Write audit log when new login happens or token is used
The goal is to report which users are actively using the cluster (e.g. Playground).Proposed logging feature:
- Add config entry for user activity logging period (default 24h)
- Whenever a token is issued by the /login endpoint or a token is used in a /collections or /container_requests API request, create a log entry with event_type="activity", object_uuid=user_uuid
- A given controller process creates no more than one log entry per user per activity logging period
This limits the number of log entries per period to #users x #controllers x #controller restarts.
Whenever a token is issued by the /login endpoint or a token is used in a /collections or /container_requests API request ...
I think the /login part of this isn't really worthwhile. It wouldn't always trigger (e.g., login on a different cluster, or use OIDC token as an Arvados token), and isn't needed to detect interactive usage anyway (if the user hits the login endpoint but doesn't open a workbench page, is that really the kind of activity we're trying to report?).
I did hook group APIs, though -- I expect it's not possible to load any wb2 page without listing [contents of] any projects, so this pretty much guarantees any wb2 activity will be logged.