Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ODRC: Set up foundation for logging/audit trails #16

Closed
7 tasks done
Tracked by #1
sergei-maertens opened this issue Sep 3, 2024 · 12 comments · Fixed by #71, #74, #89, #93 or #94
Closed
7 tasks done
Tracked by #1

ODRC: Set up foundation for logging/audit trails #16

sergei-maertens opened this issue Sep 3, 2024 · 12 comments · Fixed by #71, #74, #89, #93 or #94
Milestone
Plateau 0 (MVP)

Comments

@sergei-maertens
Copy link
Contributor

sergei-maertens commented Sep 3, 2024
edited
Loading

Als informatiebeveiliger / beheerder wil ik dat wijzigingen gelogd worden, zodat ik later kan reconstrueren wie wanneer wat heeft gedaan met de gegevens (bijvoorbeeld omdat er iets niet klopt).

** Description (why)**

Acceptance criteria (what)

  • De creatie, mutatie of verwijdering van een data-object wordt gelogd (m.u.v. de log-records zelf)
  • Optioneel: de raadpleging van een data-object wordt gelogd. Graag laten weten of dit wordt meegenomen!
  • Uit de logging blijkt:
    • welke handeling is uitgevoerd,
    • op welke data-objecten de handeling is uitgevoerd,
    • welke gebruiker de handeling heeft uitgevoerd,
    • wanneer (datum en tijd) de handeling is uitgevoerd,
    • op welke wijze de handeling is uitgevoerd (welk component sprak de API aan?)
    • met welk resultaat (gelukt/mislukt, liefst met meer info, zoals wat gewijzigd is).
  • De logging is niet muteerbaar.
  • De documentatie is bijgewerkt (Read the Docs)
  • Een grafisch datamodel van de database is beschikbaar / bijgewerkt (op GitHub of Read the Docs of elders)

Specific details (how)

Test plan

Tasks

  • Add django-timeline-logger dependency
  • Set up admin integration for django-timeline-logger so that log records can only be read, even for superusers (proxy model)
  • Set up admin-index configuration to put the audit trail in the "Logging" category in admin-index
  • Add a logging package/module that wraps the ORM actions
  • Each log record needs at minimum:
    • User identifier (taken from API call request headers, and/or django admin overrides). These will contain users that don't exist in accounts.User!
    • User representation/display name, e.g. the name / initials + last name
    • Reference to the object that was acted upon (use the GFK)
    • Type of action, this may be taken from audit trail request headers. E.g. create, update, publish, unpublish/retract
    • Any additional metadata relevant to the action being logged
  • Ensure that log records can be searched in the admin, based on user (ID + representation), date hierarchy, type of action
  • API endpoints must support (and require!) custom request headers for audit trails: Audit-User-Representation, Audit-User-ID, Audit-Remarks. ODPC/ODBP are responsible for populating these.
@sergei-maertens sergei-maertens mentioned this issue Sep 3, 2024
Closed
4 tasks
@sergei-maertens sergei-maertens changed the title Add django-timeline-logger for audit logging - set up the modal, integrate in admin and prepare a odrc.logging package for utilities. Take a look at Open Forms for the setup. ODRC: Set up foundation for logging/audit trails Sep 3, 2024
@RutgerICATT RutgerICATT added this to the ODRC: Basis milestone Sep 3, 2024
@MarcoKlerks MarcoKlerks moved this to Backlog in GPP-Woo Sep 12, 2024
@MarcoKlerks MarcoKlerks mentioned this issue Sep 3, 2024
Closed
11 tasks
@MarcoKlerks
Copy link
Contributor

@sergei-maertens Ik heb hier net zoals bij #2 ook alvast acceptatie-criteria toegevoegd, omdat deze story randvoorwaardelijk is voor die story.

Ik vermoed dat mijn criteria verschillen van jullie standaard-oplossing. Laat even weten wat de verschillen zijn, dan kan ik daar wat van vinden (= schrappen of aparte story van maken).

Ik wil nog een aparte story maken om de logging in de beheerinterface te tonen.

@sergei-maertens
Copy link
Contributor Author

@MarcoKlerks is het ook voldoende als de logs/audit trails via de beheeromgeving van de registratiecomponent inzichtelijk (en te exporteren zijn) ipv deze ook via de API te onsluiten? Dat is namelijk een stuk minder werk :)

@MarcoKlerks
Copy link
Contributor

MarcoKlerks commented Sep 16, 2024
edited
Loading

@sergei-maertens
Voor nu, ja. API erbij kan altijd nog.
Ik pas de AC aan.

@MarcoKlerks MarcoKlerks moved this from Backlog to Refinement in GPP-Woo Sep 16, 2024
This was referenced Sep 18, 2024
Closed
Closed
Closed
@sergei-maertens sergei-maertens mentioned this issue Oct 9, 2024
Closed
2 tasks
sergei-maertens added a commit that referenced this issue Oct 9, 2024
@sergei-maertens
➕ [#16] Add django-timeline-logger package
0438ab5
sergei-maertens added a commit that referenced this issue Oct 9, 2024
@sergei-maertens
✨ [#16] Set up proxy model and admin integration for audit logs
f1584cc 
* Added proxy model, which enforces that an event and acting user is
  specified in the metadata of the log record. This is not 100% idiot
  proof since bulk update queries etc. and direct timeline-logger
  usage allows circumventing these. Ideally we'd have some database
  constraints, but those can't be specified through a proxy model.
* Added a custom admin integration for the proxy model:
  - block writing to log records entirely, even for superusers
  - process the event/acting_user structured data to display it as nice
    columns
  - allow searching on the user details in the admin log page
* Added a custom default message template that can leverage the
  metadata constraints that are enforced.
@sergei-maertens sergei-maertens mentioned this issue Oct 9, 2024
Merged
1 task
@sergei-maertens sergei-maertens moved this from Refinement to In progress in GPP-Woo Oct 9, 2024
sergei-maertens added a commit that referenced this issue Oct 9, 2024
@sergei-maertens
🍱 [#16] Update admin index fixture
2eec227
sergei-maertens added a commit that referenced this issue Oct 9, 2024
@sergei-maertens
➕ [#16] Add django-timeline-logger package
32ba9ba
sergei-maertens added a commit that referenced this issue Oct 9, 2024
@sergei-maertens
✨ [#16] Set up proxy model and admin integration for audit logs
57efe37 
* Added proxy model, which enforces that an event and acting user is
  specified in the metadata of the log record. This is not 100% idiot
  proof since bulk update queries etc. and direct timeline-logger
  usage allows circumventing these. Ideally we'd have some database
  constraints, but those can't be specified through a proxy model.
* Added a custom admin integration for the proxy model:
  - block writing to log records entirely, even for superusers
  - process the event/acting_user structured data to display it as nice
    columns
  - allow searching on the user details in the admin log page
* Added a custom default message template that can leverage the
  metadata constraints that are enforced.
sergei-maertens added a commit that referenced this issue Oct 9, 2024
@sergei-maertens
🍱 [#16] Update admin index fixture
407c0ea
sergei-maertens added a commit that referenced this issue Oct 9, 2024
@sergei-maertens
✨ [#16] Set up proxy model and admin integration for audit logs
147fc1d 
* Added proxy model, which enforces that an event and acting user is
  specified in the metadata of the log record. This is not 100% idiot
  proof since bulk update queries etc. and direct timeline-logger
  usage allows circumventing these. Ideally we'd have some database
  constraints, but those can't be specified through a proxy model.
* Added a custom admin integration for the proxy model:
  - block writing to log records entirely, even for superusers
  - process the event/acting_user structured data to display it as nice
    columns
  - allow searching on the user details in the admin log page
* Added a custom default message template that can leverage the
  metadata constraints that are enforced.
sergei-maertens added a commit that referenced this issue Oct 9, 2024
@sergei-maertens
🍱 [#16] Update admin index fixture
29fadef
sergei-maertens added a commit that referenced this issue Oct 9, 2024
@sergei-maertens
✅ [#16] Add tests for the model/admin base setup
3ee603b 
Ensure that the base assumptions and functionality work as expected.
sergei-maertens added a commit that referenced this issue Oct 10, 2024
@sergei-maertens
✨ [#16] Set up proxy model and admin integration for audit logs
8e72dd4 
* Added proxy model, which enforces that an event and acting user is
  specified in the metadata of the log record. This is not 100% idiot
  proof since bulk update queries etc. and direct timeline-logger
  usage allows circumventing these. Ideally we'd have some database
  constraints, but those can't be specified through a proxy model.
* Added a custom admin integration for the proxy model:
  - block writing to log records entirely, even for superusers
  - process the event/acting_user structured data to display it as nice
    columns
  - allow searching on the user details in the admin log page
* Added a custom default message template that can leverage the
  metadata constraints that are enforced.
sergei-maertens added a commit that referenced this issue Oct 10, 2024
@sergei-maertens
🍱 [#16] Update admin index fixture
86cdf44
@github-project-automation github-project-automation bot moved this from In progress to Done in GPP-Woo Oct 23, 2024
@github-project-automation github-project-automation bot moved this from Done to In progress in GPP-Woo Oct 23, 2024
@sergei-maertens sergei-maertens moved this from In progress to Testing in GPP-Woo Oct 23, 2024
@sergei-maertens
Copy link
Contributor Author

@MarcoKlerks feedback processed and deployed, you can re-test!

@MarcoKlerks
Copy link
Contributor

Testresultaten:

  • Bij o.a. publicaties en documenten is een knop "Show logs" toegevoegd. deze toont alle log-regels.
  • Bij de logging kan nu ook gezocht worden in de titel
  • In de logging is een kolom "Kind" toegevoegd die laat zien of het data-object een publicatie, of een document, of een gebruiker, of een ... is.

Top!

@github-project-automation github-project-automation bot moved this from Testing to Done in GPP-Woo Oct 23, 2024
@MarcoKlerks MarcoKlerks moved this from Done to Testing in GPP-Woo Oct 23, 2024
@MarcoKlerks
Copy link
Contributor

Helaas, ik heb nog een issue gevonden...

Als ik in de beheer-interface een publicatie raadpleeg, dan staan daar (terecht) de documenten bij. Rechtsboven ieder document staat een vinkje 'verwijderen'. Als ik dat aanvink en opsla, dan wordt het document inderdaad verwijderd. Deze verwijdering wordt echter niet gelogd. Wel wordt er een mutatie van de publicatie gelogd.

Óf deze wijze van verwijderen wordt ook gelogd óf het vinkje wordt weggehaald.

@MarcoKlerks MarcoKlerks reopened this Oct 23, 2024
@github-project-automation github-project-automation bot moved this from Testing to In progress in GPP-Woo Oct 23, 2024
@MarcoKlerks MarcoKlerks moved this from In progress to In review in GPP-Woo Oct 23, 2024
@MarcoKlerks MarcoKlerks removed their assignment Oct 24, 2024
bart-maykin added a commit that referenced this issue Oct 25, 2024
@bart-maykin
✨ [#16] added inline admin deletion audit logs
f60d4af
@bart-maykin bart-maykin mentioned this issue Oct 25, 2024
Merged
@github-project-automation github-project-automation bot moved this from In review to Done in GPP-Woo Oct 25, 2024
@github-project-automation github-project-automation bot moved this from Done to In progress in GPP-Woo Oct 25, 2024
@sergei-maertens sergei-maertens moved this from In progress to In review in GPP-Woo Oct 25, 2024
@github-project-automation github-project-automation bot moved this from Testing to Done in GPP-Woo Nov 1, 2024
@MarcoKlerks MarcoKlerks removed their assignment Dec 16, 2024
@MarcoKlerks MarcoKlerks added this to the Plateau 0 (MVP) milestone Dec 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
GPP-Woo
Status: Done
Milestone
Plateau 0 (MVP)
4 participants
@sergei-maertens @MarcoKlerks @bart-maykin @RutgerICATT