Auditing changes to key/value in etcd #5019

Closed
niraj8241 opened this issue Apr 8, 2016 · 13 comments

Comments

@niraj8241

All,

Well, this is a feature request more than an issue. What I am looking for here in etcd is a capability to track changes to keys/values. When I say track a change, I mean which user changed it last.

For example:

User "X" changed a key/value, and admin/root wants to audit who made that change.

I feel this is useful when you have 1000+ servers managed by etcd, serving content to all, and someone makes a change and breaks the entire fleet of servers. How can someone track this down?

It would be great to have such a feature associated with etcd.

Regards
Niraj

@philips
Contributor

philips commented Apr 8, 2016

Do you want this data to be stored inside of etcd or would a proxy that logs this information be sufficient?

@xiang90 xiang90 added this to the unplanned milestone Apr 8, 2016
@niraj8241
Author

It would be great if it is within etcd.

@xiang90
Contributor

xiang90 commented Apr 8, 2016

@niraj8241 Any reason that it has to live inside etcd? Or what benefits do you see in putting this inside etcd instead of a proxy? (We will probably build the proxy as part of the etcd project.)

@niraj8241
Author

Well @xiang90, there is no specific reason for it. What I was thinking of is something like this: when you query the API, it should display a field like lastmodifiedby. If it can be within the proxy, that would be fine.

@xiang90
Contributor

xiang90 commented Apr 8, 2016

@niraj8241 OK. Now I understand your use case better. I could imagine doing this in the proxy layer by adding another layer to store the last modification info into etcd itself again. We will think about this more once we start the proxy for v3. Thanks for the suggestion.
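
The proxy-layer approach discussed in the comments above, shown as an added example; it is not code from this thread or from the etcd project. A Python dict stands in for etcd, and `AuditingProxy`, the `/_audit` prefix and the `revision` and `time` fields are assumptions; `lastmodifiedby` is the field name suggested in the thread.

```python
import json
import time

AUDIT_PREFIX = "/_audit"  # assumed reserved prefix for audit records


class AuditingProxy:
    """Hypothetical proxy in front of a key/value store (a dict stands in for etcd)."""

    def __init__(self, store=None, clock=time.time):
        self.store = {} if store is None else store
        self.clock = clock

    def put(self, user, key, value):
        """Write value and record who wrote it; user must come from the proxy's own auth."""
        if not user:
            raise PermissionError("a write without an authenticated user cannot be audited")
        if not key.startswith("/"):
            raise ValueError("keys are expected to start with '/'")
        # Clients must never write audit records themselves, or the trail can be forged.
        if key == AUDIT_PREFIX or key.startswith(AUDIT_PREFIX + "/"):
            raise PermissionError("the audit prefix is reserved for the proxy")
        prev = self.store.get(AUDIT_PREFIX + key)
        revision = json.loads(prev)["revision"] + 1 if prev else 1
        record = {"lastmodifiedby": user, "revision": revision, "time": self.clock()}
        # Against etcd v3 both writes belong in one transaction so that the
        # value and its audit record cannot diverge.
        self.store[key] = value
        self.store[AUDIT_PREFIX + key] = json.dumps(record, sort_keys=True)
        return record

    def get(self, key):
        """Return the value together with its audit metadata (None if never written)."""
        meta = self.store.get(AUDIT_PREFIX + key)
        return {"value": self.store.get(key),
                "audit": json.loads(meta) if meta else None}
```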

This was referenced Aug 17, 2016
@akshaysuryawanshi

@xiang90 Any updates on this feature?

@akauppi
Contributor

akauppi commented Apr 6, 2017

@akshaysuryawanshi @niraj8241 I've recently collected requirements for the audit use case and have plans to implement it this spring. It would tie etcd (v3), Typesafe config and streams (websockets) together. Kind of a proxy above etcd v3 (could be any other key/value store). I think the use case is easily a bit deeper than what @niraj8241 is asking, but would like to hear your needs. Reach me at akauppi@gmail.com or Twitter: @AskoKauppi?

@raoofm
Contributor

raoofm commented Apr 7, 2017

👍

@abashev

abashev commented May 2, 2017

👍

@roffe

roffe commented Sep 18, 2017

@akauppi Any progress in this? =)

@akauppi
Contributor

akauppi commented Dec 4, 2017

@roffe You can reach me at the above-mentioned contact - have you tried?

I only now realized the original request was about storing etcd change info itself. What I'm looking for, and it is progressing, is a general key/value store on top of etcd-v3 or similar that supports full audit trails, but also much more. It won't be the solution for @niraj8241 so I don't think more discussion here is in place about it.

@jpbetz
Contributor

jpbetz commented Feb 8, 2018

cc @jpbetz, @wenjiaswe

@jingyih
Contributor

jingyih commented Sep 29, 2018

I am new to this thread, trying to catch up. Does #9990 fix this issue? When the --debug flag is enabled, all incoming requests to the etcd server will be logged. Logged information includes remote client IP and port, which can be used to track who modified a certain key most recently.
