Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Comprehensive side effect audit logging#5419

Emyrk started this conversation inRFCs
Dec 14, 2022· 3 comments· 10 replies
Discussion options

Emyrk
Dec 14, 2022
Collaborator

Problem

Currently audit logging is initiated per route. This means that each route has at most1 audit event created.However, single http request can cause multiple changes to multiple entities. This is currently not being tracked.

Examples

Create workspace

Create workspace has multiple db changes;workspace,parameters,provisioner_job, andworkspace_build. Onlyworkspace is logged even though 4 different db changes are made.

These tables can be updated in other routes and generate different audit log events (egworkspace_build). But because it is a side effect in thecreate workspace route, it is not logged the same as it is inupdate workspace.

Question

Should we design/implement a way to audit log side effects?

Example

Create workspace

An audit log for the create workspace should be made, as that is theuser action. Side effects of the provisioner job and workspace build should also be logged so that they can be tracked in the context of the original user action.

Now aprovisioner can be searched to see what jobs it ran and see the original context for each job. Without the linking and side effect audit logs, these jobs are impossible to track the origin because only theworkspace diff and id are logged.

Proposal

Linked audit logs (parent -> child or primary -> secondary)

Allow creating linked audit logs with an optionalparent_id field. Setting aparent_id of an audit log allows relating to a primary action. In the UI only parent logs should be shown. Children logs should be hidden under some sort of "toggle" to see all side effects of a primary action.

We should not allow infinite nesting, and only allow 1 level of "children" logs. We do not want to build full tracing here.

Linked audit log table

A new audit log table for these secondary audit logs would be created.

audit_diffs- primary_log (id)- resource_id- resource_type (string)- diff- succeeded true/false

Other ideas?

You got any?

You must be logged in to vote

Replies: 3 comments 10 replies

Comment options

So glad you brought this up! It's definitely a pain point. Some color:

  1. As you may be aware, we doactually log workspace build jobs, but you're absolutely right: they're not really associated with theworkspace resource in any way. As a result, we are missing some information that would be nice to have, e.g.the IP address associated with the request.
  2. I'm running into this issue right now as I try to auditgroup_members, which exist in a table separate fromgroup. You can see some discussion in theopen PRwhere we consider the pros and cons of adding another auditable resource.

So pain points from my end are scaling (how many auditable resources do we really want) and UX (how many audit log lines do we really want; how can we make associations between log items clear; how do we handle filtering).

You must be logged in to vote
2 replies
@Emyrk
Comment options

EmyrkDec 14, 2022
Collaborator Author

Thank you for the extra context links.

A thought on secondary audit events is that many can be implemented on the persistence layer itself. So every change to the db will automatically drop these logs.

You bring up even more points of "secondary events" such as failed jobs. This would give the provisioner a way to drop an audit logs as a failed event relating to the primary user action.

This does bring up a question though. Should the provisioner log show in the UI as it's own row? Or underneath theCreate Workspac audit log row in some toggle?

@Kira-Pilot
Comment options

I like the idea of toggling because I actually think it might keep the UI simpler. What I would like to avoid is having to put in a bunch of filtering so users can make sense of the view - as@spikecurtis mentioned below, most filtering is probably going to be done in Splunk. IDK though - warrants more thought.

Comment options

In the RFC, we set thisas a requirement, and the proposed solution was to generate a RequestID that would tie together multiple logs if the request resulted in multiple actions.

You must be logged in to vote
8 replies
@Emyrk
Comment options

EmyrkDec 14, 2022
Collaborator Author

It does seem like we might have to store therequest_id or whatever ID is linking the audit logs in the db somewhere.

Originally I was thinking it can all go on thectx, but@Kira-Pilot brings up examples where that is not the case.

@spikecurtis
Comment options

I mean, we should already be storing it on the Audit Logs, but in the case that a request writes something to the database which then gets picked up by some background process (e.g. builds) then yes, the job that gets picked up would need the request ID.

@Emyrk
Comment options

EmyrkDec 16, 2022
Collaborator Author

I do like the idea ofrequest_id since it allows linking audit logs to other things too.

I still think there is value inprimary andsecondary, not just for a UI purpose. Theprimary action should be something a user can do in the product and makes intuitive sense.secondary audit logs should be granular and might only make sense to a more technical user.

@bpmct
Comment options

Have we done any investigation into how other products that often involve linked, async requests handle their audit logs (e.g. CI vendors (e.g. circleci), git providers (e.g. gitlab), or identify-based access tools (e.g. teleport)?

I'm personally curious if there are any patterns in how they link/relate logs, mostly to ensure that we don't do something bespoke that may be confusing for customers who are used to consuming logs from these other platforms (via the UI, consuming via the API, or ingesting into Splunk/StackDriver)

@Emyrk
Comment options

EmyrkDec 19, 2022
Collaborator Author

@bpmct I have not, but this is essentially tracing which is rather normal. The onlyflair is how we present it on our UI

Comment options

Emyrk
Dec 21, 2022
Collaborator Author

Another reason for this is we logLogin events for v1, but signing-out is logged as anapi-keydelete action. It would be better to be consistent and have alogout audit log, but the actual action deletes 1 or more api keys.

If we can link audit log actions, then we could have alogin andlogout event with the api key creation/deletes logged separately.

You must be logged in to vote
0 replies
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Category
RFCs
Labels
needs decisionNeeds a higher-level decision to be unblocked.design neededRequest for more beautyenterpriseEnterprise-license / premium functionality
4 participants
@Emyrk@spikecurtis@Kira-Pilot@bpmct
[8]ページ先頭
©2009-2025 Movatter.jp