Skip to content

[v11] Add usage events for certificate issuance and additional session types (#20662)#21192

Merged
timothyb89 merged 7 commits intobranch/v11from
timothyb89/v11/prehog-cert-events
Feb 14, 2023
Merged

[v11] Add usage events for certificate issuance and additional session types (#20662)#21192
timothyb89 merged 7 commits intobranch/v11from
timothyb89/v11/prehog-cert-events

Conversation

@timothyb89
Copy link
Copy Markdown
Contributor

@timothyb89 timothyb89 commented Feb 3, 2023
edited by espadolini
Loading

Backport of #20662 for branch/v11

  • Add usage events for certificate issuance and additional session types

This adds a new usage event for certificate issuance, emitted whenever a new user certificate is generated. These events include an anonymized username, TTL, and basic info about which requests are present on the certificate (e.g. db/app/k8s requests).

Additionally, this captures additional session event types from the audit log, including database, app, and desktop sessions, and also properly tags k8s exec sessions which were previously grouped together with SSH.

  • Add SessionStartV2 events, add is_bot flag to cert events

  • Drop redundant Event prefix on UsageCertificteIssued event

  • Rename CertificateIssuedEvent -> UserCertificateIssuedEvent

Also includes the v11 backport for #21606

@timothyb89
Add usage events for certificate issuance and additional session types (
fbad328 
#20662)

* Add usage events for certificate issuance and additional session types

This adds a new usage event for certificate issuance, emitted
whenever a new user certificate is generated. These events include
an anonymized username, TTL, and basic info about which requests are
present on the certificate (e.g. db/app/k8s requests).

Additionally, this captures additional session event types from the
audit log, including database, app, and desktop sessions, and also
properly tags k8s exec sessions which were previously grouped
together with SSH.

* Add `SessionStartV2` events, add `is_bot` flag to cert events

* Drop redundant `Event` prefix on `UsageCertificteIssued` event

* Rename `CertificateIssuedEvent` -> `UserCertificateIssuedEvent`
@timothyb89
Copy link
Copy Markdown
Contributor Author

timothyb89 commented Feb 3, 2023
edited
Loading

There's a few backports missing for branch/v11 so some improvisation was needed here (specifically #19564, #20070). There's no js proto changes included here, I'm not sure where they live in this branch following the webassets merge - not that the new event is actually used by the UI.

espadolini
espadolini previously requested changes Feb 3, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@espadolini espadolini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocking until we have the server side running in prod.

@timothyb89 timothyb89 changed the title Add usage events for certificate issuance and additional session types (#20662) [v11] Add usage events for certificate issuance and additional session types (#20662) Feb 6, 2023
@michellescripts
Copy link
Copy Markdown
Contributor

michellescripts commented Feb 9, 2023

I'm needing to backport some more prehog changes. Do we need a prehog prod deployment to unblock this? @espadolini @timothyb89

@timothyb89
Copy link
Copy Markdown
Contributor Author

timothyb89 commented Feb 9, 2023

I'm needing to backport some more prehog changes. Do we need a prehog prod deployment to unblock this? @espadolini @timothyb89

There was some additional talk about holding off due to some possible proto changes in these new events, though IMO we should just update the .proto the regular way given it's already released in v12. Otherwise, yeah, we were (are?) waiting on a new prehog deployment.

What do you think, @espadolini?

@espadolini
Copy link
Copy Markdown
Contributor

espadolini commented Feb 10, 2023

v12 might be released but it's not currently in use; we should tweak the session kind for app session start to distinguish AWS console and TCP app access, and then backport that change together with this, IMO. It should be a Teleport-only change, so we don't need a two step thing.

@espadolini
Copy link
Copy Markdown
Contributor

espadolini commented Feb 10, 2023
edited
Loading

The backport for #21606 should be added to this PR.
edit: added in 685c8f5

@espadolini
Make UsageSessionStart report TCP app access separately (#21606)
685c8f5 
* Make UsageSessionStart more selective and granular for app access

* Allow generic "app" kind for app.session.start

app.session.start is consistently emitted, just not consistently stored

* Avoid singling out aws app access

* Use the same check as app access
@espadolini espadolini marked this pull request as ready for review February 13, 2023 10:42
@github-actions github-actions Bot added audit-log Issues related to Teleports Audit Log backport size/md labels Feb 13, 2023
@espadolini espadolini dismissed their stale review February 13, 2023 10:46

#21606 was included in this backport

@timothyb89 timothyb89 enabled auto-merge (squash) February 13, 2023 16:43
@public-teleport-github-review-bot public-teleport-github-review-bot Bot removed the request for review from jakule February 13, 2023 19:13
@timothyb89 timothyb89 merged commit 8539c68 into branch/v11 Feb 14, 2023
@espadolini espadolini deleted the timothyb89/v11/prehog-cert-events branch March 10, 2023 18:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marcoandredinis marcoandredinis marcoandredinis approved these changes

@espadolini espadolini espadolini approved these changes

@michellescripts michellescripts michellescripts approved these changes

Assignees

No one assigned

Labels

audit-log Issues related to Teleports Audit Log backport size/md

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@timothyb89 @michellescripts @espadolini @marcoandredinis