Skip to content

athena audit logs - support athena engine v2#26053

Merged
tobiaszheller merged 1 commit intomasterfrom
tobiaszheller/auditevents-athena-query-athena-engine-v2
May 15, 2023
Merged

athena audit logs - support athena engine v2#26053
tobiaszheller merged 1 commit intomasterfrom
tobiaszheller/auditevents-athena-query-athena-engine-v2

Conversation

@tobiaszheller
Copy link
Copy Markdown
Contributor

@tobiaszheller tobiaszheller commented May 11, 2023

Part of https://github.com/gravitational/teleport.e/issues/894
RFD: https://github.com/gravitational/teleport/blob/master/rfd/0118-scalable-audit-logs.md

Engine v3 cannot be used for now because it has some bug which prevents from querying audit logs via string which contains uuid (like uid or session_id). I am 80% sure that it worked before. There is issue on aws forum from 1 month ago.

Good thing is that there are not many differences that impacts us between v3 and v2. The only one is that v2 does support "?" placeholder only in where part. This PR address it so limit does not use query placeholder but raw value.

@github-actions github-actions Bot added audit-log Issues related to Teleports Audit Log size/sm labels May 11, 2023
@github-actions github-actions Bot requested review from EdwardDowling and jakule May 11, 2023 08:53
@tobiaszheller tobiaszheller requested a review from rosstimothy May 11, 2023 08:53
@tobiaszheller tobiaszheller mentioned this pull request May 11, 2023
Merged
rosstimothy
rosstimothy approved these changes May 12, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@rosstimothy rosstimothy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but a couple questions:

  1. How do we enforce that only Athena v2 is used? Is that a documentation only thing?
  2. Is there anything we can do to detect if someone configured Athena v3 and throw a loud error to let users know the system will not work as configured?
  3. If the Athena v3 bug is fixed do we need to make any changes to support v2 and v3?

@public-teleport-github-review-bot public-teleport-github-review-bot Bot removed the request for review from jakule May 12, 2023 13:14
@tobiaszheller
Copy link
Copy Markdown
Contributor Author

tobiaszheller commented May 12, 2023

  • How do we enforce that only Athena v2 is used? Is that a documentation only thing?

You specify it when configuring workgroup in athena: https://docs.aws.amazon.com/athena/latest/ug/engine-versions-changing.html.

  • Is there anything we can do to detect if someone configured Athena v3 and throw a loud error to let users know the system will not work as configured?

Yes, there is glue API call to check workgroup settings. If it won't be solved in v3 until we release support for self-hosted, I will add that warning.

  • If the Athena v3 bug is fixed do we need to make any changes to support v2 and v3?

No, everything else works without any issues.

@rosstimothy
Copy link
Copy Markdown
Contributor

rosstimothy commented May 12, 2023

Yes, there is glue API call to check workgroup settings. If it won't be solved in v3 until we release support for self-hosted, I will add that warning.

There is nothing preventing a self-hosted customer from using this today though. This lives in OSS and isn't gated by any license or feature flags.

@tobiaszheller
Copy link
Copy Markdown
Contributor Author

tobiaszheller commented May 12, 2023

Yes, there is glue API call to check workgroup settings. If it won't be solved in v3 until we release support for self-hosted, I will add that warning.

There is nothing preventing a self-hosted customer from using this today though. This lives in OSS and isn't gated by any license or feature flags.

It will mean that additional permission athena:GetWorkGroup is needed to teleport beside:

athena:StartQueryExecution
athena:StopQueryExecution
athena:GetQueryResults

do you think it's worth adding it or big indication in documentation is enough?

@rosstimothy
Copy link
Copy Markdown
Contributor

rosstimothy commented May 12, 2023

Yes, there is glue API call to check workgroup settings. If it won't be solved in v3 until we release support for self-hosted, I will add that warning.

There is nothing preventing a self-hosted customer from using this today though. This lives in OSS and isn't gated by any license or feature flags.

It will mean that additional permission athena:GetWorkGroup is needed to teleport beside:

athena:StartQueryExecution
athena:StopQueryExecution
athena:GetQueryResults

do you think it's worth adding it or big indication in documentation is enough?

Documentation only might be fine. I'm more concerned about how we detect if something is misconfigured when someone inevitably ignores or does not read the docs.

@tobiaszheller
Copy link
Copy Markdown
Contributor Author

tobiaszheller commented May 15, 2023

Yes, there is glue API call to check workgroup settings. If it won't be solved in v3 until we release support for self-hosted, I will add that warning.

There is nothing preventing a self-hosted customer from using this today though. This lives in OSS and isn't gated by any license or feature flags.

It will mean that additional permission athena:GetWorkGroup is needed to teleport beside:

athena:StartQueryExecution
athena:StopQueryExecution
athena:GetQueryResults

do you think it's worth adding it or big indication in documentation is enough?

Documentation only might be fine. I'm more concerned about how we detect if something is misconfigured when someone inevitably ignores or does not read the docs.

queries with session_id will fail if someone is using v3 (until AWS fix it). I have added todo on my list to recheck if when adding docs to self hosted. We can then decide if we are adding that check or not. For now I will merge it as it is.

@tobiaszheller tobiaszheller added this pull request to the merge queue May 15, 2023
Merged via the queue into master with commit 74aa720 May 15, 2023
@tobiaszheller tobiaszheller deleted the tobiaszheller/auditevents-athena-query-athena-engine-v2 branch May 15, 2023 08:34
@public-teleport-github-review-bot
Copy link
Copy Markdown

public-teleport-github-review-bot Bot commented May 15, 2023

@tobiaszheller See the table below for backport results.

Branch Result
branch/v13 Create PR

@tobiaszheller tobiaszheller mentioned this pull request May 15, 2023
Merged
@tobiaszheller tobiaszheller mentioned this pull request Jun 28, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rosstimothy rosstimothy rosstimothy approved these changes

+1 more reviewer

@EdwardDowling EdwardDowling EdwardDowling approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

audit-log Issues related to Teleports Audit Log size/sm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tobiaszheller @rosstimothy @EdwardDowling