CBG-4047: User and role audit events #6962

Merged
merged 7 commits into from
Jul 17, 2024

Contributor

@gregns1 gregns1 commented Jul 12, 2024

CBG-4047

  • Adds create, update, view and delete audit events for roles and users
{"cid":"#003","local":{"ip":"192.0.2.1","port":"4984"},"remote":{"port":"12345","ip":"203.0.113.1"},"role":"gregRole","admin_channels":{"testScope":{"testColl":["myRoleChan"]}},"name":"Create role","real_userid":{"domain":"placeholder","user":"placeholder"},"timestamp":"2024-07-12T13:29:45.349383+01:00","db":"db1","id":54110,"description":"A new role was created"}
{"username":"couchbase","roles":["gregRole"],"channels":{"testScope":{"testColl":["couchbase"]}},"name":"Create user","description":"A new user was created","remote":{"ip":"203.0.113.1","port":"12345"},"db":"db1","id":54100,"cid":"#004","real_userid":{"user":"placeholder","domain":"placeholder"},"local":{"ip":"192.0.2.1","port":"4984"},"timestamp":"2024-07-12T13:30:23.034203+01:00"}
{"id":54112,"name":"Update role","local":{"ip":"192.0.2.1","port":"4984"},"cid":"#005","real_userid":{"domain":"placeholder","user":"placeholder"},"remote":{"ip":"203.0.113.1","port":"12345"},"timestamp":"2024-07-12T13:31:07.04933+01:00","role":"gregRole","admin_channels":{"testScope":{"testColl":["myRoleChan","second"]}},"db":"db1","description":"Role was updated"}
{"roles":["gregRole"],"channels":{"testScope":{"testColl":["couchbase","newChan"]}},"db":"db1","name":"Update user","remote":{"ip":"203.0.113.1","port":"12345"},"username":"couchbase","id":54102,"description":"User was updated","cid":"#006","real_userid":{"domain":"placeholder","user":"placeholder"},"local":{"ip":"192.0.2.1","port":"4984"},"timestamp":"2024-07-12T13:31:29.058749+01:00"}
{"db":"db1","username":"couchbase","id":54101,"description":"Information about this user was viewed","cid":"#007","remote":{"ip":"203.0.113.1","port":"12345"},"timestamp":"2024-07-12T13:31:47.075951+01:00","name":"Read user","real_userid":{"domain":"placeholder","user":"placeholder"},"local":{"ip":"192.0.2.1","port":"4984"}}
{"remote":{"port":"12345","ip":"203.0.113.1"},"db":"db1","role":"gregRole","id":54111,"cid":"#008","local":{"ip":"192.0.2.1","port":"4984"},"name":"Read role","description":"Information about this role was viewed","real_userid":{"domain":"placeholder","user":"placeholder"},"timestamp":"2024-07-12T13:32:03.685454+01:00"}
{"description":"User was deleted","cid":"#009","real_userid":{"domain":"placeholder","user":"placeholder"},"local":{"ip":"192.0.2.1","port":"4984"},"remote":{"ip":"203.0.113.1","port":"12345"},"username":"couchbase","id":54103,"name":"Delete user","timestamp":"2024-07-12T13:32:23.838458+01:00","db":"db1"}
{"timestamp":"2024-07-12T13:32:35.884324+01:00","db":"db1","description":"Role was deleted","local":{"ip":"192.0.2.1","port":"4984"},"remote":{"ip":"203.0.113.1","port":"12345"},"real_userid":{"domain":"placeholder","user":"placeholder"},"role":"gregRole","id":54113,"name":"Delete role","cid":"#010"}

Pre-review checklist

  • Removed debug logging (fmt.Print, log.Print, ...)
  • Logging sensitive data? Make sure it's tagged (e.g. base.UD(docID), base.MD(dbName))
  • Updated relevant information in the API specifications (such as endpoint descriptions, schemas, ...) in docs/api

Integration Tests
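
An added example, not code from this PR or from the project: one way a log consumer could use the create and update events in the description to report channels newly granted to a user or role. The function name, the key format of the result and the trimmed sample input are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const sampleLog = `{"id":54110,"db":"db1","role":"gregRole","admin_channels":{"testScope":{"testColl":["myRoleChan"]}}}
{"id":54100,"db":"db1","username":"couchbase","channels":{"testScope":{"testColl":["couchbase"]}}}
{"id":54112,"db":"db1","role":"gregRole","admin_channels":{"testScope":{"testColl":["myRoleChan","second"]}}}
{"id":54102,"db":"db1","username":"couchbase","channels":{"testScope":{"testColl":["couchbase","newChan"]}}}` // constructed: the events above, trimmed

// grantedChannels reports each channel an update event adds over the principal's previous event.
func grantedChannels(log string) map[string]bool {
	prev, out := map[string]map[string]bool{}, map[string]bool{}
	for _, line := range strings.Split(log, "\n") {
		var ev struct {
			ID                 int // untagged fields match the JSON keys case-insensitively
			DB, Username, Role string
			Channels           map[string]map[string][]string // scope -> collection -> channels
			AdminChannels      map[string]map[string][]string `json:"admin_channels"`
		}
		err := json.Unmarshal([]byte(line), &ev)
		create, update := ev.ID == 54100 || ev.ID == 54110, ev.ID == 54102 || ev.ID == 54112
		if err != nil || !(create || update) {
			continue // not JSON, or a read/delete event, which carries no channel list
		}
		key, acc := ev.DB+"/user:"+ev.Username, ev.Channels
		if ev.Role != "" {
			key, acc = ev.DB+"/role:"+ev.Role, ev.AdminChannels
		}
		old, cur := prev[key], map[string]bool{}
		for scope, colls := range acc {
			for coll, chans := range colls {
				for _, ch := range chans {
					name := scope + "." + coll + "." + ch
					if update && old != nil && !old[name] {
						out[key+" +"+name] = true // key format is this example's own
					}
					cur[name] = true
				}
			}
		}
		prev[key] = cur
	}
	return out
}

func main() { fmt.Println(grantedChannels(sampleLog)) }
```

An update event seen without an earlier create or update for the same principal only sets the baseline and reports nothing.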

Collaborator

@adamcfraser adamcfraser left a comment

Looks good, just a suggestion to avoid multiple iterations when building a slice of channels from a timed set.

if user != nil {
base.Audit(h.ctx(), base.AuditIDUserUpdate, base.AuditFields{
"username": internalName,
"roles": user.ExplicitRoles().AsSet().ToArray(),
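
Review bot: the "username" and "roles" values in this base.AuditFields literal are passed as plain values, while the pre-review checklist on this PR asks for sensitive data in logs to be tagged (base.UD, base.MD). A short comment here or on base.Audit saying that audit fields are intentionally written untagged would settle whether that checklist item applies to audit events.
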
Collaborator

ExplicitRoles().AllKeys() can be used here to avoid going TimedSet->Slice->Set->Slice.

h.writeStatus(http.StatusCreated, "Created")
}
return nil
}

func getAuditEventAccess(db *db.Database, princ auth.Principal) map[string]map[string][]string {
auditEventAccess := make(map[string]map[string][]string)
collectionAccess := make(map[string][]string)
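
Review bot: in the getAuditEventAccess signature the parameter db shadows the db package it takes its type from (db *db.Database), so nothing else from that package can be referenced inside the body; renaming the parameter avoids that. The function also has no doc comment: the return type map[string]map[string][]string does not say what the two string keys are (the sample events in the description suggest scope, then collection), and stating that in a comment would help callers.
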
Collaborator

This can be moved inside the db.OnlyDefaultCollection() check.

auth/auth.go Outdated
for scopeName, scope := range collAccess {
explicitChans := make(map[string][]string)
for collectionName, collection := range scope {
explicitChans[collectionName] = collection.ExplicitChannels().AsSet().ToArray()
Collaborator

Same comment as elsewhere about ExplicitChannels().AllKeys().

@adamcfraser adamcfraser assigned gregns1 and unassigned adamcfraser Jul 16, 2024
@adamcfraser adamcfraser merged commit dd354e1 into main Jul 17, 2024
34 checks passed
@adamcfraser adamcfraser deleted the CBG-4047 branch July 17, 2024 14:24