Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

clean up#5357

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Closed
Kira-Pilot wants to merge2 commits intomainfromaudit-group-users/kira-pilot
Closed

clean up#5357

Kira-Pilot wants to merge2 commits intomainfromaudit-group-users/kira-pilot

Conversation

Kira-Pilot
Copy link
Member

@Kira-PilotKira-Pilot commentedDec 8, 2022
edited
Loading

resolves#4736

Previously, we were logging audit entries for updates to the user table, but not to the user members table. This meant that if someone updated a group by adding or removing members, these changes weren't logged.

This PR adds member logging. We keep the diff for members under the Group resource as this is most intuitive for the auditor.

Screen Shot 2022-12-08 at 11 07 47 AM

NOTE: unsure why theTestAuthorizeAllEndpoints test is failing - any ideas?

}
} else {
logger.Warn(logCtx, "marshal group member diff", slog.Error(err))
}
Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Is there a better way to log here so that I don't have to pass throughlogCtx andlogger?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Nah, it's on purpose though. The context can potentially hold fields that the logger can use.

Kira-Pilot reacted with thumbs up emoji
HasGroupMemberChange: hasGroupMemberChange,
GroupMemberLists: wriBytes,
})

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

A pain point here is that if this request fails sometime before line 115, we won't get an audit log signifying the failure. I'm not sure how to get around this, given we want to pass some computational stuff in (GroupMemberLists).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

What if instead of usingdatabase.Group here we instead made[]database.GroupMember auditable? I think this might solve a lot of the jankiness of needing hardcoded stuff for group members.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This might take some work adding support for slices in the diff code.

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

@coadler I was trying to avoid having another auditable resource; however, I'm down to make the change because I agree - it would simplify a lot. In general, do you have any opinions about how many auditable resources we should have? I don't want to bloat the feature but maybe that's less of a concern than I think it is.

@Kira-PilotKira-Pilot requested a review froma teamDecember 9, 2022 15:17
HasGroupMemberChange: hasGroupMemberChange,
GroupMemberLists: wriBytes,
})

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

What if instead of usingdatabase.Group here we instead made[]database.GroupMember auditable? I think this might solve a lot of the jankiness of needing hardcoded stuff for group members.

}
} else {
logger.Warn(logCtx, "marshal group member diff", slog.Error(err))
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Nah, it's on purpose though. The context can potentially hold fields that the logger can use.

Kira-Pilot reacted with thumbs up emoji

// Adds a 'members' key to Group resource diffs
// in order to capture the addition or removal of group members
func addGroupMemberDiff(logCtx context.Context, diff Map, groupMemberLists json.RawMessage, logger slog.Logger) Map {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

The context should normally just be calledctx, and the context + logger should always be the first and second fields.

Suggested change
funcaddGroupMemberDiff(logCtx context.Context,diffMap,groupMemberLists json.RawMessage,logger slog.Logger)Map {
funcaddGroupMemberDiff(ctx context.Context,logger slog.Logger,diffMap,groupMemberLists json.RawMessage)Map {

Kira-Pilot reacted with thumbs up emoji
@Kira-Pilot
Copy link
MemberAuthor

Closing this for now as we discuss two other solutions:

  1. making[]database.GroupMember auditable
  2. a solution arising from this discussion:Comprehensive side effect audit logging #5419

@github-actionsgithub-actionsbot locked and limited conversation to collaboratorsJan 3, 2023
@Kira-PilotKira-Pilot deleted the audit-group-users/kira-pilot branchFebruary 23, 2023 17:27
Sign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.
Reviewers

@coadlercoadlercoadler left review comments

@sreyasreyaAwaiting requested review from sreya

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

audit: updating users in a group should generate an audit log diff
2 participants
@Kira-Pilot@coadler
[8]ページ先頭
©2009-2025 Movatter.jp