-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Audit Logging #275
Audit Logging #275
Conversation
Hi @CathalOConnorRH. Thanks for your PR. I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/ok-to-test
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/hold
#268 should merge first (both configure zap, thus are in conflict).
cmd/api/main.go
Outdated
|
||
token, _, _ := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Two items:
- Error is a potential return here. Should we raise an error, treat it as an unauthenticated request, or something else?
- Please comment why we are using
ParseUnverified
. The godoc has an explict warning ("do not use unless you know what you are doing")
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- I will update the code to handle the error returned and log it but I think we should return the error to the calling method as it should stop the rest of the code from processing, WDYT ?
- We are using
ParseUnverifed
to just take the name of the sub from the token. we don't verify it. that's still left up to the existing code to verify. Do you think we should verify it here also ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we need to verify it - we indirectly verify through the TokenAccessReview. I think we just need to comment that explains "this code is just extracting values, it is not doing any form of verification".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will update the code to handle the error returned and log it but I think we should return the error to the calling method as it should stop the rest of the code from processing, WDYT ?
I do have a concern that since this is an interceptor, an error causes the request to fail. Perhaps we set grpc.user
to unknown
in the context?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated to include those points.
428ae52
to
c6ecea4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
Looks good to me. If there is an additional +1 or lgtm, I will lift the hold.
Eventually it'd be interesting to customize Zap settings through the config-logging ConfigMap. This would make the log output as well as the process of tweaking it homogeneous with other Tekton components, including the Watcher. |
@alan-ghelardi: changing LGTM is restricted to collaborators In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/lgtm |
/hold cancel Once this PR is rebased, I can merge. |
c6ecea4
to
e5c427c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Re-adding LGTM due to rebase.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/kind feature
We need this label for release as discussed in the last WG call.
Add audit logging to grpc requests using grpc-middleware and zap logger. Addresses #246
Some example request logs are below :
grpc_cli ls
{"grpc.start_time":"2022-12-06T16:15:45Z","system":"grpc","span.kind":"server","grpc.service":"grpc.reflection.v1alpha.ServerReflection","grpc.method":"ServerReflectionInfo","peer.address":"127.0.0.1:40388","grpc.user":"unauthenticated_request","grpc.code":"OK","grpc.time_duration_in_ns":520866}
grpc_cli call
{"grpc.start_time":"2022-12-06T16:16:28Z","system":"grpc","span.kind":"server","grpc.service":"tekton.results.v1alpha2.Results","grpc.method":"ListResults","peer.address":"127.0.0.1:33534","grpc.user":"system:serviceaccount:tekton-pipelines:tekton-results-debug","grpc.issuer":"kubernetes/serviceaccount","grpc.code":"OK","grpc.time_duration_in_ns":6033652} {"grpc.start_time":"2022-12-06T16:16:28Z","system":"grpc","span.kind":"server","grpc.service":"grpc.reflection.v1alpha.ServerReflection","grpc.method":"ServerReflectionInfo","peer.address":"127.0.0.1:33534","grpc.user":"system:serviceaccount:tekton-pipelines:tekton-results-debug","grpc.issuer":"kubernetes/serviceaccount","grpc.code":"OK","grpc.time_duration_in_ns":9241731}