athena audit logs - always pass utc to query#26784

Merged
tobiaszheller merged 1 commit into master from tobiaszheller/auditevents-athena-pass-always-UTC
May 24, 2023
@tobiaszheller
Part of https://github.com/gravitational/teleport.e/issues/894
RFD: https://github.com/gravitational/teleport/blob/master/rfd/0118-scalable-audit-logs.md

Query now enforces UTC time because the parquet writer stores files in folders per date, and the date is UTC there. I believe UTC is not enforced in auth and it's up to the client. This way we are sure that the athena querier operates on UTC.

@tobiaszheller tobiaszheller requested a review from rosstimothy May 23, 2023 16:43
@github-actions github-actions Bot added audit-log Issues related to Teleports Audit Log size/sm labels May 23, 2023
@rosstimothy rosstimothy left a comment

How do other backends handle this? Should we consistently use UTC everywhere?

@tobiaszheller
> How do other backends handle this? Should we consistently use UTC everywhere?

TL;DR: no need to change in other backends, each backend handles it by itself.

dynamo is using unix helpers, so UTC:

```go
":start": l.fromUTC.Unix(),
":end": l.toUTC.Unix(),
```

```go
func daysSinceEpoch(timestamp time.Time) int64 {
	return timestamp.Unix() / (60 * 60 * 24)
}
```

Firestore is also using unix helpers:

```go
Where(createdAtDocProperty, ">=", fromUTC.Unix()).
Where(createdAtDocProperty, "<=", toUTC.Unix())
```

And filework works on the time.Time struct, so it's safe:

```go
fd, err := ParseFileTime(fi.Name())
if err != nil {
	l.Warningf("Failed to parse audit log file %q format: %v", fi.Name(), err)
	continue
}
// File rounding in current logs is non-deterministic,
// as Round function used in rotateLog can round up to the lowest
// or the highest period. That's why this has to check both
// periods.
// Previous logic used modification time what was flaky
// as it could be changed by migrations or simply moving files
if fd.After(fromUTC.Add(-1*l.RotationPeriod)) && fd.Before(toUTC.Add(l.RotationPeriod)) {
	eventFile := eventFile{
		FileInfo: fi,
		path:     filepath.Join(dir, fi.Name()),
	}
	filtered = append(filtered, eventFile)
}
```
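
Added example, not part of the PR or of Teleport's code: a simplified Go model of the point made in the PR description and the reply above, showing that per-date folder keys taken from a caller-supplied zone can miss the UTC-dated folder, while `Unix()`-based values are unaffected. `queryDates`, the UTC+9 client zone and the sample timestamps are constructed for illustration; `daysSinceEpoch` is the helper quoted in the reply.

```go
package main

import (
	"fmt"
	"time"
)

// daysSinceEpoch is the helper quoted above for the dynamo backend.
// Unix() counts seconds from the epoch, so the zone on t does not matter.
func daysSinceEpoch(t time.Time) int64 {
	return t.Unix() / (60 * 60 * 24)
}

// queryDates (hypothetical) lists the yyyy-mm-dd folder keys a search over
// [from, to] would read. With normalize=false the calendar dates come from
// whatever zone the caller attached to the timestamps.
func queryDates(from, to time.Time, normalize bool) []string {
	if normalize {
		from, to = from.UTC(), to.UTC()
	}
	y, m, d := from.Date()
	day := time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
	y, m, d = to.Date()
	end := time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
	var keys []string
	for ; !day.After(end); day = day.AddDate(0, 0, 1) {
		keys = append(keys, day.Format("2006-01-02"))
	}
	return keys
}

func main() {
	// Constructed input: a client in a UTC+9 zone asks for "May 24".
	client := time.FixedZone("client", 9*60*60)
	from := time.Date(2023, 5, 24, 0, 0, 0, 0, client)
	to := time.Date(2023, 5, 24, 23, 59, 0, 0, client)
	// Constructed event inside that range, stored under its UTC date.
	event := time.Date(2023, 5, 23, 20, 0, 0, 0, time.UTC)

	fmt.Println("event folder:   ", event.Format("2006-01-02"))
	fmt.Println("as passed:      ", queryDates(from, to, false))
	fmt.Println("converted first:", queryDates(from, to, true))
	fmt.Println("unix-based day index unchanged:",
		daysSinceEpoch(from) == daysSinceEpoch(from.UTC()))
}
```

For an audit search, the unconverted range silently skips the `2023-05-23` folder, so the constructed event never appears in the results even though it falls inside the requested window.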

@public-teleport-github-review-bot public-teleport-github-review-bot Bot removed the request for review from strideynet May 24, 2023 06:52
@tobiaszheller tobiaszheller added this pull request to the merge queue May 24, 2023
Merged via the queue into master with commit f4ad65f May 24, 2023
@tobiaszheller tobiaszheller deleted the tobiaszheller/auditevents-athena-pass-always-UTC branch May 24, 2023 07:42
@public-teleport-github-review-bot
@tobiaszheller See the table below for backport results.

| Branch | Result |
|---|---|
| branch/v13 | Create PR |
