Feature #19388

closed

Write audit log when new login happens or token is used

Added by Peter Amstutz over 2 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: API
Target version:
Story points: -
Release relationship: Auto

Description

The goal is to report which users are actively using the cluster (e.g. Playground).

Proposed logging feature:
  • Add config entry for user activity logging period (default 24h)
  • Whenever a token is issued by the /login endpoint or a token is used in a /collections or /container_requests API request, create a log entry with event_type="activity", object_uuid=user_uuid
  • A given controller process creates no more than one log entry per user per activity logging period

This limits the number of log entries per period to #users x #controllers x #controller restarts.
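The throttle in the proposal above, sketched in Go as an added example (not Arvados code and not part of the original issue). The type and function names, the in-memory log sink and the bare path-prefix matching are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
	"time"
)

// ActivityLogger (hypothetical name) writes at most one "activity" entry per
// user per Period. State is in memory, so every process or restart starts empty.
type ActivityLogger struct {
	Period time.Duration // activity logging period (proposal default: 24h)
	mtx    sync.Mutex
	last   map[string]time.Time // user UUID -> time the last entry was written
	Sink   []map[string]string  // stands in for the logs table
}

// tracked reports whether path is one the proposal counts as activity.
func tracked(path string) bool {
	for _, p := range []string{"/login", "/collections", "/container_requests"} {
		if path == p || strings.HasPrefix(path, p+"/") {
			return true
		}
	}
	return false
}

// Observe reports whether this request caused a new log entry to be written.
func (a *ActivityLogger) Observe(userUUID, path string, now time.Time) bool {
	if userUUID == "" || !tracked(path) {
		return false
	}
	a.mtx.Lock()
	defer a.mtx.Unlock()
	if t, ok := a.last[userUUID]; ok && now.Sub(t) < a.Period {
		return false // this process already logged the user within the period
	}
	if a.last == nil {
		a.last = map[string]time.Time{}
	}
	a.last[userUUID] = now
	a.Sink = append(a.Sink, map[string]string{"event_type": "activity", "object_uuid": userUUID})
	return true
}

func main() {
	a, t0 := &ActivityLogger{Period: 24 * time.Hour}, time.Now() // constructed sample calls
	fmt.Println(a.Observe("user-1", "/collections", t0), a.Observe("user-1", "/collections/x", t0.Add(time.Hour)))
}
```

Because the map lives in process memory, a second controller or a restarted one logs the same user again within the period, which is where the #users x #controllers x #controller restarts bound comes from.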


Subtasks 1 (0 open, 1 closed)

Task #19446: Review 19388-activity-logs | Resolved | Stephen Smith | 09/23/2022

#1

Updated by Peter Amstutz over 2 years ago

  • Target version changed from 2022-08-31 sprint to 2022-09-14 sprint
#3

Updated by Peter Amstutz about 2 years ago

  • Assigned To set to Tom Clegg
#4

Updated by Peter Amstutz about 2 years ago

  • Description updated (diff)
  • Subject changed from Write audit log when new login happens to Write audit log when new login happens or token is used
#5

Updated by Peter Amstutz about 2 years ago

  • Target version changed from 2022-09-14 sprint to 2022-09-28 sprint
#6

Updated by Tom Clegg about 2 years ago

  • Status changed from New to In Progress
  • Description updated (diff)
#7

Updated by Tom Clegg about 2 years ago

19388-activity-logs @ edc70abe9c05ff9a4ce90ce4c6c271223142c5e5 -- developer-run-tests: #3306

Whenever a token is issued by the /login endpoint or a token is used in a /collections or /container_requests API request ...

I think the /login part of this isn't really worthwhile. It wouldn't always trigger (e.g., login on a different cluster, or use OIDC token as an Arvados token), and isn't needed to detect interactive usage anyway (if the user hits the login endpoint but doesn't open a workbench page, is that really the kind of activity we're trying to report?).

I did hook group APIs, though -- I expect it's not possible to load any wb2 page without listing [contents of] any projects, so this pretty much guarantees any wb2 activity will be logged.

#8

Updated by Peter Amstutz about 2 years ago

  • Target version changed from 2022-09-28 sprint to 2022-10-12 sprint
#9

Updated by Stephen Smith about 2 years ago

Lgtm!

#10

Updated by Tom Clegg about 2 years ago

  • Status changed from In Progress to Resolved
#11

Updated by Peter Amstutz almost 2 years ago

  • Release set to 47