[FEATURE/Extension] Audit log entry for OBO token generation #3098

Open
2 tasks
Tracked by #2573
RyanL1997 opened this issue Aug 4, 2023 · 8 comments
Labels
enhancement New feature or request triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@RyanL1997
Collaborator

RyanL1997 commented Aug 4, 2023

Description

After the JwtVendor has generated an OBO token, it's essential that we link the audit log to track its usage, along with any specific information pertaining to this token.

Some of the information that should be traceable:

  • cluster identifier
  • extension/service identifier
  • expiry
  • specific actions that this token is used for

Exit Criteria

  • Enable and Disable of audit logging
  • The log of the generation of the token (including: timestamp and issuance)
@RyanL1997 RyanL1997 added enhancement New feature or request untriaged Require the attention of the repository maintainers and may need to be prioritized labels Aug 4, 2023
@cwperks cwperks added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Aug 7, 2023
@davidlago

We need to better understand what compliance requirements look like around these new use cases.

@davidlago davidlago removed the triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. label Aug 21, 2023
@peternied
Member

Cannot make progress on this item until [1] is resolved

@davidlago

Resolving #3098, but removing triaged label from this issue to signal that requirements are still needed in its description.

@setiah

setiah commented Aug 28, 2023

This seems to be coming from Extensions and not a standalone user request. @dagneyb, please weigh in if you have an opinion from the extensions point of view.
I suggest starting with basic auditing support on token usage. Some ideas below:

  • Auditing events: associated with OBO token usage, such as issuance, validation and revocation (if supported). Log these events with associated metadata like user, IP address and timestamp.
  • Configurable: provide option to enable/disable OBO usage auditing. (default - enabled)
  • Documentation: ensure these changes are captured as part of security documentation.

We can evolve this in future as we get more incremental user feedback around this.
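The traceable fields listed in the description (cluster identifier, extension identifier, expiry, actions the token is used for) and the event set proposed in the comment above (issuance, validation, usage, revocation, each with user, address and timestamp, behind an enable/disable switch), as an added Python sketch that is not part of this issue or of the OpenSearch security plugin's code. It assumes an in-memory sink, the category names OBO_TOKEN_ISSUED / OBO_TOKEN_VALIDATED / OBO_TOKEN_USED / OBO_TOKEN_REVOKED, and the field names shown; the token string and timestamps are constructed. Two design points a reviewer would want: the log stores a SHA-256 fingerprint of the token rather than the token itself, so a leaked audit file does not contain a reusable bearer credential, and each usage event is correlated back to its issuance record so a use after the recorded expiry is flagged.

```python
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def token_fingerprint(token: str) -> str:
    """Short SHA-256 fingerprint of the token.

    The audit log stores this instead of the token, so a leaked log does not hand
    out a usable credential. The same token always maps to the same fingerprint,
    which is what lets usage events be correlated back to the issuance event.
    """
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:16]


@dataclass
class OboAuditLogger:
    """In-memory audit sink for OBO token events (assumed design, not the plugin's).

    `enabled` models the enable/disable switch requested in the issue. Every record
    is a flat dict so it can be written out as one JSON line.
    """

    enabled: bool = True
    records: List[Dict] = field(default_factory=list)

    def _emit(self, category: str, token: str, now: Optional[float], **fields) -> Optional[Dict]:
        if not self.enabled:
            return None  # auditing switched off: nothing is recorded
        record = {
            "audit_category": category,
            "timestamp": int(now if now is not None else time.time()),
            "token_fingerprint": token_fingerprint(token),
        }
        record.update(fields)
        self.records.append(record)
        return record

    def log_issued(self, token, *, cluster_id, extension_id, subject, expiry, remote_address, now=None):
        """Issuance event: which cluster/extension the token was minted for, for whom, until when."""
        return self._emit("OBO_TOKEN_ISSUED", token, now, cluster_id=cluster_id,
                          extension_id=extension_id, subject=subject,
                          expiry=int(expiry), remote_address=remote_address)

    def log_validated(self, token, *, success, remote_address, now=None):
        return self._emit("OBO_TOKEN_VALIDATED", token, now, success=success,
                          remote_address=remote_address)

    def log_used(self, token, *, action, remote_address, now=None):
        """Usage event; `after_expiry` is derived from the matching issuance record."""
        ts = now if now is not None else time.time()
        issued = next((r for r in self.history(token) if r["audit_category"] == "OBO_TOKEN_ISSUED"), None)
        after_expiry = issued is not None and ts > issued["expiry"]
        return self._emit("OBO_TOKEN_USED", token, ts, action=action,
                          remote_address=remote_address, after_expiry=after_expiry)

    def log_revoked(self, token, *, reason, now=None):
        return self._emit("OBO_TOKEN_REVOKED", token, now, reason=reason)

    def history(self, token: str) -> List[Dict]:
        """Every record for one token, in the order it was written."""
        fp = token_fingerprint(token)
        return [r for r in self.records if r["token_fingerprint"] == fp]

    def as_jsonl(self) -> str:
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def demo() -> List[Dict]:
    """Walk one constructed token through issuance, validation, use, and a late use."""
    log = OboAuditLogger(enabled=True)
    token = "constructed.obo.token"  # placeholder string, not a real JWT
    t0 = 1_691_107_200               # 2023-08-04T00:00:00Z, constructed
    log.log_issued(token, cluster_id="cluster-a", extension_id="ext-search", subject="alice",
                   expiry=t0 + 300, remote_address="10.0.0.5", now=t0)
    log.log_validated(token, success=True, remote_address="10.0.0.5", now=t0 + 1)
    log.log_used(token, action="indices:data/read/search", remote_address="10.0.0.5", now=t0 + 2)
    log.log_used(token, action="indices:data/write/index", remote_address="10.0.0.5", now=t0 + 5)
    # a use 100 s past the recorded expiry: still logged, and flagged
    log.log_used(token, action="indices:data/read/search", remote_address="10.0.0.9", now=t0 + 400)
    return log.history(token)


if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec, sort_keys=True))
```

Each record carries the fingerprint, so an analyst can pull the full lifecycle of one token with `history()`; an issuance record with no later validation, or a usage record flagged `after_expiry`, is the kind of anomaly the audit category exists to surface.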

@peternied
Member

peternied commented Aug 29, 2023

@RyanL1997 from what @setiah has added here, I think adding an audit category, and then adding another task for the documentation and what we have above should be all we need. What do you think?

If you think so can you update this issue and the related issues?

@stephen-crawford
Contributor

[Triage] Just following up @RyanL1997. Thank you!

@stephen-crawford
Contributor

[Triage] Hi @RyanL1997, please add information for the exit criteria of this issue and then assign the triaged label.

@RyanL1997
Collaborator Author

Hi @scrawfor99, I just added the exit criteria of this issue.

@stephen-crawford stephen-crawford added the triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. label Oct 10, 2023