Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

api: add stdout audit logger for RBAC audit logging. #26453

Merged
merged 4 commits into from
Apr 14, 2023
Merged

api: add stdout audit logger for RBAC audit logging. #26453

merged 4 commits into from
Apr 14, 2023

Conversation

rockspore
Copy link
Contributor

Commit Message: Add stdout audit logger for RBAC audit logging.
Additional Description: This is the built-in audit logger gRPC plans to support for now. We intentionally make it not configurable until we have use cases that need to modify the behavior such as log format. The layout resembles StdoutAccessLog.
Risk Level: Low
Testing: N/A
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features: N/A

cc @markdroth @ejona86

@rockspore
Add stdout audit logger for RBAC audit logging.
805cdb5 
Signed-off-by: Luwei Ge <lwge@google.com>
@repokitteh-read-only
Copy link

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #26453 was opened by rockspore.

see: more, trace.

@repokitteh-read-only
Copy link

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @markdroth
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #26453 was opened by rockspore.

see: more, trace.

@rockspore
fix spelling
7c4cc85 
Signed-off-by: Luwei Ge <lwge@google.com>
@rockspore
remove extension name in comment
28a0372 
Signed-off-by: Luwei Ge <lwge@google.com>
@rockspore rockspore marked this pull request as ready for review March 29, 2023 22:31
yanavlasov
yanavlasov requested changes Mar 31, 2023
View reviewed changes
Copy link
Contributor

@yanavlasov yanavlasov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/wait

api/envoy/extensions/rbac/audit_loggers/stream/v3/stream.proto
// Custom configuration for the RBAC audit logger that writes log entries
// directly to the operating system's standard output.
// The logger outputs in JSON format and is currently not configurable.
message StdoutAuditLog {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

stdout is only one type of log sink, that may not be usable by everyone. Please add something similar to the request access log configuration https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/accesslog/v3/accesslog.proto#config-accesslog-v3-accesslog which allows different implementations of log sinks (i.e. gRPC).

You can exclude the filter field, since there are no defined filtering semantics for RBAC log yet (although I can see someone only logging denied requests).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the review! I realized I forgot to include enough context in the PR description, this logger type is specifically for the API created in #26001 (#26415 as an amendment). The AuditCondition there specifies when to log the request and the logger configuration itself is already a TypedExtensionConfig. We don't need an access log like configuration in this case, right?

markdroth
markdroth reviewed Apr 6, 2023
View reviewed changes
api/envoy/extensions/rbac/audit_loggers/stream/v3/stream.proto
// Custom configuration for the RBAC audit logger that writes log entries
// directly to the operating system's standard output.
// The logger outputs in JSON format and is currently not configurable.
message StdoutAuditLog {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the directory/file names and the proto name should match. If we're calling this StdoutLogger, then let's rename the directory from stream to stdout and the filename from stream.proto to stdout.proto.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, wait, just realized that these names are what is used for the stdout access logger you mentioned above. In that case, this is fine as-is.

@markdroth
Copy link
Contributor

/lgtm api

@repokitteh-read-only repokitteh-read-only bot removed the api label Apr 6, 2023
@rockspore
Copy link
Contributor Author

I believe nothing needs to be changed here till a new round of review but I am not able to remove the waiting label. Could someone help with that? Thanks!

This was referenced Apr 7, 2023
Merged
Merged
@rockspore
Merge branch 'main' of https://github.com/envoyproxy/envoy into stdou…
9404a1d 
…t_logger

Signed-off-by: Luwei Ge <lwge@google.com>
@yanavlasov yanavlasov merged commit ce2ee76 into envoyproxy:main Apr 14, 2023
74 checks passed
@rockspore rockspore deleted the stdout_logger branch April 15, 2023 17:03
@erm-g erm-g mentioned this pull request Apr 26, 2023
Closed
@kyessenov kyessenov mentioned this pull request Oct 6, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@markdroth markdroth markdroth left review comments

@yanavlasov yanavlasov yanavlasov approved these changes

Assignees

@yanavlasov yanavlasov

@markdroth markdroth

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@rockspore @markdroth @yanavlasov