external_cloud_audit: resource by tobiaszheller · Pull Request #32833 · gravitational/teleport

tobiaszheller · 2023-10-02T09:10:44Z

This part adds external_cloud_audit as resource.
You can have only two resources as external cloud audit: draft and cluster. Draft is now mutable, and there is CRUD around it. You will be also to use it for test connection.
To use external audit in cluster, now you need to call PromoteToClusterExternalCloudAudit, which clones existing draft as cluster resource.
They are both of the same kind, only difference is name, which is hardcoded.
Depends on: #33022

Part of: https://github.com/gravitational/cloud/issues/4661
RFD: https://github.com/gravitational/cloud/blob/rfd/77-bring-your-own-bucket/rfd/0077-Bring-your-own-bucket.md

espadolini

What's the plan to enforce that cluster_external_audit must always refer to an existing external_audit?

tobiaszheller · 2023-10-02T13:40:54Z

What's the plan to enforce that cluster_external_audit must always refer to an existing external_audit?

I was planning to have following logic in grpc service:

func SetClusterExternalAudit(name) {
	got, err := storage.GetExternalAudit(ctx, name)
	if err != nil {
		// if external audit must exists before setting it as cluster external audit.
		return trace.Wrap(err)
  	}
  	if err := s.storage.SetClusterExternalAudit(ctx, name); err != nil {
    		return trace.Wrap(err)
  	}
}

func DeleteExternalAudit(name) {
  	got, err := s.storage.GetClusterExternalAudit(ctx)
	if err != nil {
		if !trace.IsNotFound(err) {
			return nil, trace.Wrap(err)
		}
		// Not found happens when we don't have any cluster external audit.
		// In that case we can remove external audit.
	}
	if got.GetName() == req.GetName() {
		return nil, status.Errorf(codes.FailedPrecondition, "cannot delete external audit used in cluster, DeleteClusterExternalAudit first")
	}
	if err := s.storage.DeleteExternalAudit(ctx, req.GetName()); err != nil {
		return nil, trace.Wrap(err)
	}
}

espadolini · 2023-10-02T16:14:57Z

I was planning to have following logic in grpc service:
[cut]

That's vulnerable to race conditions, you can delete the external_audit between storage.GetExternalAudit and storage.SetClusterExternalAudit.

Until we figure out transactional writes, your best bet is to put a backend lock around DeleteExternalAudit and SetClusterExternalAudit (not sure if you need the lock for DeleteClusterExternalAudit).

espadolini · 2023-10-03T08:33:56Z

What's the need for the multiple configuration objects, btw? Just the UX flow we decided on?

We could keep the ExternalCloudAudit objects for ui, checks and testing but then simply copy the entire configuration onto the singleton ClusterExternalCloudAudit item whenever we need to enable it.

tobiaszheller · 2023-10-03T08:43:01Z

What's the need for the multiple configuration objects, btw? Just the UX flow we decided on?

We could keep the ExternalCloudAudit objects for ui, checks and testing but then simply copy the entire configuration onto the singleton ClusterExternalCloudAudit item whenever we need to enable it.

Just to understand you correctly, instead of passing name to ClusterExternalCloudAudit, you want to copy it on enable, and from that time on, they will be separate entities, right?
We could do that (it will allow us to updating ExternalCloudAudit), but there is risk that someone will edit ExternalCloudAudit after it was updated to cluster and changes to cluster won't be propagated, until someone again calls EnableClusterExternalCLoudAudit. And we will probably need new name, because it's no longer enable, more like Promote? although it does not suggest that we will copy it 🤔

tobiaszheller · 2023-10-09T13:07:27Z

i have added new command, because we will extend it also with testConnection

tobiaszheller · 2023-10-09T13:17:35Z

@espadolini based on your comment with cloning new proto was spec was designed: #33022
Right now you can have only two resources as external cloud audit: draft and cluster. Draft is now mutable, and you have CRUD around it. You will be also to use it for test connection.
To use external audit in cluster, now you need to call PromoteToClusterExternalCloudConfig, which clones existing draft as cluster resource.
They are both of the same kind, only difference is name, which is hardcoded.

cc @bl-nero

bl-nero

I'm publishing a part of my comments, because I need to take a break, and then I'll move on to the rest.

tobiaszheller · 2023-10-11T13:14:15Z

@bl-nero a606832 should apply most of your requests

public-teleport-github-review-bot · 2023-10-12T10:47:55Z

@tobiaszheller See the table below for backport results.

Branch	Result
branch/v14	Create PR

* [v14] external cloud audit proto Backport #33022 to branch/v14 * [v14] external_cloud_audit: add resource layer Backport #32833 to branch/v14 * [v14] feat: IAM permissions for BYOBucket Backport #33416 to branch/v14 This commit adds a one-off teleport command that configures the necessary IAM permissions for the upcoming External Cloud Audit (BYOBucket) feature. An example command invocation looks like: ``` $ teleport integration configure externalcloudaudit-iam \ --aws-region us-west-2 --role nic-byob-test --policy nic-byob \ --session-recordings s3://nic-byob/sess-rec-v2 \ --audit-events s3://nic-byob/events --athena-results s3://nic-byob/results \ --athena-workgroup primary --glue-database nic_byob --glue-table nic_byob_table ``` In normal usage this command will be generated for the user so that they can just copy a command from the Web UI and run it in AWS CloudShell. The permissions generated here are based on https://github.com/gravitational/cloud/blob/rfd/77-bring-your-own-bucket/rfd/0077-Bring-your-own-bucket.md, but only include the permissions necessary for using the feature at runtime and not any permissions necessary to bootstrap/create the resources. * [v14] feat: generate randomized ExternalCloudAudit config Backport #33555 to branch/v14 * [v14] BYOB: Bootstrap Athena Infrastructure Backport #33272 to branch/v14 * [v14] feat: cached auto-refreshing AWS credentials for BYOBucket Backport #34380 to branch/v14 This commit implements a "Configurator" for the BYOBucket feature that provides AWS credentials that can be used by the v1 or v2 AWS SDKs for Go. These credentials are generated via an AWS OIDC integration: auth signs a JWT and we swap that with AWS STS for AWS credentials. It also reports whether or not the BYOB feature `IsUsed()` currently, and provides access to the current cluster ExternalCloudAudit spec. This looks a bit weird because of a chicken-egg problem where the audit log must be set up before the auth server can be created, but the auth server must be created to provide the OIDC signing facilities. This will be more clear in following PRs. * [v14] fix: correct IAM policies for BYOB Backport #34484 to branch/v14 This commit fixes the IAM policies generated by the oneoff externalcloudaudit bootstrap command based on manual testing, and brings them more in line with the original RFD https://github.com/gravitational/cloud/blob/master/rfd/0077-Bring-your-own-bucket.md * [v14] feat: enable External Cloud Audit backend Backport #34606 to branch/v14 This commit enables the External Cloud Audit (BYOBucket) feature with a fully functional backend by setting up the Athena and S3 audit components with the right AWS configurations and resource locations. * [v14] Add ExternalCloudAudit permissions to user context ACL Backport #34289 to branch/v14 --------- Co-authored-by: Tobiasz Heller <14020794+tobiaszheller@users.noreply.github.com> Co-authored-by: Logan Davis <38335829+logand22@users.noreply.github.com> Co-authored-by: matheus <matheus.battirola@goteleport.com>

tobiaszheller requested a review from nklaassen October 2, 2023 09:10

github-actions Bot requested review from bl-nero and espadolini October 2, 2023 09:11

github-actions Bot added size/lg tctl tctl - Teleport admin tool labels Oct 2, 2023

tobiaszheller force-pushed the tobiaszheller/byob-resource branch 2 times, most recently from 660727f to c04c4d4 Compare October 2, 2023 10:10

espadolini reviewed Oct 2, 2023

View reviewed changes

Comment thread api/types/externalaudit/externalaudit.go Outdated

Comment thread tool/tctl/common/resource_command.go Outdated

tobiaszheller force-pushed the tobiaszheller/byob-resource branch from c04c4d4 to 8be00ed Compare October 2, 2023 12:11

tobiaszheller marked this pull request as draft October 3, 2023 08:27

tobiaszheller force-pushed the tobiaszheller/byob-resource branch 3 times, most recently from 6c9a543 to 07bb561 Compare October 3, 2023 08:31

tobiaszheller changed the title ~~external_audit resource~~ external_cloud_audit: resource Oct 5, 2023

tobiaszheller mentioned this pull request Oct 5, 2023

external audit proto spec v2 #33022

Merged

tobiaszheller changed the base branch from tobiaszheller/byob-proto to tobiaszheller/byob-protov2 October 9, 2023 13:04

tobiaszheller force-pushed the tobiaszheller/byob-resource branch from 7529ced to 134ca5e Compare October 9, 2023 13:04

tobiaszheller commented Oct 9, 2023

View reviewed changes

tobiaszheller marked this pull request as ready for review October 9, 2023 13:08

github-actions Bot requested review from EdwardDowling and avatus October 9, 2023 13:08

tobiaszheller removed request for EdwardDowling and avatus October 9, 2023 13:09

tobiaszheller force-pushed the tobiaszheller/byob-resource branch 2 times, most recently from a6374f4 to d8a656d Compare October 9, 2023 13:14

tobiaszheller requested a review from espadolini October 9, 2023 13:19

nklaassen approved these changes Oct 11, 2023

View reviewed changes

Comment thread tool/tctl/common/externalcloudaudit_command.go Outdated

Comment thread api/types/externalcloudaudit/externalcloudaudit.go Outdated

tobiaszheller force-pushed the tobiaszheller/byob-protov2 branch 2 times, most recently from 3353e11 to 549ff3f Compare October 11, 2023 08:03

bl-nero reviewed Oct 11, 2023

View reviewed changes

Base automatically changed from tobiaszheller/byob-protov2 to master October 11, 2023 09:23

tobiaszheller force-pushed the tobiaszheller/byob-resource branch 2 times, most recently from cbb3938 to d09cc0c Compare October 11, 2023 10:26

tobiaszheller added the backport/branch/v14 label Oct 11, 2023

tobiaszheller force-pushed the tobiaszheller/byob-resource branch from d09cc0c to 92241f8 Compare October 11, 2023 10:47

bl-nero reviewed Oct 11, 2023

View reviewed changes

tobiaszheller requested a review from bl-nero October 11, 2023 13:14

bl-nero approved these changes Oct 12, 2023

View reviewed changes

external_cloud_audit: add resource layer

b5cd054

tobiaszheller force-pushed the tobiaszheller/byob-resource branch from a606832 to b5cd054 Compare October 12, 2023 09:17

tobiaszheller added this pull request to the merge queue Oct 12, 2023

Merged via the queue into master with commit 8d99cd1 Oct 12, 2023

tobiaszheller deleted the tobiaszheller/byob-resource branch October 12, 2023 10:46

Conversation

tobiaszheller commented Oct 2, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

espadolini left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

tobiaszheller commented Oct 2, 2023

Uh oh!

espadolini commented Oct 2, 2023

Uh oh!

espadolini commented Oct 3, 2023

Uh oh!

tobiaszheller commented Oct 3, 2023

Uh oh!

tobiaszheller Oct 9, 2023

Choose a reason for hiding this comment

Uh oh!

tobiaszheller commented Oct 9, 2023

Uh oh!

Uh oh!

Uh oh!

bl-nero left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

tobiaszheller commented Oct 11, 2023

Uh oh!

public-teleport-github-review-bot Bot commented Oct 12, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

tobiaszheller commented Oct 2, 2023 •

edited

Loading