gitlab-shell.log doesn't differentiate between deploy keys and user keys
As part of our increased security monitoring, we have started parsing our on-prem GitLab logs. One of the things we're gathering is the last time a user has accessed the system.
Unfortunately, it appears that gitlab-shell.log associates accesses by deployment keys to the user who created them, even if that user is blocked from accessing GitLab. This makes it impossible to tell the difference between an access from a user key and an access from a deployment key.
time="2019-08-06T16:30:27-04:00" level=info msg="executing git command" command="gitaly-upload-pack unix:/var/opt/gitlab/gitaly/gitaly.socket {\"repository\":{\"storage_name\":\"default\",\"relative_path\":\"MyGroup/MyRepo.git\",\"git_object_directory\":\"\",\"git_alternate_object_directories\":[],\"gl_repository\":\"project-437\",\"gl_project_name\":\"\"},\"gl_repository\":\"project-437\",\"gl_id\":\"key-168\",\"gl_username\":\"myuser\",\"git_config_options\":[],\"git_protocol\":null}" pid=30257 user="user with id key-168"
In the above example, key-168 is not one of myuser's keys, but the access is still logged under their name. I suspect that the user may have created this deployment key prior to leaving the company, which is why this association is happening.
Is this intentional, and if so, would it be possible to add another field to the log output that denotes this event was from a deployment key rather than a user key? Without such a field, it looks like terminated/blocked users are accessing our system, which should be impossible.
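Until the log carries such a field, one workaround is to classify each entry at parse time by looking its key ID up in a separately maintained key inventory. The sketch below is an added example, not part of the original post or GitLab's code. It assumes the number in `gl_id` (`key-168`) is the same ID your inventory uses, and the `DEPLOY_KEY_IDS` and `USER_KEY_IDS` tables and the sample lines are constructed.

```python
import json
import re
import shlex

# Constructed sample lines in the format quoted above (repository fields trimmed).
SAMPLE_LOG = r'''
time="2019-08-06T16:30:27-04:00" level=info msg="executing git command" command="gitaly-upload-pack unix:/var/opt/gitlab/gitaly/gitaly.socket {\"repository\":{\"relative_path\":\"MyGroup/MyRepo.git\"},\"gl_repository\":\"project-437\",\"gl_id\":\"key-168\",\"gl_username\":\"myuser\"}" pid=30257 user="user with id key-168"
time="2019-08-06T16:31:02-04:00" level=info msg="executing git command" command="gitaly-upload-pack unix:/var/opt/gitlab/gitaly/gitaly.socket {\"repository\":{\"relative_path\":\"MyGroup/MyRepo.git\"},\"gl_repository\":\"project-437\",\"gl_id\":\"key-12\",\"gl_username\":\"otheruser\"}" pid=30301 user="user with id key-12"
'''

# Assumed inventory exported from your own GitLab instance (IDs are constructed).
DEPLOY_KEY_IDS = {168}
USER_KEY_IDS = {"myuser": {41}, "otheruser": {12}}

def parse_line(line):
    """Return the logfmt fields of one gitlab-shell.log line as a dict."""
    fields = {}
    for token in shlex.split(line):  # copes with key="value with \" escapes"
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def classify(line):
    """Return (time, username, key_id, kind) for a git command line, else None."""
    fields = parse_line(line)
    command = fields.get("command", "")
    if "{" not in command:
        return None
    payload = json.loads(command[command.index("{"):])  # JSON argument to gitaly
    match = re.fullmatch(r"key-(\d+)", str(payload.get("gl_id", "")))
    if not match:
        return None
    key_id, username = int(match.group(1)), payload.get("gl_username")
    if key_id in DEPLOY_KEY_IDS:
        kind = "deploy_key"   # logged under the creator's name, not a user login
    elif key_id in USER_KEY_IDS.get(username, set()):
        kind = "user_key"
    else:
        kind = "unknown"      # key not in the inventory: worth a closer look
    return fields.get("time"), username, key_id, kind

def classify_log(text):
    """Classify every git command line in a block of log text."""
    return [r for r in map(classify, filter(str.strip, text.splitlines())) if r]

if __name__ == "__main__":
    for row in classify_log(SAMPLE_LOG):
        print(row)
```

Only rows classified as `user_key` should update a user's last-access time; `deploy_key` rows can be reported against the key itself.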