OSDOCS-2890: Updating for OAuth server audit logging #45799
Conversation
bergerhoffer
changed the title
openshift-ci
bot
added
do-not-merge/work-in-progress
✅ Deploy Preview for osdocs ready!
To edit notification comments on pull requests, go to your Netlify site settings. |
bergerhoffer
added
peer-review-needed
bergerhoffer
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
jeana-redhat
added
peer-review-done
bergerhoffer
force-pushed
the
OSDOCS-2890
branch
from
696b567
to
154cd6f
Compare
|
@ibihim I made a few updates per the feedback. Can you please re-review? Updated preview link is now here: http://file.rdu.redhat.com/~ahoffer/2022/OSDOCS-2890/security/audit-log-view.html#nodes-nodes-audit-log-basic-viewing_audit-log-view |
|
In "Gathering audit logs" section (not shown in this PR "Files changed"; happened to find it in your preview link) /usr/bin/gather_audit_logs is not a "flag". It is a command, this can seen from oc adm must-gather -h: |
|
Need we somewhere mention "authentication.openshift.io/decision" can be one of allow, deny, error? |
Thanks @xingxingxia - I'm actually not familiar with this file so I'll track it down and will update to use the correct phrasing. |
@xingxingxia I don't really see anywhere else where we really get into the possible values for fields of an audit event, outside of generically mentioning the fields in this table: http://file.rdu.redhat.com/~ahoffer/2022/OSDOCS-2890/security/audit-log-view.html#nodes-pods-audit-log-basic_audit-log-view. So I don't think so, but let me know if you feel strongly about it and we can look into it more. |
bergerhoffer
force-pushed
the
OSDOCS-2890
branch
from
154cd6f
to
44335ec
Compare
|
@xingxingxia Updated per your feedback, can you please take another look? Thanks! |
|
AUTH-6 OEP https://github.com/openshift/enhancements/blob/master/enhancements/authentication/login-logout-events.md#proposal uses quite length to tell allow, deny or error. For AUTH-6, this is a feature point specific and non-trivial. So I prefer to mention allow, deny or error if we documen AUTH-6. |
bergerhoffer
force-pushed
the
OSDOCS-2890
branch
from
44335ec
to
c79fdd6
Compare
@xingxingxia Sure thing then! I mentioned this in the part about viewing the audit logs. Can you take a look and let me know if this works? Thanks! |
|
LGTM, but the preview link https://deploy-preview-45799--osdocs.netlify.app/openshift-enterprise/latest/security/audit-log-view.html#nodes-nodes-audit-log-basic-viewing_audit-log-view page does not show "The possible values for the authentication.openshift.io/decision annotation are allow, deny, or error.", what is wrong? |
@xingxingxia Apologies - our automatic preview system has not been functioning for a month or two, so we've been having to upload manual previews instead. As long as you see the proper text on the latest preview link I shared (http://file.rdu.redhat.com/~ahoffer/2022/OSDOCS-2890/security/audit-log-view.html#nodes-nodes-audit-log-basic-viewing_audit-log-view), we should be good to go! |
|
Ah, thanks for the explanation! |
|
/cherrypick enterprise-4.11 |
|
@bergerhoffer: new pull request created: #47896 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Version(s):
4.11
Issue:
https://issues.redhat.com/browse/OSDOCS-2890
Link to docs preview:
Additional information: