd">@Entity</span>
<span class="nd">@Table</span><span class="o">(</span><span class="nx">name</span> <span class="o">=</span> <span class="s">"customer"</span><span class="o">)</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">Customer</span> <span class="o">{</span>
<span class="o">...</span>
</pre></div>
</div>
<h3>Step 2: Implement ReadAuditPrepare</h3>
<p>
If you skip this step and don't supply a ReadAuditPrepare implementation, a 'no op' implementation
is used and the user context information (user id, user IP address, etc.) is left unpopulated.
</p>
<div class="syntax java"><div class="highlight"><pre><span></span><span class="kd">class</span> <span class="nc">MyReadAuditPrepare</span> <span class="kd">implements</span> <span class="n">ReadAuditPrepare</span> <span class="o">{</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">prepare</span><span class="o">(</span><span class="n">ReadEvent</span> <span class="n">event</span><span class="o">)</span> <span class="o">{</span>
<span class="c1">// get user context information typically from a</span>
<span class="c1">// ThreadLocal or similar mechanism</span>
<span class="n">String</span> <span class="n">currentUserId</span> <span class="o">=</span> <span class="o">...;</span>
<span class="n">event</span><span class="o">.</span><span class="na">setUserId</span><span class="o">(</span><span class="n">currentUserId</span><span class="o">);</span>
<span class="n">String</span> <span class="n">userIpAddress</span> <span class="o">=</span> <span class="o">...;</span>
<span class="n">event</span><span class="o">.</span><span class="na">setUserIpAddress</span><span class="o">(</span><span class="n">userIpAddress</span><span class="o">);</span>
<span class="n">event</span><span class="o">.</span><span class="na">setSource</span><span class="o">(</span><span class="s">"myApplicationName"</span><span class="o">);</span>
<span class="c1">// add arbitrary user context information to the</span>
<span class="c1">// userContext map</span>
<span class="n">event</span><span class="o">.</span><span class="na">getUserContext</span><span class="o">().</span><span class="na">put</span><span class="o">(</span><span class="s">"some"</span><span class="o">,</span> <span class="s">"thing"</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
</pre></div>
</div>
<h3>Step 3: Register ReadAuditPrepare implementation</h3>
<p>
The implementation of ReadAuditPrepare can be automatically detected
if classpath scanning is on (in the same way that entity beans are found). That is,
if scanning is on, you don't need to explicitly register the ReadAuditPrepare implementation;
it will be found and instantiated.
</p>
<p>
If scanning is not used, or the ReadAuditPrepare implementation has dependencies and its
instantiation should be performed externally to Ebean, then register it explicitly on the
<code>DatabaseBuilder</code>.
</p>
<div class="syntax java"><div class="highlight"><pre><span></span><span class="c1">// example code explicitly registering the ReadAuditPrepare implementation</span>
<span class="n">MyReadAuditPrepare</span> <span class="n">readAuditPrepare</span> <span class="o">=</span> <span class="o">...;</span>
<span class="n">Database</span> <span class="n">database</span> <span class="o">=</span> <span class="n">Database</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span>
<span class="o">.</span><span class="na">loadFromProperties</span><span class="o">()</span>
<span class="o">.</span><span class="na">readAuditPrepare</span><span class="o">(</span><span class="n">readAuditPrepare</span><span class="o">)</span>
<span class="o">.</span><span class="na">build</span><span class="o">();</span>
</pre></div>
</div>
<h3>Step 4: Configure logging</h3>
<p>
The default implementation of ReadAuditLogger logs query plan entries to <code>io.ebean.ReadAuditQuery</code>
and read events to <code>io.ebean.ReadAudit</code>. The query plans contain the full SQL. Logging them
separately means that the read events don't need to include the full SQL executed; instead, the bean type
and query key can be used to look up the associated SQL. This reduces the size of the read event logs.
</p>
<p>
The Logback XML configuration below defines two appenders: <code>READAUDIT_QUERY_LOG</code> for logging
the query plans and <code>READAUDIT_LOG</code> for logging the read bean events.
</p>
<div class="syntax xml"><div class="highlight"><pre><span></span><span class="c">&lt;!-- LOGBACK configuration: separate loggers for the read auditing --&gt;</span>
<span class="nt">&lt;appender</span> <span class="na">name=</span><span class="s">"READAUDIT_QUERY_LOG"</span> <span class="na">class=</span><span class="s">"ch.qos.logback.core.rolling.RollingFileAppender"</span><span class="nt">&gt;</span>
<span class="nt">&lt;File&gt;</span>log/readAuditQuery.log<span class="nt">&lt;/File&gt;</span>
<span class="nt">&lt;rollingPolicy</span> <span class="na">class=</span><span class="s">"ch.qos.logback.core.rolling.TimeBasedRollingPolicy"</span><span class="nt">&gt;</span>
<span class="nt">&lt;FileNamePattern&gt;</span>log/readAuditQuery.log.%d{yyyy-MM-dd}<span class="nt">&lt;/FileNamePattern&gt;</span>
<span class="nt">&lt;MaxHistory&gt;</span>90<span class="nt">&lt;/MaxHistory&gt;</span>
<span class="nt">&lt;/rollingPolicy&gt;</span>
<span class="nt">&lt;encoder</span> <span class="na">class=</span><span class="s">"ch.qos.logback.classic.encoder.PatternLayoutEncoder"</span><span class="nt">&gt;</span>
<span class="nt">&lt;pattern&gt;</span>%d{HH:mm:ss.SSS} %msg%n<span class="nt">&lt;/pattern&gt;</span>
<span class="nt">&lt;/encoder&gt;</span>
<span class="nt">&lt;/appender&gt;</span>
<span class="nt">&lt;appender</span> <span class="na">name=</span><span class="s">"READAUDIT_LOG"</span> <span class="na">class=</span><span class="s">"ch.qos.logback.core.rolling.RollingFileAppender"</span><span class="nt">&gt;</span>
<span class="nt">&lt;File&gt;</span>log/readAudit.log<span class="nt">&lt;/File&gt;</span>
<span class="nt">&lt;rollingPolicy</span> <span class="na">class=</span><span class="s">"ch.qos.logback.core.rolling.TimeBasedRollingPolicy"</span><span class="nt">&gt;</span>
<span class="nt">&lt;FileNamePattern&gt;</span>log/readAudit.log.%d{yyyy-MM-dd}<span class="nt">&lt;/FileNamePattern&gt;</span>
<span class="nt">&lt;MaxHistory&gt;</span>90<span class="nt">&lt;/MaxHistory&gt;</span>
<span class="nt">&lt;/rollingPolicy&gt;</span>
<span class="nt">&lt;encoder</span> <span class="na">class=</span><span class="s">"ch.qos.logback.classic.encoder.PatternLayoutEncoder"</span><span class="nt">&gt;</span>
<span class="nt">&lt;pattern&gt;</span>%d{HH:mm:ss.SSS} %msg%n<span class="nt">&lt;/pattern&gt;</span>
<span class="nt">&lt;/encoder&gt;</span>
<span class="nt">&lt;/appender&gt;</span>
<span class="nt">&lt;logger</span> <span class="na">name=</span><span class="s">"io.ebean.ReadAuditQuery"</span> <span class="na">level=</span><span class="s">"TRACE"</span> <span class="na">additivity=</span><span class="s">"false"</span><span class="nt">&gt;</span>
<span class="nt">&lt;appender-ref</span> <span class="na">ref=</span><span class="s">"READAUDIT_QUERY_LOG"</span><span class="nt">/&gt;</span>
<span class="nt">&lt;/logger&gt;</span>
<span class="nt">&lt;logger</span> <span class="na">name=</span><span class="s">"io.ebean.ReadAudit"</span> <span class="na">level=</span><span class="s">"TRACE"</span> <span class="na">additivity=</span><span class="s">"false"</span><span class="nt">&gt;</span>
<span class="nt">&lt;appender-ref</span> <span class="na">ref=</span><span class="s">"READAUDIT_LOG"</span><span class="nt">/&gt;</span>
<span class="nt">&lt;/logger&gt;</span>
</pre></div>
</div>
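<p>
The user-context lookup that Step 2 leaves as <code>...</code>, written out as an added example (not Ebean's own code).
It assumes the application binds the authenticated user id and client IP to SLF4J's MDC under the hypothetical keys
<code>userId</code> and <code>clientIp</code>; the <code>runAs</code> helper and the <code>UNATTRIBUTED</code> marker are also inventions of this example.
</p>

```java
import io.ebean.event.readaudit.ReadAuditPrepare;
import io.ebean.event.readaudit.ReadEvent;
import org.slf4j.MDC;

/** Added example: populate ReadEvent from SLF4J's thread-local MDC. */
public class MdcReadAuditPrepare implements ReadAuditPrepare {

  static final String USER_ID = "userId";     // hypothetical MDC key
  static final String CLIENT_IP = "clientIp"; // hypothetical MDC key

  /** Request-boundary helper: bind the identity, run the work, always unbind. */
  public static void runAs(String userId, String clientIp, Runnable work) {
    MDC.put(USER_ID, userId);
    MDC.put(CLIENT_IP, clientIp);
    try {
      work.run();
    } finally {
      // Pooled threads are reused. Without this cleanup the next request on
      // this thread would be audited under the previous user's identity.
      MDC.remove(USER_ID);
      MDC.remove(CLIENT_IP);
    }
  }

  @Override
  public void prepare(ReadEvent event) {
    String userId = MDC.get(USER_ID);
    event.setSource("myApplicationName");
    if (userId == null) {
      // No request identity on this thread (scheduler, startup task, ...).
      // Record that explicitly so unattributed reads can be searched for,
      // rather than leaving the user fields empty.
      event.setUserId("UNATTRIBUTED");
      event.getUserContext().put("thread", Thread.currentThread().getName());
    } else {
      event.setUserId(userId);
      event.setUserIpAddress(MDC.get(CLIENT_IP));
    }
  }
}
```

<p>
Register it as shown in Step 3, and wrap request handling in <code>runAs(...)</code> (or the equivalent filter) so every audited query runs with an identity bound.
</p>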
<h2 id="readAuditLogger">Optional: ReadAuditLogger implementation</h2>
<p>
If the default logging does not suit, you can implement ReadAuditLogger to control how the
events are logged, for example to log to a message queue or directly to a data store.
</p>
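<p>
A custom logger that forwards to an external sink, as an added example (not Ebean's own code). The <code>AuditSink</code>
interface, the topic names and the tab-separated record layout are hypothetical; the <code>ReadAuditLogger</code>,
<code>ReadEvent</code> and <code>ReadAuditQueryPlan</code> method names are those of the <code>io.ebean.event.readaudit</code> package and should be checked against the Javadoc for the Ebean version in use.
</p>

```java
import io.ebean.event.readaudit.ReadAuditLogger;
import io.ebean.event.readaudit.ReadAuditQueryPlan;
import io.ebean.event.readaudit.ReadEvent;
import java.util.concurrent.atomic.AtomicLong;

/** Added example: forward read-audit records to a hypothetical sink. */
public class SinkReadAuditLogger implements ReadAuditLogger {

  /** Hypothetical transport (message queue producer, table writer, ...). */
  public interface AuditSink {
    boolean offer(String topic, String record); // false = record not accepted
  }

  private final AuditSink sink;
  private final AtomicLong dropped = new AtomicLong();

  public SinkReadAuditLogger(AuditSink sink) { this.sink = sink; }

  @Override
  public void queryPlan(ReadAuditQueryPlan plan) {
    // Holds the full SQL; read events refer to it by bean type + query key.
    send("readaudit.query", String.join("\t",
        plan.getBeanType(), plan.getQueryKey(), oneLine(plan.getSql())));
  }

  @Override
  public void auditBean(ReadEvent e) { send("readaudit.event", header(e) + "\tid=" + e.getId()); }

  @Override
  public void auditMany(ReadEvent e) { send("readaudit.event", header(e) + "\tids=" + e.getIds()); }

  private static String header(ReadEvent e) {
    return String.join("\t", String.valueOf(e.getEventTime()), oneLine(e.getSource()),
        oneLine(e.getUserId()), oneLine(e.getUserIpAddress()), e.getBeanType(), e.getQueryKey());
  }

  /** Collapse CR/LF/TAB so a field value cannot split or forge a record. */
  private static String oneLine(String s) {
    return s == null ? "" : s.replaceAll("[\\r\\n\\t]+", " ");
  }

  private void send(String topic, String record) {
    // Never block the query on the sink, but count every record it refuses
    // so that a gap in the audit trail shows up in monitoring.
    if (!sink.offer(topic, record)) dropped.incrementAndGet();
  }

  public long droppedCount() { return dropped.get(); }
}
```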
<h2 id="setDisableReadAuditing">Query.setDisableReadAuditing()</h2>
<p>
For a specific query you can explicitly exclude it from the read auditing. The typical
use case for this is where the query is used internally in the application to populate a
cache or process bulk data and where you don't want that to go into the read audit log.
</p>
</article>
</div>
</div>
<script src="https://code.jquery.com/jquery-3.4.1.slim.min.js" integrity="sha384-J6qa4849blE2+poT4WnyKhv5vZF5SrPo0iEjwBvKU7imGFAV0wwj1yYfoRSJoZ+n" crossorigin="anonymous"></script>
<script src="/js/site3.js"></script>
<script src="/js/search3.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-75181644-1"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-75181644-1');
</script>
</body>
</html>