Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add an audit event for creating provisioning tokens #28769

Merged
merged 10 commits into from
Jul 11, 2023
Merged

Add an audit event for creating provisioning tokens #28769

merged 10 commits into from
Jul 11, 2023

Conversation

bl-nero
Copy link
Contributor

@bl-nero bl-nero commented Jul 6, 2023

This change creates a new event, keeping the old, trusted-cluster-specific one. We should remove the old one after notifying the users and some grace period (I'll file a separate issue for this.)

Related issue: #16359.

Not addressed, will address later: deleting provisioning tokens.

@github-actions github-actions bot added audit-log Issues related to Teleports Audit Log size/md ui labels Jul 6, 2023
@bl-nero bl-nero requested a review from strideynet July 6, 2023 17:29
zmb3
zmb3 approved these changes Jul 6, 2023
View reviewed changes
Copy link
Collaborator

@zmb3 zmb3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, though

We should remove the old one after notifying the users and some grace period (I'll file a separate issue for this.)

We basically never want to remove audit events, because they can still exist in customers' audit logs, and we want to be able to interpret them even if we no longer emit them.

@bl-nero
Copy link
Contributor Author

bl-nero commented Jul 6, 2023

Note to self: looks like I forgot about the other place that emits audit events (lib/auth/auth.go, function GenerateToken). Any suggestion for when exactly this method is called? (It's currently deprecated.)

@zmb3
Copy link
Collaborator

zmb3 commented Jul 6, 2023

Note to self: looks like I forgot about the other place that emits audit events (lib/auth/auth.go, function GenerateToken). Any suggestion for when exactly this method is called? (It's currently deprecated.)

Probably comes from the tctl tokens add and tctl nodes add commands.

@bl-nero
Copy link
Contributor Author

bl-nero commented Jul 7, 2023

We basically never want to remove audit events, because they can still exist in customers' audit logs, and we want to be able to interpret them even if we no longer emit them.

That's a valid point; how about filing an issue to no longer emit them, even if we leave the code that is interpreting these?

@bl-nero
Copy link
Contributor Author

bl-nero commented Jul 7, 2023

Note to self: looks like I forgot about the other place that emits audit events (lib/auth/auth.go, function GenerateToken). Any suggestion for when exactly this method is called? (It's currently deprecated.)

Probably comes from the tctl tokens add and tctl nodes add commands.

Nope, I confirmed: both of these go through the non-deprecated flow.

@zmb3
Copy link
Collaborator

zmb3 commented Jul 7, 2023
edited
Loading

We basically never want to remove audit events, because they can still exist in customers' audit logs, and we want to be able to interpret them even if we no longer emit them.

That's a valid point; how about filing an issue to no longer emit them, even if we leave the code that is interpreting these?

I would just stop emitting them now. If this work closes one old issue that we haven't found the time to get to but opens another, we're back to hoping that some day we will be able to get back to this.

In fact, the best approach is probably:

  • merge this one as-is (emitting both the new and the legacy trusted cluster event)
  • backport this to all supported branches
  • merge a separate PR that eliminates the emitting of the legacy event (do not backport this, one, so the old event only stops being emitted in the newest major version)

bl-nero added 2 commits July 7, 2023 17:31
@bl-nero
Modify the deprecated GenerateToken function
810e0f4 
Also:
* Add some missing tests.
* Add error logging in emitTokenEvent().
* Fix lint errors.
@bl-nero
Merge branch 'master' into bl-nero/audit-events
472248e
@bl-nero
Copy link
Contributor Author

bl-nero commented Jul 7, 2023

@strideynet Ping, as you requested :)

strideynet
strideynet reviewed Jul 10, 2023
View reviewed changes
Copy link
Contributor

@strideynet strideynet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this is nearly there, just had a few thoughts come to mind.

@ibeckermayer
Copy link
Contributor

In fact, the best approach is probably:

  • merge this one as-is (emitting both the new and the legacy trusted cluster event)
  • backport this to all supported branches
  • merge a separate PR that eliminates the emitting of the legacy event (do not backport this, one, so the old event only stops being emitted in the newest major version)

I'm not sure about this, is it not unnecessarily complex to emit two audit events for the same action? What if we just remove the emission of the legacy event here, call it a breaking api change and ship it with the next major release, and not worry about any backports?

@zmb3

@zmb3
Copy link
Collaborator

zmb3 commented Jul 10, 2023

call it a breaking api change and ship it with the next major release, and not worry about any backports?

That's a fine option too. The only thing I'd like to avoid is having a patch release that suddenly stops emitting an event that the previous version did emit.

ibeckermayer
ibeckermayer reviewed Jul 10, 2023
View reviewed changes
ibeckermayer
ibeckermayer reviewed Jul 10, 2023
View reviewed changes
Copy link
Contributor

@ibeckermayer ibeckermayer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there any docs that should be changed to reflect this new event?

@bl-nero
Copy link
Contributor Author

bl-nero commented Jul 11, 2023

Are there any docs that should be changed to reflect this new event?

Good call, there is a reference page; although it's explicitly said it's not exhaustive, I'll add the join_token.create event there.

strideynet
strideynet approved these changes Jul 11, 2023
View reviewed changes
Copy link
Contributor

@strideynet strideynet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few minor changes - this looks great now.

@bl-nero
Copy link
Contributor Author

bl-nero commented Jul 11, 2023

Now that's embarassing. Looks like my "non-brittle" strategy was actually hiding a bug in my code, the Jurassic Park way. After moving the event emitting code to auth_with_roles.go, I forgot to remove it from auth.go, which resulted in the legacy event being emitted twice.

@bl-nero bl-nero added this pull request to the merge queue Jul 11, 2023
Merged via the queue into master with commit 800e79b Jul 11, 2023
@bl-nero bl-nero deleted the bl-nero/audit-events branch July 11, 2023 12:39
@public-teleport-github-review-bot
Copy link

@bl-nero See the table below for backport results.

Branch Result
branch/v11 Failed
branch/v12 Failed
branch/v13 Create PR

@zmb3 zmb3 added the release-notes A reminder label to into the release notes of the Teleport Release. label Jul 11, 2023
@bl-nero bl-nero mentioned this pull request Jul 14, 2023
Merged
@bl-nero
Copy link
Contributor Author

bl-nero commented Jul 14, 2023

@zmb3 @strideynet Unless you protest, I will not to port the change further than v13, since this is when CreateTokenV2 was first introduced, and the solution for previous branches would differ too much. I don't think it's worth the effort.

@strideynet
Copy link
Contributor

@zmb3 @strideynet Unless you protest, I will not to port the change further than v13, since this is when CreateTokenV2 was first introduced, and the solution for previous branches would differ too much. I don't think it's worth the effort.

This seems acceptable to me :)

@bl-nero bl-nero mentioned this pull request Jul 21, 2023
Closed
zmb3 added a commit that referenced this pull request Sep 14, 2023
@zmb3
docs: fix name of join token audit event
320e226 
Makes the docs match the code from #28769
@zmb3 zmb3 mentioned this pull request Sep 14, 2023
Merged
github-merge-queue bot pushed a commit that referenced this pull request Sep 15, 2023
@zmb3
docs: fix name of join token audit event (#31905)
c5c9d48 
Makes the docs match the code from #28769
github-actions bot pushed a commit that referenced this pull request Sep 15, 2023
@zmb3
docs: fix name of join token audit event
3629e69 
Makes the docs match the code from #28769
github-merge-queue bot pushed a commit that referenced this pull request Sep 15, 2023
@zmb3
docs: fix name of join token audit event (#31943)
5572e87 
Makes the docs match the code from #28769
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zmb3 zmb3 zmb3 approved these changes

@ibeckermayer ibeckermayer ibeckermayer left review comments

@strideynet strideynet strideynet approved these changes

@ryanclark ryanclark Awaiting requested review from ryanclark

Assignees
No one assigned
Labels
audit-log Issues related to Teleports Audit Log backport/branch/v13 release-notes A reminder label to into the release notes of the Teleport Release. size/md ui
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@bl-nero @zmb3 @ibeckermayer @strideynet