Project

General

Profile

Actions

Feature #19388

open

Write audit log when new login happens or token is used

Added by Peter Amstutz about 2 months ago. Updated 5 days ago.

Status:
In Progress
Priority:
Normal
Assigned To:
Category:
API
Target version:
Start date:
09/23/2022
Due date:
% Done:

0%

Estimated time:
(Total: 0.00 h)
Story points:
-

Description

The goal is to report which users are actively using the cluster (e.g. Playground).

Proposed logging feature:
  • Add config entry for user activity logging period (default 24h)
  • Whenever a token is issued by the /login endpoint or a token is used in a /collections or /container_requests API request, create a log entry with event_type="activity", object_uuid=user_uuid
  • A given controller process creates no more than one log entry per user per activity logging period

This limits the number of log entries per period to #users x #controllers x #controller restarts.


Subtasks 1 (1 open0 closed)

Task #19446: Review 19388-activity-logsIn ProgressStephen Smith09/23/2022

Actions
Actions #1

Updated by Peter Amstutz about 2 months ago

  • Target version changed from 2022-08-31 sprint to 2022-09-14 sprint
Actions #3

Updated by Peter Amstutz about 1 month ago

  • Assigned To set to Tom Clegg
Actions #4

Updated by Peter Amstutz about 1 month ago

  • Description updated (diff)
  • Subject changed from Write audit log when new login happens to Write audit log when new login happens or token is used
Actions #5

Updated by Peter Amstutz 18 days ago

  • Target version changed from 2022-09-14 sprint to 2022-09-28 sprint
Actions #6

Updated by Tom Clegg 11 days ago

  • Status changed from New to In Progress
  • Description updated (diff)
Actions #7

Updated by Tom Clegg 9 days ago

19388-activity-logs @ edc70abe9c05ff9a4ce90ce4c6c271223142c5e5 -- developer-run-tests: #3306

Whenever a token is issued by the /login endpoint or a token is used in a /collections or /container_requests API request ...

I think the /login part of this isn't really worthwhile. It wouldn't always trigger (e.g., login on a different cluster, or use OIDC token as an Arvados token), and isn't needed to detect interactive usage anyway (if the user hits the login endpoint but doesn't open a workbench page, is that really the kind of activity we're trying to report?).

I did hook group APIs, though -- I expect it's not possible to load any wb2 page without listing [contents of] any projects, so this pretty much guarantees any wb2 activity will be logged.

Actions #8

Updated by Peter Amstutz 5 days ago

  • Target version changed from 2022-09-28 sprint to 2022-10-12 sprint
Actions

Also available in: Atom PDF