Add audit log stream to stackdriver filter#2970
Conversation
Signed-off-by: davidraskin <draskin@google.com>
Signed-off-by: davidraskin <draskin@google.com>
|
😊 Welcome @davidraskin! This is either your first contribution to the Istio proxy repo, or it's been You can learn more about the Istio working groups, code of conduct, and contributing guidelines Thanks for contributing! Courtesy of your friendly welcome wagon. |
googlebot
added
the
cla: yes
istio-testing
added
needs-rebase
Signed-off-by: davidraskin <draskin@google.com>
istio-testing
removed
the
needs-rebase
istio-testing
added
the
do-not-merge/work-in-progress
istio-testing
removed
the
do-not-merge/work-in-progress
| bool disable_server_access_logging = 1; | ||
|
|
||
| // Optional. Controls whether to export audit log. | ||
| bool enable_server_access_auditting = 10; |
There was a problem hiding this comment.
nit: can we name this audit_server_access ?
extensions/stackdriver/log/logger.cc
Outdated
|
|
||
| // Name of the HTTP server access log. | ||
| constexpr char kServerAccessLogName[] = "server-accesslog-stackdriver"; | ||
| constexpr char kAuditAccessLogName[] = "server-accesslog-stackdriver-audit"; |
There was a problem hiding this comment.
is this naming convention important? does it need to match the historic name for the other access logs, or should we consider calling this server-audit-log (or something else less verbose)?
There was a problem hiding this comment.
I don't think that's important. I just went the simplest route. I'll rename it.
|
This might be a dumb question, but isn't it that request should not proceed until audit log succeed? Looks like the current implementation is still logging at Log callback which happens after request finishes. |
|
The request is not exported if there are no audit log entries added to it. This works the same way as with regular log entries currently. |
extensions/stackdriver/log/logger.cc
Outdated
| log_entries_request_ = | ||
| std::make_unique<google::logging::v2::WriteLogEntriesRequest>(); | ||
|
|
||
| audit_entries_request_ = |
There was a problem hiding this comment.
check this out... I have made it a map: https://github.com/istio/proxy/pull/2955/files#diff-d116ca95f1292dece4d352210d220a13 so would be easier to add many types of entries now...
|
@davidraskin Yeah, but current access log implementation is for telemetry and at best effort. The exporting could have transient failure which would leave some requests not logged. Is this fine for audit log? I thought the assumption of audit log is that every request reaches application must be logged. |
|
@bianpengyuan I see what you're saying. I think it's still important to see the result of the request, and whether it succeeds or fails. But maybe it should fail closed rather than open. |
extensions/stackdriver/log/logger.cc
Outdated
|
|
||
| // Name of the HTTP server access log. | ||
| constexpr char kServerAccessLogName[] = "server-accesslog-stackdriver"; | ||
| constexpr char kAuditAccessLogName[] = "server-accesslog-stackdriver-audit"; |
There was a problem hiding this comment.
Out of curiosity, have you thought about fill in protoPayload in logEntry, which supports google.cloud.audit.AuditLog: https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog. Sound like that is a more standard way to do audit log at Google?
There was a problem hiding this comment.
Yes, the AuditLog payload is used primarily for auditting GCP service calls, it doesn't apply to application logging, afaik.
There was a problem hiding this comment.
@bianpengyuan @davidraskin can you find out if google.cloud.audit.AuditLog cannot be used to audit other services?
There was a problem hiding this comment.
@mandarjog Maybe it can theoretically be used, because I think the only difference is the proto payload, but the Audit Log docs state that it is for GCP API calls. Additionally, configuring the Data Access Audit Logs is done through the Cloud Console, which could be confusing since that wouldn't be the case here.
There was a problem hiding this comment.
Should these logs be actually called audit logs? https://cloud.google.com/logging/docs/audit cloud audit logs looks like are logs for telling who or what accessed a GCP resource... This is more about capturing auth info for application?
There was a problem hiding this comment.
They're still audit logs I think. Just ones at the application level, separate from GCP audit logs. We can call them IstioAudit logs to reduce confusion.
Signed-off-by: davidraskin <draskin@google.com>
Signed-off-by: davidraskin <draskin@google.com>
istio-testing
added
the
needs-rebase
Signed-off-by: davidraskin <draskin@google.com>
Signed-off-by: davidraskin <draskin@google.com>
Signed-off-by: davidraskin <draskin@google.com>
|
/retest |
There was a problem hiding this comment.
Code lgtm, the only comment is about adding more details on audit logging. Also can we make sure that it is ok for audit log happens after request finishes? Sorry for being paranoid here, but I still don't feel this is quite right... @liminw Can you comment on this?
| false /* audit */); | ||
| } | ||
|
|
||
| if (enableAuditLog() && shouldAuditThisRequest()) { |
There was a problem hiding this comment.
need to call ::Wasm::Common::populateExtendedRequestInfo(&request_info); here too?
extensions/stackdriver/log/logger.cc
Outdated
| auto log_entry_type = GetLogEntryType(outbound); | ||
| const ::Wasm::Common::FlatNode& local_node_info, bool outbound, | ||
| bool audit) { | ||
| const LogEntryType log_entry_type = GetLogEntryType(outbound, audit); |
There was a problem hiding this comment.
no need for const with enum
extensions/stackdriver/log/logger.cc
Outdated
| google::logging::v2::LogEntry* log_entry) { | ||
| const ::Wasm::Common::FlatNode& peer_node_info, | ||
| google::logging::v2::LogEntry* log_entry, bool outbound, bool audit) { | ||
| auto& entries_request = |
There was a problem hiding this comment.
this can be const auto& i think...
|
code looks ok, with some minor nits.. can you also add an integration test (https://github.com/istio/proxy/blob/master/test/envoye2e/stackdriver_plugin/stackdriver_test.go) ? |
Peter, you are totally correct. Audit log has strong reliability requirement. This is the first step of enabling configurable audit feature. Going forward, we plan to improve the reliability of audit stream, which requires a separate design. |
|
@liminw Ok, thanks for clarification! Can you elaborate a bit on |
|
@bianpengyuan If request completion is the concern, we can just do the logging in the requestHeaders callback, and fail if there is some issue, and/or have an extra verification step to see that the log is received. |
That would be ideal IMO. thanks! |
I don't think we are close to claim audit feature production ready. As far as I know, Cloud audit team has done a lot of work to improve the reliability of audit stream. We still need to learn from them and design for it. But this can be done incrementally. |
Signed-off-by: davidraskin <draskin@google.com>
istio-testing
added
size/XL
|
/retest |
Signed-off-by: davidraskin <draskin@google.com>
| respCode string | ||
| logEntryCount int | ||
| }{ | ||
| {"StackdriverAudit", "200", 5}, |
There was a problem hiding this comment.
As there is only one testcase, we don't need this?
gargnupur
left a comment
gargnupur
left a comment
There was a problem hiding this comment.
Just have one minor nit.. adding "do-not-merge" for that and approval from @bianpengyuan
Signed-off-by: davidraskin <draskin@google.com>
|
/cherry-pick release-1.7 |
|
@elfinhe: #2970 failed to apply on top of branch "release-1.7": DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@elfinhe: new issue could not be created for failed cherrypick: status code 410 not one of [201], body: {"message":"Issues are disabled for this repo","documentation_url":"https://docs.github.com/v3/issues/"} DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
10 participants
This adds an audit log stream to stackdriver. The goal would be to have requests to be auditted will be filtered through the audit action on Istio Authorization Policy.
See: istio/api#1552, Audit log stream proposal
cc @liminw @gargnupur @kyessenov @mandarjog
This is WIP. It should only be merged after envoyproxy/envoy#11705