redpanda-data · michael-redpanda · Nov 1, 2022 · Feb 7, 2025
diff --git a/src/v/pandaproxy/rest/proxy.cc b/src/v/pandaproxy/rest/proxy.cc
@@ -30,6 +30,8 @@ namespace pandaproxy::rest {
 
 using server = proxy::server;
 
+ss::logger rest_proxy_access("rest_proxy_access");
+
 const security::acl_principal principal{
   security::principal_type::ephemeral_user, "__pandaproxy"};
 
@@ -123,7 +125,8 @@ proxy::proxy(
       "header",
       "/definitions",
       _ctx,
-      json::serialization_format::application_json)
+      json::serialization_format::application_json,
+      rest_proxy_access)
   , _ensure_started{[this]() { return do_start(); }}
   , _controller(controller) {
     _inflight_config_binding.watch([this]() {

diff --git a/src/v/pandaproxy/schema_registry/handlers.cc b/src/v/pandaproxy/schema_registry/handlers.cc
@@ -29,6 +29,8 @@
 #include <seastar/core/future.hh>
 #include <seastar/core/sstring.hh>
 
+#include <absl/strings/escaping.h>
+
 #include <limits>
 
 namespace ppj = pandaproxy::json;
@@ -425,6 +427,7 @@ post_subject(server::request_t rq, server::reply_t rp) {
     try {
         auto unparsed = co_await ppj::rjson_parse(
           std::move(rq.req), post_subject_versions_request_handler<>{sub});
+        vlog(rq.service().access_logger().trace, "{}", unparsed.def);
         schema = co_await rq.service().schema_store().make_canonical_schema(
           std::move(unparsed.def), norm);
     } catch (const exception& e) {
@@ -465,6 +468,7 @@ post_subject_versions(server::request_t rq, server::reply_t rp) {
 
     auto unparsed = co_await ppj::rjson_parse(
       std::move(rq.req), post_subject_versions_request_handler<>{sub});
+    vlog(rq.service().access_logger().trace, "{}", unparsed.def);
 
     // If presented with a non-positive integer for version, set it to
     // invalid_schema_version so that the version number can be projected
@@ -522,6 +526,9 @@ ss::future<ctx_server<service>::reply_t> get_subject_versions_version(
           sub, version, inc_del);
     });
 
+    auto str = fmt::format("{}", get_res.schema);
+    vlog(rq.service().access_logger().trace, "{}", absl::CEscape(str));
+
     rp.rep->write_body(
       "json",
       ppj::rjson_serialize(post_subject_versions_version_response{
@@ -548,6 +555,9 @@ ss::future<ctx_server<service>::reply_t> get_subject_versions_version_schema(
     auto get_res = co_await rq.service().schema_store().get_subject_schema(
       sub, version, inc_del);
 
+    auto str = fmt::format("{}", get_res.schema);
+    vlog(rq.service().access_logger().trace, "{}", absl::CEscape(str));
+
     rp.rep->write_body(
       "json", ppj::as_body_writer(std::move(get_res.schema).def().raw()()));
     co_return rp;
@@ -653,6 +663,7 @@ compatibility_subject_version(server::request_t rq, server::reply_t rp) {
         .value_or(verbose::no)};
     auto unparsed = co_await ppj::rjson_parse(
       std::move(rq.req), post_subject_versions_request_handler<>{sub});
+    vlog(rq.service().access_logger().trace, "{}", unparsed.def);
 
     // Must read, in case we have the subject in cache with an outdated config
     co_await rq.service().writer().read_sync();

diff --git a/src/v/pandaproxy/schema_registry/service.cc b/src/v/pandaproxy/schema_registry/service.cc
@@ -42,11 +42,13 @@
 #include <seastar/coroutine/parallel_for_each.hh>
 #include <seastar/http/api_docs.hh>
 #include <seastar/http/exception.hh>
+#include <seastar/util/log.hh>
 #include <seastar/util/noncopyable_function.hh>
 
 namespace pandaproxy::schema_registry {
 
 static constexpr auto audit_svc_name = "Redpanda Schema Registry Service";
+ss::logger schema_registry_access{"schema_registry_access"};
 
 using server = ctx_server<service>;
 const security::acl_principal principal{
@@ -620,7 +622,8 @@ service::service(
       "schema_registry_header",
       "/schema_registry_definitions",
       _ctx,
-      json::serialization_format::schema_registry_v1_json)
+      json::serialization_format::schema_registry_v1_json,
+      schema_registry_access)
   , _store(store)
   , _writer(sequencer)
   , _controller(controller)
@@ -658,4 +661,6 @@ kafka::client::configuration& service::client_config() {
     return _client.local().config();
 }
 
+ss::logger& service::access_logger() { return schema_registry_access; }
+
 } // namespace pandaproxy::schema_registry
diff --git a/src/v/pandaproxy/schema_registry/service.h b/src/v/pandaproxy/schema_registry/service.h
@@ -59,6 +59,7 @@ class service : public ss::peering_sharded_service<service> {
     security::audit::audit_log_manager& audit_mgr() {
         return _audit_mgr.local();
     }
+    ss::logger& access_logger();
 
 private:
     ss::future<> do_start();

diff --git a/src/v/pandaproxy/server.cc b/src/v/pandaproxy/server.cc
@@ -22,13 +22,15 @@
 #include <seastar/http/function_handlers.hh>
 #include <seastar/http/reply.hh>
 #include <seastar/net/tls.hh>
+#include <seastar/util/log.hh>
 
 #include <fmt/chrono.h>
 #include <fmt/ranges.h>
 
 #include <charconv>
 #include <exception>
 #include <memory>
+#include <type_traits>
 
 namespace pandaproxy {
 
@@ -77,12 +79,14 @@ struct handler_adaptor : ss::httpd::handler_base {
       server::function_handler&& handler,
       ss::httpd::path_description& path_desc,
       const ss::sstring& metrics_group_name,
-      json::serialization_format exceptional_mime_type)
+      json::serialization_format exceptional_mime_type,
+      ss::logger& log)
       : _pending_requests(pending_requests)
       , _ctx(ctx)
       , _handler(std::move(handler))
       , _probe(path_desc, metrics_group_name)
-      , _exceptional_mime_type(exceptional_mime_type) {}
+      , _exceptional_mime_type(exceptional_mime_type)
+      , _log(log) {}
 
     ss::future<std::unique_ptr<ss::http::reply>> handle(
       const ss::sstring&,
@@ -112,6 +116,16 @@ struct handler_adaptor : ss::httpd::handler_base {
             co_return std::move(rp.rep);
         }
         auto sem_units = co_await ss::get_units(_ctx.mem_sem, req_size);
+
+        // Username is empty 'cos auth wrapper happens later :'()
+        auto access_log = ssx::sformat(
+          R"("{} {} {} {} HTTP/{}")",
+          rq.req->get_client_address().addr(),
+          rq.user.name,
+          rq.req->_method,
+          rq.req->_url,
+          rq.req->_version);
+
         if (_ctx.as.abort_requested()) {
             set_reply_unavailable(*rp.rep);
             rp.mime_type = _exceptional_mime_type;
@@ -133,6 +147,13 @@ struct handler_adaptor : ss::httpd::handler_base {
             rp = server::reply_t{exception_reply(ex), _exceptional_mime_type};
         }
         set_and_measure_response(rp);
+        vlog(
+          _log.trace,
+          "{} {} {}",
+          access_log,
+          static_cast<std::underlying_type_t<ss::http::reply::status_type>>(
+            rp.rep->_status),
+          rp.rep->_content.size());
         co_return std::move(rp.rep);
     }
 
@@ -141,6 +162,7 @@ struct handler_adaptor : ss::httpd::handler_base {
     server::function_handler _handler;
     probe _probe;
     json::serialization_format _exceptional_mime_type;
+    ss::logger& _log;
 };
 
 server::server(
@@ -150,15 +172,17 @@ server::server(
   const ss::sstring& header,
   const ss::sstring& definitions,
   context_t& ctx,
-  json::serialization_format exceptional_mime_type)
+  json::serialization_format exceptional_mime_type,
+  ss::logger& log)
   : _server(server_name)
   , _public_metrics_group_name(public_metrics_group_name)
   , _pending_reqs()
   , _api20(std::move(api20))
   , _has_routes(false)
   , _ctx(ctx)
   , _exceptional_mime_type(exceptional_mime_type)
-  , _probe{} {
+  , _probe{}
+  , _log(log) {
     _api20.set_api_doc(_server._routes);
     _api20.register_api_file(_server._routes, header);
     _api20.add_definitions_file(_server._routes, definitions);
@@ -177,7 +201,8 @@ void server::route(server::route_t r) {
       std::move(r.handler),
       r.path_desc,
       _public_metrics_group_name,
-      _exceptional_mime_type);
+      _exceptional_mime_type,
+      _log);
     r.path_desc.set(_server._routes, handler);
 }
 

diff --git a/src/v/pandaproxy/server.h b/src/v/pandaproxy/server.h
@@ -121,7 +121,8 @@ class server {
       const ss::sstring& header,
       const ss::sstring& definitions,
       context_t& ctx,
-      json::serialization_format exceptional_mime_type);
+      json::serialization_format exceptional_mime_type,
+      ss::logger& log);
 
     void route(route_t route);
     void routes(routes_t&& routes);
@@ -141,6 +142,7 @@ class server {
     context_t& _ctx;
     json::serialization_format _exceptional_mime_type;
     std::unique_ptr<server_probe> _probe;
+    ss::logger& _log;
 };
 
 template<typename service_t>