audit: Fixed audit misconfigured state logic
The audit log system requires that the Redpanda cluster is configured
to use SASL/SCRAM authentication.  This is due to permissions applied to
the audit log topic (only permitting the audit log system to produce to
the audit log topic).  When the internal k/client attempts to connect
to the node and it reports "illegal_sasl_state", the audit system flags
that the audit system is misconfigured. This prevents audit messages
from being enqueued into the audit system and in turn ensures that the
unaudited action is not performed (that's important).

Originally, if the next error message seen is not "illegal_sasl_state"
then the flag is unset.  However, after reconnect the client may see
"broker_not_available" and then "illegal_sasl_state".  This commit
changes the behavior to wait for neither "illegal_sasl_state" nor
"broker_not_available" to be seen before unsetting the flag.

Signed-off-by: Michael Boquard <michael@redpanda.com>
michael-redpanda committed Sep 10, 2024
1 parent e94717d commit 51de7bb
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion src/v/security/audit/audit_log_manager.cc
Expand Up @@ -297,7 +297,9 @@ ss::future<> audit_client::update_status(kafka::error_code errc) {
}
} else if (_last_errc == kafka::error_code::illegal_sasl_state) {
/// The status changed from erraneous to anything else
if (errc != kafka::error_code::illegal_sasl_state) {
if (
errc != kafka::error_code::illegal_sasl_state
&& errc != kafka::error_code::broker_not_available) {
co_await _sink->update_auth_status(
audit_sink::auth_misconfigured_t::no);
}
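Review bot: The new `errc != kafka::error_code::broker_not_available` clause sits inside the `else if (_last_errc == kafka::error_code::illegal_sasl_state)` branch, so it only works if `_last_errc` is not overwritten with `broker_not_available` on that same call, and the assignment of `_last_errc` is not visible in this hunk. If it is overwritten, the sequence illegal_sasl_state, broker_not_available, then a non-error code would no longer enter this branch, and `update_auth_status(audit_sink::auth_misconfigured_t::no)` would not run, leaving the misconfigured flag set and audited actions blocked. Please confirm where `_last_errc` is updated, and add a test covering both that sequence and the illegal_sasl_state, broker_not_available, illegal_sasl_state sequence described in the commit message. The comment above the condition ("The status changed from erraneous to anything else") no longer matches the check and should be updated to name the two excluded codes; "erraneous" should also read "erroneous".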