Clients can corrupt the audit log

As discussed in this PR, it is possible for a client (authenticated or not) to "SPAM" and corrupt the audit log.

As far as I can tell, the following works on any server, because the digest provider is always active and accepts (almost) arbitrary strings:

addauth digest veryimportant@EXAMPLE.COM:whatever
create /dangerousnode

Note that "whatever" in the example above doesn't have to be a known or valid password. Similarly, the string to the left of : is not validated in any way; it is just copied as-is into the Id associated with the connection.

This results in entries akin to the following in the audit log:

2020-10-15 09:40:43,173 INFO audit.Log4jAuditLogger: session=0x100eefe34a40000	user=zkcli@CROSSTWINE.COM,veryimportant@EXAMPLE.COM,0:0:0:0:0:0:0:1	ip=0:0:0:0:0:0:0:1	operation=create	znode=/dangerousnode	znode_type=persistent	result=success

Note how the scheme is not mentioned; all that is visible is the "user name" part of the Id.

This could lead an hypothetical audit application to conclude that it was okay for that connection to create /dangerousnode because it was "seriously" authenticated as veryimportant@EXAMPLE.COM.

It is possible to use that loophole to corrupt the audit log in various ways, including creating fake entries. It is not even necessary to use a dedicated client; Ctrl+Q Ctrl+J can cause literal newlines to be inserted via zkCli.sh:

addauth digest "fakeid^JTHIS REALLY SHOULDN'T BE THERE:whatever"

The result is a "two-line entry" in the audit log:

2020-10-16 21:42:06,546 INFO audit.Log4jAuditLogger: session=0x100f6b85af80001 user="fakeid
THIS REALLY SHOULDN'T BE THERE,zkcli@CROSSTWINE.COM,0:0:0:0:0:0:0:1 ip=0:0:0:0:0:0:0:1	operation=create	znode=/yolo4	znode_type=persistent	result=success

I would suggest:

1. Adding a setting which allows disabling the digest provider on production servers;
2. Filtering (or quoting/escaping/censoring) the user names/principals which are written to the audit log (by scheme, or perhaps by dangerous characters).