Auditing Codenvy #581

Closed
bmicklea opened this issue Aug 15, 2016 · 26 comments

@bmicklea
Contributor

bmicklea commented Aug 15, 2016

Codenvy should provide a default audit report that would include:

Per Install Information

  • Number of users licensed (pulled from the valid license in the system)
  • Date when license expires (pulled from the valid license in the system)
  • Number of users in the Codenvy database

Per User Information

  • Total number of workspaces the user has permissions to
  • Total number of workspaces the user is owner of

For each workspace the user has permissions to show a table with each workspace on a row:

  • Name of the workspace
  • Whether they are owner or participant
  • Their permissions on the workspace

The report should be output in a tabular format, and into a text file.

Update:
The user should log in using the "codenvy login" command before executing the audit command. This is needed to get access to the Organization API. To do this, the following issue should be resolved (#667).
Update:
Depends on: #599

@dmytro-ndp
Contributor

@bmicklea:

The report should be output in HTML and can be output by executing a CLI command.

Does this mean that the user should see HTML code in the output of the CLI?
Frankly speaking, a Linux terminal is not a good place to review HTML code as is. HTML code is meant to be used by browsers.

Usually, reports in a terminal are displayed as a list of "key: value", in JSON format or something like that.

@TylerJewell
Contributor

We should dump the information into CSV or equivalent. HTML is not a requirement. How do other audits work on Tomcat? A text file is fine.

@bmicklea
Contributor Author

bmicklea commented Aug 25, 2016

@tolusha yes, it's a customer request.

@dmytro-ndp, my thought had been to output a file in HTML but text or CSV is fine too if the information is readable.

@vkuznyetsov

Is this issue on IM CLI?

@TylerJewell
Contributor

It doesn't even need to be that. We can generate an audit log file and just keep it current. We can just tell the admin the name of the file.

@tolusha
Contributor

tolusha commented Aug 26, 2016

@vkuznyetsov means whether it should be the IM CLI command ./codenvy audit?

@TylerJewell
Contributor

Cli is not necessary. We can just dump the data into a log file as the access happens - similar to an Apache log file. We can have multiple log files with different audit data if necessary.

So the docs would just show where these audit logs are at and admin can grab them at any time.

@vkuznyetsov

@TylerJewell Who can initiate the Audit Report, and how? I thought this report should be created by an IM command.

@dmytro-ndp
Contributor

dmytro-ndp commented Aug 26, 2016

@TylerJewell:

We can just dump the data into a log file as the access happens.

Do you mean that Codenvy on-prem should collect a log of workspace creation/deletion, user creation and other info in a separate file, say audit.log, in addition to /home/codenvy/tomcat/logs/catalina.out, as a list of log entries like the following:

2016-08-26 13:05:18,020[io-8080-exec-10]  [INFO ] [.c.a.d.a.AuthenticationDaoImpl 93]   - EVENT#user-sso-logged-in# USING#org# USER#admin#

2016-08-26 13:05:18,304[nio-8080-exec-5]  [INFO ] [com.codenvy.mail.MailSender 102]     - Sending from noreply@codenvy.onprem to cdec.im.test@gmail.com with subject Welcome To Codenvy

2016-08-26 13:05:18,532[io-8080-exec-12]  [INFO ] [c.u.CreationNotificationSender 111]  - User created message send to cdec.im.test@gmail.com

2016-08-26 13:05:18,575[nio-8080-exec-1]  [INFO ] [.c.a.d.a.AuthenticationDaoImpl 93]   - EVENT#user-sso-logged-in# USING#org# USER#cdec#

2016-08-26 13:26:06,241[kspaceManager-0]  [INFO ] [o.e.c.a.w.s.WorkspaceManager 651]    - Workspace 'cdec:workspace-1' with id 'workspacejqgcb11xx1cw4zfm' started by user 'cdec'

2016-08-26 14:26:06,241[LicenseManager-0]  [INFO ] [o.e.c.a.w.s.LicenseManager 651]    - Codenvy License added with parameters: 50 maximum users, 2016-10-01 expiration day...

2016-08-26 20:26:06,241[kspaceManager-0]  [INFO ] [o.e.c.a.w.s.WorkspaceManager 651]    - Workspace 'cdec:workspace-1' accessed be user 'cdec'
....

and then the admin should be able to read such an audit log and prepare a report in a convenient view?
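
Added example, not part of the thread and not Codenvy code: a Python script for the report-preparation step asked about above, parsing lines in the layout shown in the comment and deriving the latest workspace event per user. The sample lines are copied from the comment; the function names are hypothetical.

```python
import re
from datetime import datetime

# Sample lines copied from the comment above; they illustrate the format only.
SAMPLE_LOG = """\
2016-08-26 13:05:18,020[io-8080-exec-10]  [INFO ] [.c.a.d.a.AuthenticationDaoImpl 93]   - EVENT#user-sso-logged-in# USING#org# USER#admin#
2016-08-26 13:05:18,575[nio-8080-exec-1]  [INFO ] [.c.a.d.a.AuthenticationDaoImpl 93]   - EVENT#user-sso-logged-in# USING#org# USER#cdec#
2016-08-26 13:26:06,241[kspaceManager-0]  [INFO ] [o.e.c.a.w.s.WorkspaceManager 651]    - Workspace 'cdec:workspace-1' with id 'workspacejqgcb11xx1cw4zfm' started by user 'cdec'
2016-08-26 14:26:06,241[LicenseManager-0]  [INFO ] [o.e.c.a.w.s.LicenseManager 651]    - Codenvy License added with parameters: 50 maximum users, 2016-10-01 expiration day...
2016-08-26 20:26:06,241[kspaceManager-0]  [INFO ] [o.e.c.a.w.s.WorkspaceManager 651]    - Workspace 'cdec:workspace-1' accessed be user 'cdec'
"""

# Layout: timestamp[thread]  [LEVEL ] [logger line]   - message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\[[^\]]+\]\s+"
    r"\[\w+\s*\]\s+\[(?P<logger>[^\]]+)\]\s+- (?P<msg>.*)$")
KV = re.compile(r"([A-Z][A-Z-]*)#([^#]*)#")   # EVENT#..# USING#..# USER#..#
WS = re.compile(r"Workspace '([^']+)' .*?(started|accessed) \w+ user '([^']+)'")


def parse_line(line):
    """Return an audit record for a login or workspace event, else None."""
    m = LINE.match(line)
    if not m:
        return None                      # "....", stack traces, wrapped lines
    rec = {"time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")}
    fields = dict(KV.findall(m["msg"]))
    ws = WS.search(m["msg"])
    if "EVENT" in fields:
        rec.update(kind=fields["EVENT"], user=fields.get("USER"), workspace=None)
    elif ws:
        rec.update(kind="workspace-" + ws[2], user=ws[3], workspace=ws[1])
    else:
        return None                      # not an audit-relevant message
    return rec


def last_activity(text):
    """Map (user, workspace) -> (time, kind) of the newest workspace event."""
    latest = {}
    for rec in filter(None, map(parse_line, text.splitlines())):
        key = (rec["user"], rec["workspace"])
        if rec["workspace"] and (key not in latest or rec["time"] > latest[key][0]):
            latest[key] = (rec["time"], rec["kind"])
    return latest


if __name__ == "__main__":
    for (user, ws), (when, kind) in sorted(last_activity(SAMPLE_LOG).items()):
        print(f"{user:8} {ws:20} {kind:20} {when:%Y-%m-%d %H:%M:%S}")
```

The parser trusts the `#` and `'` delimiters, so user and workspace names have to be escaped by whatever writes the log; otherwise a crafted name can forge fields in the audit trail.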

@TylerJewell
Contributor

Oh my god - sorry @tolusha @vkuznyetsov - I got my thoughts mixed up with another issue. It's too early in the morning and I haven't had tea yet.

Yes, you are both correct - this needs to be "codenvy audit" with CLI. And then we dump output into a file.

@vkuznyetsov

@bmicklea
About table for workspaces - Date of last access to the workspace:
For now it is possible to get the Date of last access of any user who has permissions to update the workspace. Do you mean this Date or the Date of last access for the current user?

@bmicklea
Contributor Author

bmicklea commented Aug 26, 2016

Date of the last access by any user is perfect.

@TylerJewell
Contributor

@bmicklea @vkuznyetsov - actually, Brad, I think it's the opposite.

What the audit report is showing is the list of all workspaces for each user. So it may show something like:

USERA WS1 <name> <permissions> <last-access-date>

This is specifically when USERA accessed WS1.

@tolusha
Contributor

tolusha commented Aug 27, 2016

Unfortunately, we don't store the last access date of every user to a workspace.

@TylerJewell
Contributor

Please add a sub issue for tracking around workspace access log. I think the data to collect would be similar to what an HTTP access log might contain. It would include the user name, IP address, time-date stamp of access, and maybe type of access. Now since each user interacts with a ws independently, to keep things simpler we could just log all of the access to a particular workspace that is done through our central system, such as first authentication. I am unsure how much traffic flows through our routers from an access point of view?

@tolusha
Contributor

tolusha commented Aug 27, 2016

Is it another type of audit output besides the one mentioned in the issue?

@TylerJewell
Contributor

I think so yes. This new one is more of a continuing log file that records access each time a user activity occurs. I suppose we could log this in our database and provide a CLI or treat it similar to how Apache generates an access log.

Then once this was there we could reuse the information in such a log to build a stronger Codenvy audit report that is part of the original definition of this issue.

@tolusha
Contributor

tolusha commented Aug 27, 2016

Logging any kind of activity is too unclear and might be excessive.
I propose to remove the requirement "Date of last access to the workspace" from this issue, create the new one you've suggested and start analyzing it.

@TylerJewell
Contributor

It may be excessive, agreed. Ok to separate the analysis.

Separately - do we get a list of all access to a single workspace? There could be a users view which lists all of their access to any workspace. Or an admin might choose a single workspace and ask for all access to it from any user.

@tolusha
Contributor

tolusha commented Aug 27, 2016

@bmicklea pls remove Date of last access to the workspace from the requirements and then we can take this issue in the next sprint.

A separate issue to discuss: #638

@tolusha
Contributor

tolusha commented Aug 27, 2016

Right now we can have (and actually store) only data about accessing a workspace, without binding it to a specific user.

@bmicklea
Contributor Author

removed.

@bmicklea
Contributor Author

bmicklea commented Nov 7, 2016

@tolusha can you send me a sample report please? I need it for my CheConf presentation.

@dmytro-ndp
Contributor

dmytro-ndp commented Nov 7, 2016

@bmicklea: here is an example:

Number of all users: 3 
Number of users licensed: 10 
Date when license expires: 31 December 2050 
admin@codenvy.onprem is owner of 0 workspaces and has permissions in 0 workspaces 
user1@codenvy.com is owner of 2 workspaces and has permissions in 2 workspaces 
└ workspace-2, is owner: true, permissions: [read, use, run, configure, setPermissions, delete] 
└ workspace-1, is owner: true, permissions: [read, use, run, configure, setPermissions, delete] 
user2@codenvy.com is owner of 1 workspace and has permissions in 2 workspaces 
└ workspace-2, is owner: false, permissions: [read, use, run, configure] 
└ workspace-1, is owner: true, permissions: [read, use, run, configure, setPermissions, delete]

@eivantsov: it seems we need to add info about the audit CLI command to our documentation.
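
Added example, not part of the thread and not Codenvy code: a Python access review over a report in the layout shown above. It checks user count against licensed seats, checks that each user's header counts match the workspace rows, and flags non-owners holding owner-style permissions. The function names and the `OWNER_ONLY` set are assumptions made for this example.

```python
import re

# Sample report copied from the comment above.
SAMPLE_REPORT = """\
Number of all users: 3
Number of users licensed: 10
Date when license expires: 31 December 2050
admin@codenvy.onprem is owner of 0 workspaces and has permissions in 0 workspaces
user1@codenvy.com is owner of 2 workspaces and has permissions in 2 workspaces
└ workspace-2, is owner: true, permissions: [read, use, run, configure, setPermissions, delete]
└ workspace-1, is owner: true, permissions: [read, use, run, configure, setPermissions, delete]
user2@codenvy.com is owner of 1 workspace and has permissions in 2 workspaces
└ workspace-2, is owner: false, permissions: [read, use, run, configure]
└ workspace-1, is owner: true, permissions: [read, use, run, configure, setPermissions, delete]
"""

USER = re.compile(
    r"^(\S+) is owner of (\d+) workspaces? and has permissions in (\d+) workspaces?$")
ROW = re.compile(r"^└ (\S+), is owner: (true|false), permissions: \[([^\]]*)\]$")
# Assumption for this example: permissions a non-owner should not hold.
OWNER_ONLY = {"setPermissions", "delete"}

def parse_report(text):
    """Return (summary dict, {user: {owned, granted, workspaces}})."""
    summary, users, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if (m := USER.match(line)):
            current = users[m[1]] = {
                "owned": int(m[2]), "granted": int(m[3]), "workspaces": []}
        elif (m := ROW.match(line)) and current:
            perms = [p.strip() for p in m[3].split(",") if p.strip()]
            current["workspaces"].append((m[1], m[2] == "true", perms))
        elif ":" in line:
            key, value = line.split(":", 1)
            summary[key.strip()] = value.strip()
    return summary, users

def review(text):
    """Return a list of findings; an empty list means nothing to follow up."""
    summary, users = parse_report(text)
    findings = []
    if int(summary["Number of all users"]) > int(summary["Number of users licensed"]):
        findings.append("more users than licensed seats")
    for name, u in users.items():
        rows = u["workspaces"]
        if len(rows) != u["granted"] or sum(o for _, o, _ in rows) != u["owned"]:
            findings.append(f"{name}: header counts do not match workspace rows")
        findings += [f"{name}: non-owner of {ws} holds {sorted(OWNER_ONLY & set(perms))}"
                     for ws, owner, perms in rows if not owner and OWNER_ONLY & set(perms)]
    return findings
```

Calling `review(SAMPLE_REPORT)` on the report above returns an empty list; `OWNER_ONLY` is a policy choice to adjust per installation.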

@tolusha
Contributor

tolusha commented Nov 7, 2016

@dmytro-ndp thx

@bmicklea
Contributor Author

bmicklea commented Nov 7, 2016

Thanks
