Add the cert.create event
#9822
Conversation
espadolini
added
audit-log
|
@espadolini Can you provide an example of what the event looks like, in particular the subject field? |
Updated the PR description. |
espadolini
force-pushed
the
espadolini/event-certsuseremit
branch
from
4db171d to
ac80782
Compare
codingllama
changed the title
certs.user.emit eventuser.cert.create event
|
@espadolini I think we should break up the Subject into fields on the event. Users have to parse it right now and it's going to just get harder as we add support for Windows. Plus, even if we say something like it's comma separated, that will be what users expect forever and we'll be stuck with it even if it doesn't work for us in the future. Also, what do you think about making it |
I did it this way because I intended it to be more for security audit/postmortem situations rather than general event consumption. Should we replicate every field that goes into a
Yeah, that's probably better. |
espadolini
force-pushed
the
espadolini/event-certsuseremit
branch
from
ac80782 to
ff1c1e1
Compare
|
@espadolini Let's change |
espadolini
force-pushed
the
espadolini/event-certsuseremit
branch
from
ff1c1e1 to
1de2ca1
Compare
There was a problem hiding this comment.
@espadolini, please push changes after reviews to new commits, so it's easier to what changed in relation to the last round.
Sorry about that, I tend to just amend commits if they're almost completely rewritten - I'll be more mindful about it in the future. |
No worries. In an ideal world GitHub would be more helpful in showing diffs. Or maybe I'm just bad at GitHub? 🤷 |
|
@espadolini Looks good to me, but make sure you make the webapps changes so this event shows up in the UI. Feel free to merge this into |
For now, this is only emitted for user certificate issuance.
espadolini
force-pushed
the
espadolini/event-certsuseremit
branch
from
c669167 to
bd7f327
Compare
* Add the `cert.create` event For now, this is only emitted for user certificate issuance. * Make `cert_type` a string rather than an enum * Match field names and json tags in events.Identity * Change events.Identity.Traits to be a wrappers.LabelValues/wrappers.Traits * Event code shouldn't be under T10xx anymore
* Add the `cert.create` event For now, this is only emitted for user certificate issuance. * Make `cert_type` a string rather than an enum * Match field names and json tags in events.Identity * Change events.Identity.Traits to be a wrappers.LabelValues/wrappers.Traits * Event code shouldn't be under T10xx anymore
* Add the `cert.create` event For now, this is only emitted for user certificate issuance. * Make `cert_type` a string rather than an enum * Match field names and json tags in events.Identity * Change events.Identity.Traits to be a wrappers.LabelValues/wrappers.Traits * Event code shouldn't be under T10xx anymore
* Add the `cert.create` event For now, this is only emitted for user certificate issuance. * Make `cert_type` a string rather than an enum * Match field names and json tags in events.Identity * Change events.Identity.Traits to be a wrappers.LabelValues/wrappers.Traits * Event code shouldn't be under T10xx anymore
* Add the `cert.create` event For now, this is only emitted for user certificate issuance. * Make `cert_type` a string rather than an enum * Match field names and json tags in events.Identity * Change events.Identity.Traits to be a wrappers.LabelValues/wrappers.Traits * Event code shouldn't be under T10xx anymore
* Add the `cert.create` event For now, this is only emitted for user certificate issuance. * Make `cert_type` a string rather than an enum * Match field names and json tags in events.Identity * Change events.Identity.Traits to be a wrappers.LabelValues/wrappers.Traits * Event code shouldn't be under T10xx anymore
* Add the `cert.create` event For now, this is only emitted for user certificate issuance. * Make `cert_type` a string rather than an enum * Match field names and json tags in events.Identity * Change events.Identity.Traits to be a wrappers.LabelValues/wrappers.Traits * Event code shouldn't be under T10xx anymore
This adds an event that's emitted whenever an auth server issues a certificate (or a set of certificates, like the SSH+TLS pair that is issued to users). The event is only emitted on user cert generation for now.
Sample events:
Local login
{ "ei": 0, "event": "cert.create", "uid": "f41a1615-5147-4a1f-8a29-4f62ab0285d3", "code": "TC000I", "time": "2022-01-21T15:41:59.299Z", "cluster_name": "localtele.example.com", "cert_type": "user", "identity": { "user": "espadolini", "roles": [ "access", "auditor", "editor" ], "logins": [ "espadolini" ], "expires": "2022-01-22T03:41:59.298282Z", "route_to_cluster": "localtele.example.com", "traits": { "logins": [ "espadolini" ] }, "teleport_cluster": "localtele.example.com" } }OIDC login
{ "ei": 0, "event": "cert.create", "uid": "8aa10300-4130-41ba-823f-508af9098688", "code": "TC000I", "time": "2022-01-21T15:32:43.448Z", "cluster_name": "localtele.example.com", "cert_type": "user", "identity": { "user": "[email protected]", "roles": [ "access" ], "logins": [ "-teleport-nologin-c5f6c25c-cb65-456c-bcca-d38c3f6b2cfa" ], "expires": "2022-01-22T21:32:43.439044Z", "route_to_cluster": "localtele.example.com", "traits": { "at_hash": [ "uO_uGk7zRUoNWDZUnWi3gg" ], "aud": [ "289270662827-193i30qgssofegigee0bad0gv6mr26pl.apps.googleusercontent.com" ], "azp": [ "289270662827-193i30qgssofegigee0bad0gv6mr26pl.apps.googleusercontent.com" ], "email": [ "[email protected]" ], "groups": [ "[email protected]", "[email protected]" ], "hd": [ "teleportinfra.dev" ], "iss": [ "https://accounts.google.com" ], "picture": [ "https://lh3.googleusercontent.com/a/default-user=s96-c" ], "sub": [ "101835025516069956467" ] }, "teleport_cluster": "localtele.example.com" } }OIDC login after assuming a role through an access request
{ "ei": 0, "event": "cert.create", "uid": "5867c39c-cbd9-4216-9c74-1e66f2800cf7", "code": "TC000I", "time": "2022-01-21T15:38:06.838Z", "cluster_name": "localtele.example.com", "cert_type": "user", "identity": { "user": "[email protected]", "roles": [ "access", "auditor" ], "logins": [ "-teleport-nologin-ecdf1efb-59c4-4abf-934f-3e1e085a53b9" ], "expires": "2022-01-22T21:37:32.018833Z", "route_to_cluster": "localtele.example.com", "traits": { "at_hash": [ "JuNmTsSRPXl14Jj5Qt7M2A" ], "aud": [ "289270662827-193i30qgssofegigee0bad0gv6mr26pl.apps.googleusercontent.com" ], "azp": [ "289270662827-193i30qgssofegigee0bad0gv6mr26pl.apps.googleusercontent.com" ], "email": [ "[email protected]" ], "groups": [ "[email protected]", "[email protected]" ], "hd": [ "teleportinfra.dev" ], "iss": [ "https://accounts.google.com" ], "picture": [ "https://lh3.googleusercontent.com/a/default-user=s96-c" ], "sub": [ "101835025516069956467" ] }, "teleport_cluster": "localtele.example.com", "access_requests": [ "44aa82d6-d8d3-4b11-85e8-6f548058b86d" ] } }Fixes half of TEL-Q321-7.
Closes #9591.