CBG-4060: Role-based audit filtering #6980

bbrks · 2024-07-18T18:44:25Z

Add GetRoles() to auth.User interface for access to roles (and initialization if nessesary)
Add role filtering logic to shouldLogAuditEventForUserAndRole
Store SG or CB Server roles on LogContext, but only when we have role-based filtering enabled
- Getting the roles for CB Server RBAC users costs one additional HTTP /whoami request per-authed request when we have auditing and CB Server role filtering enabled.
- Getting the roles for SG users is free if they are initialized
Test coverage of role-filtered audit events in TestAuditLoggingFields

Integration Tests

torcolvin

LGTM

base/logger_audit.go

rest/server_context.go

bbrks self-assigned this Jul 18, 2024

torcolvin previously approved these changes Jul 18, 2024

View reviewed changes

base/logger_audit.go Outdated Show resolved Hide resolved

rest/server_context.go Outdated Show resolved Hide resolved

bbrks dismissed torcolvin’s stale review via f5f68f5 July 18, 2024 20:25

bbrks added 7 commits July 22, 2024 14:49

Add code to support role filtering once populated on LogCtx

d99467e

Add (failing) tests for role audit filtering

f8c3675

Make SG role filtering work

0082d20

Rename field to be audit specific

00710bb

Only store roles on LogContext when we need them for audit filtering

734ee52

Duplicate whoami call to fetch for audit role filtering

83c3662

Add test case to cover cross-bucket RBAC role grants for filtering

ee8da48

bbrks force-pushed the CBG-4060 branch from f5f68f5 to ee8da48 Compare July 22, 2024 14:58

bbrks added 2 commits July 22, 2024 16:00

pr feedback

ca64060

tweak needRolesForAudit check

b4cdf94

bbrks removed their assignment Jul 22, 2024

adamcfraser self-assigned this Jul 22, 2024

adamcfraser approved these changes Jul 22, 2024

View reviewed changes

adamcfraser merged commit 8b34228 into main Jul 22, 2024
38 checks passed

adamcfraser deleted the CBG-4060 branch July 22, 2024 16:36