
Audit log event schema

In Confluent Cloud, an event is triggered by an event producer whenever an actual action occurs.

Events are triggered when Confluent Cloud content or data changes, or when a predefined rule or threshold is matched.

This topic describes the Confluent Cloud audit log event schema, which is based on CloudEvents.

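Compatibility policy

Confluent makes non-breaking changes to the schema without advance notice. Breaking changes are widely communicated at least 180 days in advance, and compatibility is maintained during that time. Exceptions to this policy apply in the case of critical security vulnerabilities or functional defects. For the latest feature updates, see "Confluent Cloud Release Notes".

The following changes are considered backward compatible: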

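  • Adding new properties to an existing model
  • Changing the order of properties
  • Changing the length or format of opaque strings, such as identifiers
  • Introducing a new allowed value for a property, where the existing schema does not impose a constraint that limits the property to a specific set of values
  • Introducing a new event type with its own data format constraints, independent of the data format constraints of existing event types
  • Omitting properties that have null values or that are not explicitly declared as required in the schema
  • Omitting, or changing the representation of, values that appear in the message property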
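
A consumer that feeds these events into detection or alerting has to keep working through every change in the list above. The following Python sketch is an added example, not Confluent code: it reads events using field names from the schema on this page, tolerates unknown properties, absent optional fields, unrecognised values and new event types, and never parses the message property. The allowed/denied/unknown mapping and the sample events are constructed for illustration.

```python
import json

# Event types named in the schema on this page.
AUTHN = "io.confluent.kafka.server/authentication"
AUTHZ = "io.confluent.kafka.server/authorization"
CLOUD = "io.confluent.cloud/request"
REQUIRED = ("id", "source", "specversion", "type")  # the schema's top-level "required"


def dig(obj, *path):
    """Follow nested keys; None if any level is absent, null or not an object."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def principal_of(data):
    """principal is a string in Kafka events and an object in cloud request events."""
    p = dig(data, "authenticationInfo", "principal")
    if isinstance(p, str):
        return p
    for kind in ("confluentUser", "confluentServiceAccount"):
        rid = dig(p, kind, "resourceId")
        if rid:
            return f"{kind}:{rid}"
    subject = dig(p, "externalAccount", "subject")
    return f"externalAccount:{subject}" if subject else None


def outcome_of(etype, data):
    """Map each event type's own result fields to allowed / denied / unknown.

    The mapping is this example's choice. Values the code does not recognise
    fall through to "unknown" instead of raising, and result.message is never
    inspected because its wording may change.
    """
    if etype == AUTHN:
        status = dig(data, "result", "status")
        if status == "SUCCESS":
            return "allowed"
        if status == "UNAUTHENTICATED":
            return "denied"
    elif etype == AUTHZ:
        granted = dig(data, "authorizationInfo", "granted")
        if isinstance(granted, bool):
            return "allowed" if granted else "denied"
    elif etype == CLOUD:
        authn = dig(data, "authenticationInfo", "result")
        authz = dig(data, "authorizationInfo", "result")
        if authn == "FAILURE" or authz == "DENY":
            return "denied"
        if authz == "ALLOW":
            return "allowed"
    return "unknown"


def normalize(raw):
    """Parse one audit event and return a flat record; reject only what the schema requires."""
    event = json.loads(raw)
    if not isinstance(event, dict):
        raise ValueError("audit event must be a JSON object")
    missing = [k for k in REQUIRED if not isinstance(event.get(k), str) or not event[k]]
    if missing:
        raise ValueError(f"missing required properties: {missing}")
    data = event.get("data")
    etype = event["type"]
    return {
        "id": event["id"],
        "type": etype,
        "known_type": etype in (AUTHN, AUTHZ, CLOUD),
        "time": event.get("time"),  # optional and nullable in the schema
        "principal": principal_of(data),
        "method": dig(data, "methodName"),
        "resource": event.get("subject") or dig(data, "resourceName"),
        "outcome": outcome_of(etype, data),
    }


# Constructed sample events; values reuse the schema's own "examples" where it gives them.
_BASE = {"specversion": "1.0", "source": "crn://confluent.cloud/kafka=lkc-a1b2c"}
SAMPLES = [json.dumps({**_BASE, **e}) for e in (
    {"id": "evt-1", "type": AUTHN, "time": "2020-12-06T13:39:03Z",
     "data": {"methodName": "kafka.Authentication",
              "authenticationInfo": {"principal": "None:UNKNOWN_USER"},
              "result": {"status": "UNAUTHENTICATED", "message": "text that may change"}}},
    {"id": "evt-2", "type": AUTHZ,
     "subject": "crn://confluent.cloud/kafka=lkc-xyz01/topic=departures",
     "addedLater": 1,  # a property the schema does not define today
     "data": {"methodName": "kafka.CreateTopics",
              "authenticationInfo": {"principal": "User:12345"},
              "authorizationInfo": {"granted": False, "operation": "Create"}}},
    {"id": "evt-3", "type": CLOUD,  # no "time" and a null "request": both permitted
     "data": {"methodName": "DeleteAPIKey", "request": None,
              "authenticationInfo": {
                  "principal": {"confluentServiceAccount": {"resourceId": "sa-8191a"}},
                  "result": "SUCCESS"},
              "authorizationInfo": {"result": "ALLOW"}}},
    # An event type this code has never seen (constructed name).
    {"id": "evt-4", "type": "example.invalid/future-event", "data": {"anything": [1, 2]}},
)]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalize(sample))
```

Records with outcome "unknown" or known_type False are worth counting separately, since a rise in either usually means the schema has gained a value or event type the consumer should learn about.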

Audit log event schema file

Updated: April 22, 2022

The complete Confluent Cloud audit log event schema follows.

{
  "$schema":"http://json-schema.org/draft-07/schema#",
  "type":"object",
  "description":"This is v1.2 of the Confluent cloud audit log event schema. It is based on CloudEvents. Links to the latest version can be found at https://docs.confluent.io/cloud/current/monitoring/audit-logging. Confluent will make non-breaking changes to the schema without advance notice. Breaking changes will be widely communicated at least 180 days in advance, and we will continue to maintain compatibility during this time. Exceptions to this policy apply in case of critical security vulnerabilities or functional defects. Check the above web page for links to our announcement channels and details about our compatibility policy.",
  "properties":{
    "id":{
      "type":"string",
      "minLength":1,
      "description":"Uniquely identifies the event.",
      "examples":[
        "c72a3d0c-e6f3-4196-9b49-a835614452df"
      ]
    },
    "specversion":{
      "type":"string",
      "minLength":1,
      "description":"The version of the CloudEvents specification which the event uses.",
      "examples":[
        "1.0"
      ]
    },
    "source":{
      "type":"string",
      "format":"uri-reference",
      "minLength":1,
      "description":"Identifies the context in which an event happened.",
      "examples":[
        "crn://confluent.cloud",
        "crn://confluent.cloud/kafka=lkc-a1b2c",
        "crn:///kafka=lkc-a1b2c"
      ]
    },
    "subject":{
      "type":[
        "string",
        "null"
      ],
      "minLength":1,
      "description":"Identifies the resource that would be affected by the event.",
      "examples":[
        "crn:///kafka=lkc-a1b2c",
        "crn://confluent.cloud/kafka=lkc-a1b2c",
        "crn://confluent.cloud/kafka=lkc-xyz01/topic=departures",
        "crn://confluent.cloud/kafka=lkc-xyz01/group=delivery-estimator"
      ]
    },
    "type":{
      "type":"string",
      "minLength":1,
      "description":"Describes the type of event.",
      "examples":[
        "io.confluent.kafka.server/authentication",
        "io.confluent.kafka.server/authorization",
        "io.confluent.cloud/request"
      ]
    },
    "time":{
      "type":[
        "string",
        "null"
      ],
      "minLength":1,
      "description":"Timestamp of when the occurrence happened. Adheres to RFC 3339.",
      "examples":[
        "2020-12-06T13:39:03Z",
        "2020-12-06T13:39:03.123Z"
      ]
    },
    "datacontenttype":{
      "type":[
        "string",
        "null"
      ],
      "description":"Content type of the data value. Adheres to RFC 2046 format.",
      "minLength":1,
      "examples":[
        "application/json"
      ]
    },
    "dataschema":{
      "type":[
        "string",
        "null"
      ],
      "format":"uri",
      "minLength":1,
      "description":"Identifies the schema that data adheres to. Currently unused."
    },
    "data":{
      "type":"object",
      "description":"Additional details about the audited occurrence.",
      "properties":{
        "serviceName":{
          "type":"string",
          "description":"The resource identifier of the service (the source) that received the request being logged.",
          "examples":[
            "crn://confluent.cloud",
            "crn://confluent.cloud/kafka=lkc-a1b2c",
            "crn:///kafka=lkc-a1b2c"
          ]
        },
        "resourceName":{
          "type":"string",
          "description":"The resource identifier of the target (subject) of the request",
          "examples":[
            "crn:///kafka=lkc-a1b2c",
            "crn://confluent.cloud/kafka=lkc-a1b2c",
            "crn://confluent.cloud/kafka=lkc-xyz01/topic=departures",
            "crn://confluent.cloud/kafka=lkc-xyz01/group=delivery-estimator"
          ]
        },
        "request":{
          "type":[
            "object",
            "null"
          ],
          "description":"Unordered map of dynamically typed values.",
          "additionalProperties":{
            "type":[
              "array",
              "boolean",
              "number",
              "object",
              "string",
              "null"
            ]
          }
        },
        "requestMetadata":{
          "type":[
            "object",
            "null"
          ],
          "description":"Unordered map of dynamically typed values.",
          "additionalProperties":{
            "type":[
              "array",
              "boolean",
              "number",
              "object",
              "string",
              "null"
            ]
          }
        },
        "result":{
          "type":[
            "object",
            "null"
          ],
          "description":"Unordered map of dynamically typed values.",
          "additionalProperties":{
            "type":[
              "array",
              "boolean",
              "number",
              "object",
              "string",
              "null"
            ]
          }
        }
      }
    }
  },
  "required":[
    "id",
    "source",
    "specversion",
    "type"
  ],
  "allOf":[
    {
      "if":{
        "required":[
          "type"
        ],
        "properties":{
          "type":{
            "const":"io.confluent.kafka.server/authentication"
          }
        }
      },
      "then":{
        "properties":{
          "data":{
            "type":"object",
            "description":"Additional details about the authentication check.",
            "properties":{
              "methodName":{
                "type":"string",
                "description":"The type of request being logged.",
                "examples":[
                  "kafka.Authentication"
                ]
              },
              "authenticationInfo":{
                "type":"object",
                "properties":{
                  "principal":{
                    "type":"string",
                    "description":"Identifies the authenticated principal.",
                    "examples":[
                      "User:12345",
                      "None:UNKNOWN_USER"
                    ]
                  },
                  "metadata":{
                    "type":"object",
                    "properties":{
                      "mechanism":{
                        "type":"string",
                        "description":"Authentication mechanism.",
                        "examples":[
                          "SASL_SSL/PLAIN",
                          "SASL_SSL/OAUTHBEARER"
                        ]
                      },
                      "identifier":{
                        "type":"string",
                        "description":"Identifies the numeric user ID or API key supplied by the requester.",
                        "examples":[
                          "MAIDSRFG53RXYTKR",
                          "12345"
                        ]
                      }
                    }
                  }
                }
              },
              "requestMetadata":{
                "type":"object",
                "properties":{
                  "client_address":{
                    "type":"string",
                    "description":"Ignore this field until further notice. The address of the client making the request. This field may be missing, or even if present, have an unhelpful value."
                  }
                }
              },
              "result":{
                "type":"object",
                "properties":{
                  "status":{
                    "type":"string",
                    "examples":[
                      "SUCCESS",
                      "UNAUTHENTICATED"
                    ]
                  },
                  "message":{
                    "type":"string",
                    "description":"Indicates the result status."
                  }
                }
              }
            }
          }
        }
      }
    },
    {
      "if":{
        "required":[
          "type"
        ],
        "properties":{
          "type":{
            "const":"io.confluent.kafka.server/authorization"
          }
        }
      },
      "then":{
        "properties":{
          "data":{
            "type":"object",
            "properties":{
              "methodName":{
                "type":"string",
                "description":"The type of request being logged.",
                "examples":[
                  "kafka.AlterConfigs",
                  "kafka.CreateAcls",
                  "kafka.CreateTopics",
                  "kafka.DeleteAcls",
                  "kafka.DeleteGroups"
                ]
              },
              "authenticationInfo":{
                "type":"object",
                "properties":{
                  "principal":{
                    "type":"string",
                    "description":"Identifies the authenticated principal that made the request.",
                    "examples":[
                      "User:12345"
                    ]
                  }
                }
              },
              "authorizationInfo":{
                "type":"object",
                "properties":{
                  "granted":{
                    "type":"boolean",
                    "description":"The result of the authorization check."
                  },
                  "operation":{
                    "$ref":"#/$defs/operation"
                  },
                  "resourceType":{
                    "type":"string",
                    "description":"The type of the resource being checked for authorization.",
                    "examples":[
                      "Cluster",
                      "Group",
                      "Topic"
                    ]
                  },
                  "resourceName":{
                    "type":"string",
                    "description":"The resource name of the checked authorization rule.",
                    "examples":[
                      "kafka-cluster",
                      "delivery-estimator",
                      "departures"
                    ]
                  },
                  "patternType":{
                    "type":"string",
                    "description":"The pattern, LITERAL or PREFIX, used to match the resource against the authorization rule.",
                    "examples":[
                      "LITERAL",
                      "PREFIX"
                    ]
                  },
                  "aclAuthorization":{
                    "type":"object",
                    "description":"Details about an ACL rule.",
                    "properties":{
                      "permissionType":{
                        "$ref":"#/$defs/permissionType"
                      },
                      "host":{
                        "$ref":"#/$defs/host"
                      }
                    }
                  },
                  "rbacAuthorization":{
                    "type":"object",
                    "properties":{
                      "role":{
                        "$ref":"#/$defs/role"
                      },
                      "scope":{
                        "type":"object",
                        "properties":{
                          "outerScope":{
                            "type":"array",
                            "description":"The path elements in the outer scopes with the outermost first",
                            "items":{
                              "type":"string"
                            }
                          }
                        },
                        "description":"The scope the action was authorized in"
                      }
                    }
                  },
                  "superUserAuthorization":{
                    "$ref":"#/$defs/superUserAuthorization"
                  }
                }
              },
              "request":{
                "type":"object",
                "properties":{
                  "clientId":{
                    "type":"string",
                    "description":"This is a user-supplied identifier for the client application. The user can use any identifier they like. This ID acts as a logical grouping across all requests from a particular client.",
                    "examples":[
                      "invoice-processor-admin",
                      "adminclient-42",
                      "the-replicator"
                    ]
                  },
                  "correlationId":{
                    "type":"string",
                    "description":"This is a user-supplied integer. It will be passed back in the response by the server, unmodified. It is useful for matching request and response between the client and server."
                  }
                }
              },
              "requestMetadata":{
                "type":"object",
                "properties":{
                  "client_address":{
                    "type":"string",
                    "description":"Ignore this field until further notice. The address of the client making the request. This field may be missing, or even if present, have an unhelpful value."
                  }
                }
              }
            }
          }
        }
      }
    },
    {
      "if":{
        "required":[
          "type"
        ],
        "properties":{
          "type":{
            "const":"io.confluent.cloud/request"
          }
        }
      },
      "then":{
        "properties":{
          "data":{
            "type":"object",
            "description":"Additional details about the cloud request",
            "properties":{
              "methodName":{
                "type":"string",
                "description":"The type of request being logged.",
                "examples":[
                  "CreateKafkaCluster",
                  "GetAPIKeys",
                  "DeleteEnvironment",
                  "CreateConnector",
                  "DeleteAPIKey"
                ]
              },
              "cloudResources":{
                "type":"array",
                "description":"The resource(s) or collection(s) targeted in the operation.",
                "items":{
                  "type":"object",
                  "properties":{
                    "scope":{
                      "type":"object",
                      "description":"Defines the scope of the action.",
                      "properties":{
                        "resources":{
                          "type":"array",
                          "description":"The list of cloud resources that define the scope of the action.",
                          "items":{
                            "$ref":"#/$defs/resource"
                          }
                        }
                      }
                    },
                    "resource":{
                      "$ref":"#/$defs/resource"
                    }
                  }
                }
              },
              "resourceName":{
                "type":"string",
                "description":"The resource identifier of the target of the request for compatibility with other request types. Will be deprecated in future."
              },
              "authenticationInfo":{
                "type":"object",
                "description":"Information about the principal and the credentials used to prove its identity.",
                "properties":{
                  "principal":{
                    "$ref":"#/$defs/principal",
                    "description":"Identifies the authenticated principal that is used for any authorization checks. Also identifies the authenticated principal that made the request, unless originalPrincipal is set."
                  },
                  "originalPrincipal":{
                    "$ref":"#/$defs/principal",
                    "description":"If set, indicates the original principal that made the request. Used for situations where one principal can assume the identity of a different principal."
                  },
                  "result":{
                    "description":"The result of authentication checks on the provided credentials.",
                    "enum":[
                      "UNSET",
                      "SUCCESS",
                      "FAILURE"
                    ]
                  },
                  "errorMessage":{
                    "type":"string",
                    "description":"A short, human-readable description of the reason authentication failed.",
                    "examples":[
                      "Authentication Failed. Wrong Credentials"
                    ]
                  },
                  "credentials":{
                    "$ref":"#/$defs/credentials"
                  }
                }
              },
              "authorizationInfo":{
                "type":"object",
                "description":"The result of this authorization check.",
                "properties":{
                  "result":{
                    "enum":[
                      "UNSET",
                      "ALLOW",
                      "DENY"
                    ]
                  },
                  "operation":{
                    "$ref":"#/$defs/operation"
                  }
                },
                "oneOf":[
                  {
                    "superUserAuthorization":{
                      "$ref":"#/$defs/superUserAuthorization"
                    }
                  },
                  {
                    "aclAuthorization":{
                      "type":"object",
                      "description":"An ACL rule that resulted in the authorization check being denied or allowed.",
                      "properties":{
                        "permissionType":{
                          "$ref":"#/$defs/permissionType"
                        },
                        "host":{
                          "$ref":"#/$defs/host"
                        },
                        "resourceType":{
                          "$ref":"#/$defs/resourceType"
                        },
                        "patternType":{
                          "$ref":"#/$defs/patternType"
                        },
                        "patternName":{
                          "$ref":"#/$defs/patternName"
                        }
                      }
                    }
                  },
                  {
                    "rbacAuthorization":{
                      "type":"object",
                      "description":"A RBAC rule that resulted in the authorization check being allowed.",
                      "properties":{
                        "role":{
                          "$ref":"#/$defs/role"
                        },
                        "cloudScope":{
                          "type":"array",
                          "description":"The list of cloud resources involved in the scope of an action.",
                          "items":{
                            "type":"object",
                            "properties":{
                              "type":{
                                "enum":[
                                  "ALL",
                                  "ORGANIZATION",
                                  "ENVIRONMENT",
                                  "CLOUD_CLUSTER",
                                  "USER",
                                  "SERVICE_ACCOUNT",
                                  "API_KEY",
                                  "KAFKA_CLUSTER",
                                  "TOPIC",
                                  "GROUP",
                                  "TRANSACTIONAL_ID",
                                  "SCHEMA_REGISTRY",
                                  "SUBJECT",
                                  "VERSION",
                                  "SCHEMA",
                                  "KSQL_CLUSTER",
                                  "QUERY",
                                  "STREAM",
                                  "TABLE",
                                  "TYPE",
                                  "VARIABLE",
                                  "CONNECT_CLUSTER",
                                  "CONNECTOR",
                                  "SECRET",
                                  "SECURITY_METADATA",
                                  "SSO_CONNECTION",
                                  "USER_INVITATION",
                                  "MARKETPLACE_ENTITLEMENT",
                                  "NETWORK",
                                  "PEERING",
                                  "PRIVATE_LINK_ACCESS",
                                  "TRANSIT_GATEWAY_ATTACHMENT"
                                ]
                              },
                              "resourceId":{
                                "type":"string",
                                "description":"Resource Identifier",
                                "examples":[
                                  "sa-8191a",
                                  "lkc-a1b2c"
                                ]
                              }
                            }
                          }
                        },
                        "resourceType":{
                          "$ref":"#/$defs/resourceType"
                        },
                        "patternType":{
                          "$ref":"#/$defs/patternType"
                        },
                        "patternName":{
                          "$ref":"#/$defs/patternName"
                        }
                      }
                    }
                  }
                ]
              },
              "requestMetadata":{
                "type":"object",
                "properties":{
                  "connectionId":{
                    "type":"string",
                    "description":"Uniquely identifies an authenticated connection. Only present for successfully authenticated connections."
                  },
                  "requestId":{
                    "type":"array",
                    "description":"Uniquely identifies a client request.",
                    "items":{
                      "type":"string"
                    }
                  },
                  "clientAddress":{
                    "type":"array",
                    "description":"Network address of the remote client.",
                    "items":{
                      "type":"object",
                      "properties":{
                        "ip":{
                          "type":"string",
                          "description":"IPv4 or IPv6 address.",
                          "anyOf":[
                            {
                              "format":"ipv4"
                            },
                            {
                              "format":"ipv6"
                            }
                          ]
                        },
                        "port":{
                          "type":"number",
                          "description":"Port number, if known."
                        }
                      }
                    }
                  },
                  "clientId":{
                    "type":"string",
                    "description":"A client-provided identifier, logged for correlation, as a courtesy to the client."
                  },
                  "clientTraceId":{
                    "type":"string",
                    "description":"A client-provided identifier, logged for correlation, as a courtesy to the client."
                  }
                }
              },
              "request":{
                "type":"object",
                "description":"Describes additional audit-worthy details about the request.",
                "properties":{
                  "accessType":{
                    "description":"The type of the request",
                    "enum":[
                      "UNKNOWN",
                      "READ_ONLY",
                      "MODIFICATION"
                    ]
                  },
                  "data":{
                    "type":[
                      "object",
                      "null"
                    ],
                    "description":"Audit-worthy details from the request. There are currently no guarantees of backwards-compatibility on the contents of this field. The contents of this field should not be relied on for any programmatic access.",
                    "additionalProperties":{
                      "type":[
                        "array",
                        "boolean",
                        "number",
                        "object",
                        "string",
                        "null"
                      ]
                    }
                  }
                }
              },
              "result":{
                "type":"object",
                "description":"Describes the result of the overall operation (i.e. success, failure, etc) along with any audit-worthy details. For example, this field contains the resource identifier of a newly created resource from a CREATE request.",
                "properties":{
                  "status":{
                    "description":"The status of the result.",
                    "enum":[
                      "UNSET",
                      "SUCCESS",
                      "FAILURE"
                    ]
                  },
                  "data":{
                    "type":[
                      "object",
                      "null"
                    ],
                    "description":"Audit-worthy details from the operation's result. There are currently no guarantees of backwards-compatibility on the contents of this field. The contents of this field should not be relied on for any programmatic access.",
                    "additionalProperties":{
                      "type":[
                        "array",
                        "boolean",
                        "number",
                        "object",
                        "string",
                        "null"
                      ]
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  ],
  "$defs":{
    "user":{
      "type":"object",
      "properties":{
        "resourceId":{
          "type":"string",
          "description":"Resource identifier",
          "examples":[
            "u-8191a"
          ]
        }
      }
    },
    "operation":{
      "type":"string",
      "description":"Identifies the operation being checked for authorization.",
      "examples":[
        "Alter",
        "AlterConfigs",
        "Create",
        "Delete",
        "DescribeConfigs"
      ]
    },
    "resourceType":{
      "type":"string",
      "description":"The type of the resource being checked for authorization.",
      "examples":[
        "Cluster",
        "Group",
        "Topic"
      ]
    },
    "resourceName":{
      "type":"string",
      "description":"The resource name of the checked authorization rule.",
      "examples":[
        "kafka-cluster",
        "delivery-estimator",
        "departures"
      ]
    },
    "patternType":{
      "type":"string",
      "description":"The pattern, LITERAL or PREFIX, used to match the resource against the authorization rule.",
      "examples":[
        "LITERAL",
        "PREFIX"
      ]
    },
    "patternName":{
      "type":"string",
      "description":"The resource name or prefix matched by this ACL rule.",
      "examples":[
        "*"
      ]
    },
    "permissionType":{
      "type":"string",
      "examples":[
        "ALLOW",
        "DENY"
      ]
    },
    "host":{
      "type":"string",
      "description":"Host to which the ACL rule applies, usually wildcard (*).",
      "examples":[
        "*"
      ]
    },
    "role":{
      "type":"string",
      "description":"A role that the principal has, granting authorization to perform the operation on the resource.",
      "examples":[
        "OrganizationAdmin",
        "EnvironmentAdmin",
        "CloudClusterAdmin",
        "MetricsViewer"
      ]
    },
    "resource":{
      "type":"object",
      "description":"The actual resource affected within the identified scope.",
      "properties":{
        "type":{
          "enum":[
            "ALL",
            "ORGANIZATION",
            "ENVIRONMENT",
            "CLOUD_CLUSTER",
            "USER",
            "SERVICE_ACCOUNT",
            "API_KEY",
            "KAFKA_CLUSTER",
            "TOPIC",
            "GROUP",
            "TRANSACTIONAL_ID",
            "SCHEMA_REGISTRY",
            "SUBJECT",
            "VERSION",
            "SCHEMA",
            "KSQL_CLUSTER",
            "QUERY",
            "STREAM",
            "TABLE",
            "TYPE",
            "VARIABLE",
            "CONNECT_CLUSTER",
            "CONNECTOR",
            "SECRET",
            "SECURITY_METADATA",
            "SSO_CONNECTION",
            "USER_INVITATION",
            "MARKETPLACE_ENTITLEMENT",
            "NETWORK",
            "PEERING",
            "PRIVATE_LINK_ACCESS",
            "TRANSIT_GATEWAY_ATTACHMENT"
          ]
        },
        "resourceId":{
          "type":"string",
          "description":"Resource Identifier",
          "examples":[
            "sa-8191a",
            "lkc-a1b2c"
          ]
        }
      }
    },
    "principal":{
      "type":"object",
      "properties":{
        "email":{
          "type":"string",
          "description":"Email address of the principal.",
          "examples":[
            "abc@confluent.io"
          ]
        },
        "confluentUser":{
          "$ref":"#/$defs/user"
        },
        "confluentServiceAccount":{
          "$ref":"#/$defs/user"
        },
        "externalAccount":{
          "type":"object",
          "properties":{
            "namespace":{
              "type":"array",
              "items":{
                "type":"object",
                "properties":{
                  "type":{
                    "type":"string",
                    "examples":[
                      "idp",
                      "tenant"
                    ]
                  },
                  "id":{
                    "type":"string",
                    "examples":[
                      "confluent.cloud",
                      "a2efbdb2-af88-4b38-99a4-9a1e9d700963"
                    ]
                  }
                }
              }
            },
            "subject":{
              "type":"string",
              "description":"Identity of the requesting party, known to the IdP.",
              "examples":[
                "bilbo.baggins",
                "harry.potter"
              ]
            }
          }
        }
      },
      "oneOf":[
        {
          "required":[
            "confluentServiceAccount"
          ]
        },
        {
          "required":[
            "confluentUser"
          ]
        },
        {
          "required":[
            "externalAccount"
          ]
        }
      ]
    },
    "credentials":{
      "type":"object",
      "description":"Information sent to prove the identity of the principal.",
      "oneOf":[
        {
          "idSecretCredentials":{
            "type":"object",
            "properties":{
              "credentialId":{
                "type":"string",
                "description":"Identifies the credential",
                "examples":[
                  "bilbo.baggins",
                  "harry.potter"
                ]
              }
            }
          }
        },
        {
          "idTokenCredentials":{
            "type":"object",
            "properties":{
              "type":{
                "type":"string",
                "description":"The type of the Id Token Credential. JWT for the foreseeable future.",
                "examples":[
                  "JWT"
                ]
              },
              "issuer":{
                "type":"string",
                "description":"Who signed the token."
              },
              "subject":{
                "type":"string",
                "description":"Identifies the principal."
              },
              "audience":{
                "type":"array",
                "items":{
                  "type":"string"
                }
              }
            }
          }
        },
        {
          "certificateCredentials":{
            "type":"object",
            "properties":{
              "dname":{
                "type":"object",
                "description":"The principal identified by this certificate.",
                "properties":{
                  "cn":{
                    "type":"string",
                    "description":"Common name"
                  },
                  "ou":{
                    "type":"string",
                    "description":"Organizational unit"
                  },
                  "o":{
                    "type":"string",
                    "description":"Organization"
                  },
                  "l":{
                    "type":"string",
                    "description":"Locality"
                  },
                  "st":{
                    "type":"string",
                    "description":"State or province"
                  },
                  "c":{
                    "type":"string",
                    "description":"Country"
                  }
                }
              }
            }
          }
        },
        {
          "delegateCredentials":{
            "type":"object",
            "properties":{
              "delegatePrincipal":{
                "type":"object",
                "description":"Identifies the authenticated principal that made the request.",
                "properties":{
                  "email":{
                    "type":"string",
                    "description":"Email address of the principal.",
                    "examples":[
                      "abc@confluent.io"
                    ]
                  },
                  "oneOf":[
                    {
                      "confluentUser":{
                        "type":"object",
                        "properties":{
                          "resourceId":{
                            "type":"string",
                            "description":"Resource identifier",
                            "examples":[
                              "u-8191a"
                            ]
                          }
                        }
                      }
                    },
                    {
                      "confluentServiceAccount":{
                        "type":"object",
                        "properties":{
                          "resourceId":{
                            "type":"string",
                            "description":"Resource identifier",
                            "examples":[
                              "u-8191a"
                            ]
                          }
                        }
                      }
                    },
                    {
                      "externalAccount":{
                        "type":"object",
                        "properties":{
                          "namespace":{
                            "type":"array",
                            "items":{
                              "type":"object",
                              "properties":{
                                "type":{
                                  "type":"string",
                                  "examples":[
                                    "idp",
                                    "tenant"
                                  ]
                                },
                                "id":{
                                  "type":"string",
                                  "examples":[
                                    "confluent.cloud",
                                    "a2efbdb2-af88-4b38-99a4-9a1e9d700963"
                                  ]
                                }
                              }
                            }
                          },
                          "subject":{
                            "type":"string",
                            "description":"Identity of the requesting party, known to the IdP.",
                            "examples":[
                              "bilbo.baggins",
                              "harry.potter"
                            ]
                          }
                        }
                      }
                    }
                  ]
                }
              },
              "delegateCredentials":{
                "$ref":"#/$defs/credentials"
              }
            }
          }
        }
      ],
      "properties":{
        "mechanism":{
          "enum":[
            "UNSET",
            "SASL_PLAIN",
            "SASL_SCRAM",
            "SASL_OAUTHBEARER",
            "SASL_GSSAPI",
            "MTLS",
            "HTTP_BASIC",
            "HTTP_BEARER"
          ]
        }
      }
    },
    "superUserAuthorization":{
      "type":"boolean",
      "description":"If true, access was authorized because principal is a super-user."
    }
  }
}
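An added example (not part of Confluent's documentation or schema): Python that enforces the `oneOf` choices declared above for `principal` and `credentials` and walks nested `delegateCredentials`, so a log consumer can see which principal and mechanism appear at each hop. It assumes `#/$defs/user` carries `resourceId`; the function names and the sample record are constructed for illustration.

```python
# Key names and enum values below are copied from the schema above.
PRINCIPAL_KINDS = ("confluentUser", "confluentServiceAccount", "externalAccount")
CREDENTIAL_KINDS = ("idSecretCredentials", "idTokenCredentials",
                    "certificateCredentials", "delegateCredentials")
MECHANISMS = {"UNSET", "SASL_PLAIN", "SASL_SCRAM", "SASL_OAUTHBEARER",
              "SASL_GSSAPI", "MTLS", "HTTP_BASIC", "HTTP_BEARER"}

def exactly_one(obj, keys, what):
    """Enforce a oneOf: exactly one of `keys` must be present in `obj`."""
    present = [k for k in keys if k in obj]
    if len(present) != 1:
        raise ValueError(f"{what}: expected exactly one of {keys}, got {present}")
    return present[0]

def principal_id(principal):
    """Return (kind, identifier) for a principal or delegatePrincipal object."""
    kind = exactly_one(principal, PRINCIPAL_KINDS, "principal")
    body = principal[kind]
    if kind == "externalAccount":
        # namespace is an array of {type, id}; subject is the identity known to the IdP.
        ns = "/".join(f"{n.get('type')}={n.get('id')}" for n in body.get("namespace", []))
        return kind, f"{ns}/{body.get('subject')}"
    # Assumption: #/$defs/user has resourceId, like the delegatePrincipal branches.
    return kind, body.get("resourceId")

def credential_chain(credentials, max_depth=8):
    """Walk nested delegateCredentials; one dict per hop, outermost first."""
    hops = []
    while credentials is not None:
        if len(hops) >= max_depth:
            raise ValueError("delegateCredentials nesting exceeds max_depth")
        mech = credentials.get("mechanism")
        if mech is not None and mech not in MECHANISMS:
            raise ValueError(f"unknown mechanism {mech!r}")
        kind = exactly_one(credentials, CREDENTIAL_KINDS, "credentials")
        hop = {"mechanism": mech, "credential": kind}
        nxt = None
        if kind == "delegateCredentials":
            delegate = credentials[kind]
            hop["delegate"] = principal_id(delegate.get("delegatePrincipal", {}))
            nxt = delegate.get("delegateCredentials")
        hops.append(hop)
        credentials = nxt
    return hops

# Constructed sample, reusing example values from the schema.
SAMPLE = {"mechanism": "HTTP_BEARER", "delegateCredentials": {
    "delegatePrincipal": {"confluentUser": {"resourceId": "u-8191a"}},
    "delegateCredentials": {"mechanism": "SASL_PLAIN",
                            "idSecretCredentials": {"credentialId": "bilbo.baggins"}}}}
```

Records that name zero or several principal or credential kinds, or a mechanism outside the enum, raise `ValueError` so they can be routed for review instead of being attributed to the wrong identity.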