audit-logging: Filter uninteresting conversations out of audit log

[babbageclunk]

Description of change

Read-only API requests (like status) aren't interesting from the perspective of audit logging. To avoid burying important information in the log we buffer the conversation and any uninteresting requests/responses until we see an interesting request, at which point we flush the buffer and write out any later messages immediately.

This means that any logged conversation will have the full set of requests even if some of them are only read-only.

QA steps

Bootstrap a controller with auditing enabled. Run various read-only commands, check that none of them generate audit log entries. Run commands that change state (setting config, deploying apps, adding and removing models, units and machines). Check that all of those show up in the audit log.

[anastasiamac]

Looks pretty neat!
(I love the fact that you went with observer pattern :D my favourite!)
My only concern at this stage is that Login call itself is not audited.

[anastasiamac]

nit - I'd prefer to surround 'juju status' in quotes :)

[babbageclunk]

Done!

[anastasiamac]

I am a bit concerned that "Login" request itself is not considered "interesting"... Most of auditing is actually VERY interested in "login" and "login" attempts :D

[babbageclunk]

Hmm. Since every client API interaction requires a login, including all logins would kind of defeat the purpose of filtering here - my watch juju status will still fill up the log with noise. I think you're right about logging failed login attempts though. I'll add a card for it and do it as a separate PR, if that's ok - it's pretty separate from this change.

[anastasiamac]

Probably, don't need a newline?

[babbageclunk]

Oops, due to some inexpert keyboard mashing.

[anastasiamac]

Is this a read-only call? I seem to recall that it was also a mutator based on whether the data was passed-in or not...

[babbageclunk]

No, this one doesn't accept any params.

[anastasiamac]

a mutator also, perhaps?

[babbageclunk]

No, it also doesn't accept args.

[wgrant]

Application.Get returns the config, which will usually have secrets.

[anastasiamac]

We will not be recording it :D
This is a black list of Facade.Method - meaning "do not audit these calls". This will also ignore all arguments, parameters and return values to/from these methods.

[wgrant]

Right, but if you're going to audit things, surely you want to audit things that will be the easiest way to exfiltrate secrets.

[babbageclunk]

Yeah, that's a good point - and I don't think users will do it so often in the normal course of events that it'll obscure other information in the logs.

[babbageclunk]

Oops, I meant to say, so I'll remove it from the filter list.

[anastasiamac]

I think it's a nice initial cut - thank you :)
+1 from me but there seems to be some test failures.
Also since William raised some concerns, maybe worthwhile getting a 2nd review from @jameinel or @wupeka ?

[jameinel]

I would be much happier if this filtering was being done on read rather than on write. Because you can't ever recover the information if it was never written in the first place.
Do we know that audit log is growing out of control without pruning on write? (We may need this because audit log is growing too fast without it.)
But deciding "what is interesting" feels very much where different operators can differ in their desire. So at a minimum I'd want to see a way to enable/disable this. We could default it to being on, with a way to disable it.

[babbageclunk]

Thanks John - yeah, looking at it now I think I went overboard on the filtering. Maybe a better way would be minimal filtering by default (just Client.FullStatus) with the list of methods to filter being a configuration setting (I guess just a comma-separated list). That way operators could remove anything they decided didn't need to be logged.

[babbageclunk]

$$merge$$

[jujubot]

Status: merge request accepted. Url: http://ci.jujucharms.com/job/github-merge-juju