Feature request: log traffic between Vault and token issuer #42
The audit log keeps all the traffic between Vault and its client, but we have no similar log for traffic between Vault and the token issuer. This makes problems very difficult to debug. The majority of traffic exchanged with the token issuer is with the Puppetlabs vault-plugin-secrets-oauthapp, but there is also traffic through the HashiCorp vault-plugin-auth-jwt, and ideally there would be a mechanism for both.

Comments

I'm guessing that we would want to base it on the go-hclog package.

Or possibly it could just go through an https proxy that logs all the traffic.

Not to go digging into your issues @DrDaveD... but what do you think about an external audit capability? Currently audit logs exist at the request level because audits are generated by the Core. However, via I think part of the issue with the latter would be the scope of audit message obfuscation (hmac) -- we'd probably need new mount tunable options to do so. This would also be useful upstream for anyone building a KMIP plugin, as that speaks a binary wire protocol and thus can't go through the Core router, requiring them to listen on another port. So I could see it being generally useful. Just a thought!

That sounds like a great idea to me. I didn't note it here, but I have since that time successfully got a test proxy configuration working using mitmproxy. I think the performance of that would not be sufficient for production use and I was thinking of trying to redo it with nginx or varnish, but a builtin framework option would be much better.
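As an added example (not code from this issue, from Vault or from either plugin), a Go helper in the spirit of the hmac obfuscation discussed in the comments: it renders an outbound request to the token issuer as one log line with the Authorization header and the secret form fields replaced by keyed HMAC-SHA256 values, so issuer traffic can be logged without the log becoming a second copy of the credentials. The function names, the field list, the log format and the key handling are assumptions, and the standard library is used in place of go-hclog.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"io"
	"net/http"
	"net/url"
)

// Token-endpoint form fields that must never reach the log in clear (assumed list).
var secretFields = []string{"client_secret", "code", "refresh_token", "code_verifier"}

// hmacValue hides a secret the way Vault audit devices do: a keyed HMAC-SHA256
// still lets equal values be correlated across log entries without exposing them.
func hmacValue(key []byte, v string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(v))
	return fmt.Sprintf("hmac-sha256:%x", m.Sum(nil))
}

// AuditLine renders one outbound issuer request as a log line, hmac'ing the
// Authorization header and the secret form fields (a non-form body is hmac'd
// whole), and restores req.Body so the request can still be sent afterwards.
func AuditLine(key []byte, req *http.Request) (string, error) {
	body := ""
	if req.Body != nil {
		b, err := io.ReadAll(req.Body)
		if err != nil {
			return "", err
		}
		req.Body = io.NopCloser(bytes.NewReader(b))
		body = string(b)
	}
	if vals, err := url.ParseQuery(body); body != "" && err == nil &&
		req.Header.Get("Content-Type") == "application/x-www-form-urlencoded" {
		for _, k := range secretFields {
			if v := vals.Get(k); v != "" {
				vals.Set(k, hmacValue(key, v))
			}
		}
		body = vals.Encode()
	} else if body != "" {
		body = hmacValue(key, body)
	}
	auth := req.Header.Get("Authorization")
	if auth != "" {
		auth = hmacValue(key, auth)
	}
	return fmt.Sprintf("issuer-req method=%s url=%s authorization=%q body=%q",
		req.Method, req.URL, auth, body), nil
}
```

To hook it into a plugin's HTTP client, call AuditLine from a RoundTripper wrapper before delegating to the real transport.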