chore: implement audit log for several types #534

Merged 1 commit on Aug 12, 2024

@DmitriyMV DmitriyMV commented Aug 8, 2024

This commit implements session tracking and log audit for those types:

  • auth.PublicKey
  • auth.AccessPolicy
  • auth.User
  • auth.Identity
  • omni.Machine
  • omni.MachineLabels
  • omni.Cluster
  • omni.MachineSet (only empty owners for update, log create and delete in all cases)
  • omni.MachineSetNode (only empty owners for update, log create and delete in all cases)
  • omni.ConfigPatch
  • Talos API Access
  • Kubernetes API access

Output example:

{"event_type":"create","resource_type":"Machines.omni.sidero.dev","event_ts":1723466311309,"event_data":{"machine":{"labels":{"omni.sidero.dev/address":"fdae:41e4:649b:9303:a25b:6278:b4cc:9800"},"id":"37a78830-96c2-4c00-9426-844eb239a603","management_address":"fdae:41e4:649b:9303:a25b:6278:b4cc:9800","is_connected":true},"session":{"user_agent":"Omni-Internal-Agent"}}}
{"event_type":"create","resource_type":"PublicKeys.omni.sidero.dev","event_ts":1723466369337,"event_data":{"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"fa02ea7c-6eb1-491e-b053-b5db63a4384f","role":"Admin","email":"[email protected]","fingerprint":"0263efb13f3b5016507ec11ba71a96f5fced3a4d","public_key_expiration":1723494569}}}
{"event_type":"update","resource_type":"PublicKeys.omni.sidero.dev","event_ts":1723466370022,"event_data":{"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"fa02ea7c-6eb1-491e-b053-b5db63a4384f","role":"Admin","email":"[email protected]","fingerprint":"0263efb13f3b5016507ec11ba71a96f5fced3a4d","confirmation_type":"auth0","public_key_expiration":1723494569}}}
{"event_type":"create","resource_type":"Clusters.omni.sidero.dev","event_ts":1723466435280,"event_data":{"cluster":{"id":"talos-default","features":{},"kubernetes_version":"1.30.1","talos_version":"1.7.4"},"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"fa02ea7c-6eb1-491e-b053-b5db63a4384f","role":"Admin","email":"[email protected]","fingerprint":"0263efb13f3b5016507ec11ba71a96f5fced3a4d"}}}
{"event_type":"create","resource_type":"MachineSets.omni.sidero.dev","event_ts":1723466435355,"event_data":{"machine_set":{"labels":{"omni.sidero.dev/cluster":"talos-default","omni.sidero.dev/role-controlplane":""},"machine_class":{"name":"any","machine_count":1},"id":"talos-default-control-planes","update_strategy":"Rolling","delete_strategy":"Unset"},"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"fa02ea7c-6eb1-491e-b053-b5db63a4384f","role":"Admin","email":"[email protected]","fingerprint":"0263efb13f3b5016507ec11ba71a96f5fced3a4d"}}}
{"event_type":"create","resource_type":"MachineSetNodes.omni.sidero.dev","event_ts":1723466435360,"event_data":{"machine_set_node":{"labels":{"omni.sidero.dev/cluster":"talos-default","omni.sidero.dev/machine-set":"talos-default-control-planes","omni.sidero.dev/role-controlplane":""},"id":"05826eb8-a996-42dc-b76b-511d810ab475"},"session":{"user_agent":"Omni-Internal-Agent"}}}
{"event_type":"create","resource_type":"MachineSets.omni.sidero.dev","event_ts":1723466435427,"event_data":{"machine_set":{"labels":{"omni.sidero.dev/cluster":"talos-default","omni.sidero.dev/role-worker":""},"machine_class":{"name":"any","machine_count":2},"id":"talos-default-workers","update_strategy":"Rolling","delete_strategy":"Unset"},"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"fa02ea7c-6eb1-491e-b053-b5db63a4384f","role":"Admin","email":"[email protected]","fingerprint":"0263efb13f3b5016507ec11ba71a96f5fced3a4d"}}}
{"event_type":"create","resource_type":"MachineSetNodes.omni.sidero.dev","event_ts":1723466435429,"event_data":{"machine_set_node":{"labels":{"omni.sidero.dev/cluster":"talos-default","omni.sidero.dev/machine-set":"talos-default-workers","omni.sidero.dev/role-worker":""},"id":"37a78830-96c2-4c00-9426-844eb239a603"},"session":{"user_agent":"Omni-Internal-Agent"}}}
{"event_type":"create","resource_type":"MachineSetNodes.omni.sidero.dev","event_ts":1723466435429,"event_data":{"machine_set_node":{"labels":{"omni.sidero.dev/cluster":"talos-default","omni.sidero.dev/machine-set":"talos-default-workers","omni.sidero.dev/role-worker":""},"id":"45677b47-dc64-4ecd-95dc-7116e754d11f"},"session":{"user_agent":"Omni-Internal-Agent"}}}
{"event_type":"create","resource_type":"PublicKeys.omni.sidero.dev","event_ts":1723466478108,"event_data":{"session":{"user_agent":"grpc-go/1.65.0","ip_address":"147.75.84.91","user_id":"fa02ea7c-6eb1-491e-b053-b5db63a4384f","role":"Admin","email":"[email protected]","fingerprint":"6c7d30a004c18f797a9af60f8a223f5cf724293c","public_key_expiration":1723480878}}}
{"event_type":"update","resource_type":"PublicKeys.omni.sidero.dev","event_ts":1723466487134,"event_data":{"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"fa02ea7c-6eb1-491e-b053-b5db63a4384f","role":"Admin","email":"[email protected]","fingerprint":"6c7d30a004c18f797a9af60f8a223f5cf724293c","confirmation_type":"auth0","public_key_expiration":1723480878}}}
{"event_type":"create","resource_type":"PublicKeys.omni.sidero.dev","event_ts":1723466599343,"event_data":{"session":{"user_agent":"grpc-go/1.65.0","ip_address":"147.75.84.91","user_id":"fa02ea7c-6eb1-491e-b053-b5db63a4384f","role":"Admin","email":"[email protected]","fingerprint":"75d2e320927aa6c630e81570355f10c7a2381abb","public_key_expiration":1723480999}}}
{"event_type":"talos_access","event_ts":1723466604098,"event_data":{"talos_access":{"full_method_name":"machine.MachineService/Version","cluster_name":"talos-default","machine_ip":"172.20.0.3"},"session":{"user_agent":"grpc-go/1.65.0","ip_address":"147.75.84.91","email":"[email protected]","fingerprint":"75d2e320927aa6c630e81570355f10c7a2381abb"}}}
{"event_type":"create","resource_type":"PublicKeys.omni.sidero.dev","event_ts":1723466604100,"event_data":{"session":{"user_agent":"grpc-go/1.65.0","ip_address":"147.75.84.91","user_id":"fa02ea7c-6eb1-491e-b053-b5db63a4384f","role":"Admin","email":"[email protected]","fingerprint":"943efc16c89c0314281f6344a628d1790a8b4351","public_key_expiration":1723481004}}}
{"event_type":"update","resource_type":"PublicKeys.omni.sidero.dev","event_ts":1723466610625,"event_data":{"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"fa02ea7c-6eb1-491e-b053-b5db63a4384f","role":"Admin","email":"[email protected]","fingerprint":"943efc16c89c0314281f6344a628d1790a8b4351","confirmation_type":"auth0","public_key_expiration":1723481004}}}
{"event_type":"talos_access","event_ts":1723466610627,"event_data":{"talos_access":{"full_method_name":"machine.MachineService/Version","cluster_name":"talos-default","machine_ip":"172.20.0.3"},"session":{"user_agent":"grpc-go/1.65.0","ip_address":"147.75.84.91","email":"[email protected]","fingerprint":"943efc16c89c0314281f6344a628d1790a8b4351"}}}
{"event_type":"talos_access","event_ts":1723466610658,"event_data":{"talos_access":{"full_method_name":"cosi.resource.State/List","cluster_name":"talos-default","machine_ip":"172.20.0.3"},"session":{"user_agent":"grpc-go/1.65.0","ip_address":"147.75.84.91","email":"[email protected]","fingerprint":"943efc16c89c0314281f6344a628d1790a8b4351"}}}
{"event_type":"talos_access","event_ts":1723466610697,"event_data":{"talos_access":{"full_method_name":"cosi.resource.State/List","cluster_name":"talos-default","machine_ip":"172.20.0.3"},"session":{"user_agent":"grpc-go/1.65.0","ip_address":"147.75.84.91","email":"[email protected]","fingerprint":"943efc16c89c0314281f6344a628d1790a8b4351"}}}
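
A check a log consumer could run over output in this format, as an added example (not code from this PR or from Omni): it flags `talos_access` events whose session `fingerprint` has no earlier `PublicKeys` `update` carrying `confirmation_type`. Treating that update as the key-confirmation record is an assumption drawn from the output example; the lines in `sampleLog` are constructed, with placeholder fingerprints and timestamps.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sampleLog is constructed for this example; fingerprints and timestamps are placeholders.
const sampleLog = `{"event_type":"create","resource_type":"PublicKeys.omni.sidero.dev","event_ts":1000,"event_data":{"session":{"user_agent":"grpc-go/1.65.0","fingerprint":"aaaa"}}}
{"event_type":"talos_access","event_ts":1100,"event_data":{"talos_access":{"full_method_name":"machine.MachineService/Version"},"session":{"fingerprint":"aaaa"}}}
{"event_type":"update","resource_type":"PublicKeys.omni.sidero.dev","event_ts":1200,"event_data":{"session":{"fingerprint":"bbbb","confirmation_type":"auth0"}}}
{"event_type":"talos_access","event_ts":1300,"event_data":{"talos_access":{"full_method_name":"cosi.resource.State/List"},"session":{"fingerprint":"bbbb"}}}`

// Event keeps only the fields this check reads, named as in the output example.
type Event struct {
	Type     string `json:"event_type"`
	Resource string `json:"resource_type"`
	Data     struct {
		Session struct {
			Fingerprint      string `json:"fingerprint"`
			ConfirmationType string `json:"confirmation_type"`
		} `json:"session"`
		TalosAccess struct{ Method string `json:"full_method_name"` } `json:"talos_access"`
	} `json:"event_data"`
}

// UnconfirmedAccess returns talos_access events whose key fingerprint has no earlier
// PublicKeys update with confirmation_type set (assumed here to mark key confirmation).
func UnconfirmedAccess(log string) ([]Event, error) {
	confirmed, flagged := map[string]bool{}, []Event(nil)
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("malformed audit line: %w", err)
		}
		s := e.Data.Session
		if e.Type == "update" && strings.HasPrefix(e.Resource, "PublicKeys.") && s.ConfirmationType != "" {
			confirmed[s.Fingerprint] = true
		} else if e.Type == "talos_access" && !confirmed[s.Fingerprint] {
			flagged = append(flagged, e)
		}
	}
	return flagged, nil
}

func main() {
	flagged, err := UnconfirmedAccess(sampleLog)
	fmt.Printf("%+v %v\n", flagged, err)
}
```

The check only sees confirmations present in the log it is given, so a key confirmed before the start of the file is flagged as well.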

@DmitriyMV DmitriyMV added the integration/e2e-short Triggers all e2e short tests for Omni label Aug 8, 2024
@DmitriyMV DmitriyMV force-pushed the audit-crud branch 2 times, most recently from 3ae6b68 to a9aab4a Compare August 8, 2024 20:30
@DmitriyMV DmitriyMV force-pushed the audit-crud branch 4 times, most recently from 74d5cac to 8576fbe Compare August 12, 2024 12:36
This commit implements session tracking and log audit for those types:
- [x] auth.PublicKey
- [x] auth.AccessPolicy
- [x] auth.User
- [x] auth.Identity
- [x] omni.Machine
- [x] omni.MachineLabels
- [x] omni.Cluster
- [x] omni.MachineSet (only empty owners for update, log create and delete in all cases)
- [x] omni.MachineSetNode (only empty owners for update, log create and delete in all cases)
- [x] omni.ConfigPatch
- [x] Talos API Access
- [x] Kubernetes API access

Output example:

```
{"event_type":"update","resource_type":"Machines.omni.sidero.dev","event_ts":1723137771180,"event_data":{"session":{"user_agent":"Omni-Internal-Agent"},"machine":{"id":"18cec051-d975-483d-8d43-10ac6421648a","is_connected":true,"management_address":"fdae:41e4:649b:9303:da9b:1ed:a725:c3dd","labels":{"omni.sidero.dev/address":"fdae:41e4:649b:9303:da9b:1ed:a725:c3dd"}}}}
{"event_type":"update","resource_type":"Machines.omni.sidero.dev","event_ts":1723137771180,"event_data":{"session":{"user_agent":"Omni-Internal-Agent"},"machine":{"id":"18cec051-d975-483d-8d43-10ac6421648a","is_connected":true,"management_address":"fdae:41e4:649b:9303:da9b:1ed:a725:c3dd","labels":{"omni.sidero.dev/address":"fdae:41e4:649b:9303:da9b:1ed:a725:c3dd"}}}}
{"event_type":"update","resource_type":"Machines.omni.sidero.dev","event_ts":1723137771181,"event_data":{"session":{"user_agent":"Omni-Internal-Agent"},"machine":{"id":"18cec051-d975-483d-8d43-10ac6421648a","is_connected":true,"management_address":"fdae:41e4:649b:9303:da9b:1ed:a725:c3dd","labels":{"omni.sidero.dev/address":"fdae:41e4:649b:9303:da9b:1ed:a725:c3dd"}}}}
{"event_type":"create","resource_type":"MachineLabels.omni.sidero.dev","event_ts":1723137787549,"event_data":{"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"ea002172-b9da-423f-bd1d-b443b8a7b43c","role":"Admin","email":"[email protected]","fingerprint":"da7b997eb68449a12bebc6a3bf4f59beaf167209"},"machine_labels":{"id":"18cec051-d975-483d-8d43-10ac6421648a","labels":{"222":""}}}}
{"event_type":"update","resource_type":"MachineLabels.omni.sidero.dev","event_ts":1723137787553,"event_data":{"session":{"user_agent":"Omni-Internal-Agent"},"machine_labels":{"id":"18cec051-d975-483d-8d43-10ac6421648a","labels":{"222":""}}}}
{"event_type":"update","resource_type":"MachineLabels.omni.sidero.dev","event_ts":1723137811532,"event_data":{"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"ea002172-b9da-423f-bd1d-b443b8a7b43c","role":"Admin","email":"[email protected]","fingerprint":"da7b997eb68449a12bebc6a3bf4f59beaf167209"},"machine_labels":{"id":"18cec051-d975-483d-8d43-10ac6421648a","labels":{"222":"","333":""}}}}
{"event_type":"update","resource_type":"MachineLabels.omni.sidero.dev","event_ts":1723137811610,"event_data":{"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"ea002172-b9da-423f-bd1d-b443b8a7b43c","role":"Admin","email":"[email protected]","fingerprint":"da7b997eb68449a12bebc6a3bf4f59beaf167209"},"machine_labels":{"id":"18cec051-d975-483d-8d43-10ac6421648a","labels":{"222":"","333":""}}}}
{"event_type":"update","resource_type":"MachineLabels.omni.sidero.dev","event_ts":1723137811611,"event_data":{"session":{"user_agent":"Omni-Internal-Agent"},"machine_labels":{"id":"18cec051-d975-483d-8d43-10ac6421648a","labels":{"222":"","333":""}}}}
{"event_type":"destroy","resource_type":"MachineLabels.omni.sidero.dev","event_ts":1723137811621,"event_data":{"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"ea002172-b9da-423f-bd1d-b443b8a7b43c","role":"Admin","email":"[email protected]","fingerprint":"da7b997eb68449a12bebc6a3bf4f59beaf167209"},"machine_labels":{"id":"18cec051-d975-483d-8d43-10ac6421648a","labels":{"222":"","333":""}}}}
{"event_type":"create","resource_type":"Users.omni.sidero.dev","event_ts":1723141793888,"event_data":{"new_user":{"role":"Admin","id":"7903a72c-87af-43b8-94dc-82bd961ab768"},"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"ea002172-b9da-423f-bd1d-b443b8a7b43c","role":"Admin","email":"[email protected]","fingerprint":"da7b997eb68449a12bebc6a3bf4f59beaf167209"}}}
{"event_type":"create","resource_type":"Identities.omni.sidero.dev","event_ts":1723141793981,"event_data":{"new_user":{"id":"7903a72c-87af-43b8-94dc-82bd961ab768","email":"[email protected]"},"session":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","ip_address":"<snip>","user_id":"ea002172-b9da-423f-bd1d-b443b8a7b43c","role":"Admin","email":"[email protected]","fingerprint":"da7b997eb68449a12bebc6a3bf4f59beaf167209"}}}
```

Closes siderolabs#37

Signed-off-by: Dmitriy Matrenichev <[email protected]>
@DmitriyMV DmitriyMV linked an issue Aug 12, 2024 that may be closed by this pull request
@DmitriyMV

/m

@talos-bot talos-bot merged commit 99f9317 into siderolabs:main Aug 12, 2024
19 checks passed
@DmitriyMV DmitriyMV deleted the audit-crud branch August 12, 2024 13:33