Audit Logging #275
Audit Logging #275
Conversation
tekton-robot
added
needs-ok-to-test
|
Hi @CathalOConnorRH. Thanks for your PR. I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
tekton-robot
added
ok-to-test
There was a problem hiding this comment.
/hold
#268 should merge first (both configure zap, thus are in conflict).
cmd/api/main.go
Outdated
|
|
||
| token, _, _ := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{}) |
There was a problem hiding this comment.
Two items:
- Error is a potential return here. Should we raise an error, treat it as an unauthenticated request, or something else?
- Please comment why we are using
ParseUnverified. The godoc has an explict warning ("do not use unless you know what you are doing")
There was a problem hiding this comment.
- I will update the code to handle the error returned and log it but I think we should return the error to the calling method as it should stop the rest of the code from processing, WDYT ?
- We are using
ParseUnverifedto just take the name of the sub from the token. we don't verify it. that's still left up to the existing code to verify. Do you think we should verify it here also ?
There was a problem hiding this comment.
I don't think we need to verify it - we indirectly verify through the TokenAccessReview. I think we just need to comment that explains "this code is just extracting values, it is not doing any form of verification".
There was a problem hiding this comment.
I will update the code to handle the error returned and log it but I think we should return the error to the calling method as it should stop the rest of the code from processing, WDYT ?
I do have a concern that since this is an interceptor, an error causes the request to fail. Perhaps we set grpc.user to unknown in the context?
There was a problem hiding this comment.
Updated to include those points.
tekton-robot
added
the
do-not-merge/hold
CathalOConnorRH
force-pushed
the
add_audit_logs
branch
2 times, most recently
from
428ae52
to
c6ecea4
Compare
tekton-robot
added
the
approved
|
Eventually it'd be interesting to customize Zap settings through the config-logging ConfigMap. This would make the log output as well as the process of tweaking it homogeneous with other Tekton components, including the Watcher. |
|
@alan-ghelardi: changing LGTM is restricted to collaborators In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/lgtm |
tekton-robot
added
lgtm
|
/hold cancel Once this PR is rebased, I can merge. |
tekton-robot
removed
the
do-not-merge/hold
CathalOConnorRH
force-pushed
the
add_audit_logs
branch
from
c6ecea4
to
e5c427c
Compare
tekton-robot
removed
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
kind/feature
Add audit logging to grpc requests using grpc-middleware and zap logger. Addresses #246
Some example request logs are below :
grpc_cli ls
{"grpc.start_time":"2022-12-06T16:15:45Z","system":"grpc","span.kind":"server","grpc.service":"grpc.reflection.v1alpha.ServerReflection","grpc.method":"ServerReflectionInfo","peer.address":"127.0.0.1:40388","grpc.user":"unauthenticated_request","grpc.code":"OK","grpc.time_duration_in_ns":520866}grpc_cli call
{"grpc.start_time":"2022-12-06T16:16:28Z","system":"grpc","span.kind":"server","grpc.service":"tekton.results.v1alpha2.Results","grpc.method":"ListResults","peer.address":"127.0.0.1:33534","grpc.user":"system:serviceaccount:tekton-pipelines:tekton-results-debug","grpc.issuer":"kubernetes/serviceaccount","grpc.code":"OK","grpc.time_duration_in_ns":6033652} {"grpc.start_time":"2022-12-06T16:16:28Z","system":"grpc","span.kind":"server","grpc.service":"grpc.reflection.v1alpha.ServerReflection","grpc.method":"ServerReflectionInfo","peer.address":"127.0.0.1:33534","grpc.user":"system:serviceaccount:tekton-pipelines:tekton-results-debug","grpc.issuer":"kubernetes/serviceaccount","grpc.code":"OK","grpc.time_duration_in_ns":9241731}