[VAULT-22480] Add audit fallback device #24583
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Initial commit on adding filter nodes for audit * tests for audit filter * test: longer filter - more conditions * copywrite headers * Check interface for the right type
* Support filter nodes in backend factories and add some tests * More tests and cleanup * Attempt to move control of registration for nodes and pipelines to the audit broker (#24505) * invert control of the pipelines/nodes to the audit broker vs. within each backend * update noop audit test code to implement the pipeliner interface * noop mount path has trailing slash * attempting to make NoopAudit more friendly * NoopAudit uses known salt * Refactor audit.ProcessManual to support filter nodes * HasFiltering * rename the pipeliner * use exported AuditEvent in Filter * Add tests for registering and deregistering backends on the audit broker * Add missing licence header to one file, fix a typo in two tests --------- Co-authored-by: Peter Wilson <[email protected]>
github-actions
bot
added
the
hashicorp-contributed-pr
|
CI Results: |
…lways add to backends when successful
added 6 commits
January 5, 2024 11:20
|
Build Results: |
marcboudreau
suggested changes
Jan 5, 2024
builtin/audit/syslog/backend.go
Outdated
| cfg, err := formatterConfig(conf.Config) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("%s: failed to create formatter config: %w", op, err) | ||
| } | ||
|
|
||
| cfg, err = formatterConfig(conf.Config) |
There was a problem hiding this comment.
Good spot! Checked the history and that's a leftover from updating the branch that I missed (git duplicated the code block above 🤨).
vault/audit_broker.go
Outdated
| return nil | ||
| } | ||
|
|
||
| name = strings.TrimSpace(name) |
There was a problem hiding this comment.
This TrimSpace mutation was already done above.
miagilepner
reviewed
Jan 8, 2024
| @@ -60,6 +62,21 @@ func Factory(_ context.Context, conf *audit.BackendConfig, useEventLogger bool, | |||
| return nil, fmt.Errorf("%s: nil salt view", op) | |||
| } | |||
|
|
|||
| // The config options 'fallback' and 'filter' are mutually exclusive, a fallback | |||
There was a problem hiding this comment.
This same chunk of code and its tests are repeated for each of the audit backends. Can this instead be moved to a shared function?
marcboudreau
approved these changes
Jan 8, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds a fallback device feature to Vault's audit, which includes:
fallbackoption in the API and CLI calls to enable an audit device, which accepts a boolean value and is mutually exclusive with thefilteroption added in [VAULT-22481] Add audit filtering feature #24558.AuditBrokeradding a separateeventlogger.Brokerfor a fallback device.The fallback device is designed to be used in cases when the Vault operator has configured only filtered audit device(s) and wants to have an additional device that will "catch" all of the entries that were filtered out of the other devices. This can be thought of as being similar to a
defaultcase in a Go switch statement.The fallback device is a singleton, in that you can only have one enabled at a time.
For more details see RFC number VLT-291.
No changelog entry as this is a new feature with a changelog added in PR #24558.