You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@airavata.apache.org by "Marcus Christie (Jira)" <ji...@apache.org> on 2021/01/27 00:05:00 UTC

[jira] [Updated] (AIRAVATA-3404) Add audit log to API

     [ https://issues.apache.org/jira/browse/AIRAVATA-3404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marcus Christie updated AIRAVATA-3404:
--------------------------------------
    Description: 
Log the user, timestamp, the id and the object of the update for gateway metadata API operations.

The motivation is to be able to determine who made what change when, in the case of a gateway configuration (group resource profile, credential, etc.) changes by some user with admin privileges.

## Design
- only applies to app catalog create-update-delete methods
- use annotation to decorate API methods that should have audit logging
- annotation should have parameter to specific with argument is the id of the object
- annotation should have parameter to specific with argument is the object that is being updated
- like `@SecurityCheck`, annotation will assume first argument is AuthzToken and will use that to get the username and gatewayId 
- annotation aspect code should run after `@SecurityCheck`
- use the slf4j logging API to log to a special "audit log"
- log the username, gatewayId, method name, id, and JSON of the object being created/updated
- log also whether the API method threw an Exception or returned without error
  - if the API method threw an Exception, then the update may or may not have persisted

  was:
Log the user, timestamp, the id and the object of the update for gateway metadata API operations.

The motivation is to be able to determine who made what change when, in the case of a gateway configuration (group resource profile, credential, etc.) changes by some user with admin privileges.


> Add audit log to API
> --------------------
>
>                 Key: AIRAVATA-3404
>                 URL: https://issues.apache.org/jira/browse/AIRAVATA-3404
>             Project: Airavata
>          Issue Type: Bug
>          Components: Airavata API
>            Reporter: Marcus Christie
>            Assignee: Marcus Christie
>            Priority: Major
>
> Log the user, timestamp, the id and the object of the update for gateway metadata API operations.
> The motivation is to be able to determine who made what change when, in the case of a gateway configuration (group resource profile, credential, etc.) changes by some user with admin privileges.
> ## Design
> - only applies to app catalog create-update-delete methods
> - use annotation to decorate API methods that should have audit logging
> - annotation should have parameter to specific with argument is the id of the object
> - annotation should have parameter to specific with argument is the object that is being updated
> - like `@SecurityCheck`, annotation will assume first argument is AuthzToken and will use that to get the username and gatewayId 
> - annotation aspect code should run after `@SecurityCheck`
> - use the slf4j logging API to log to a special "audit log"
> - log the username, gatewayId, method name, id, and JSON of the object being created/updated
> - log also whether the API method threw an Exception or returned without error
>   - if the API method threw an Exception, then the update may or may not have persisted



--
This message was sent by Atlassian Jira
(v8.3.4#803005)