[Rails] OpenBao HTTP Audit Log Collection for Streaming
Why are we doing this work
We need to build a feature that lets GitLab instance administrators, group owners and project maintainers see the important audit events related to the Secrets Manager. OpenBao has its own internal audit system, but there is currently no way for a GitLab user to get at that information. This issue covers getting the audit data from OpenBao into Rails and surfacing it to users through GitLab's existing audit events.
Relevant Links
- ADR
- ADR issue with discussions
- Define new audit events in GitLab
- https://docs.gitlab.com/user/compliance/audit_event_schema/
- https://docs.gitlab.com/administration/compliance/audit_event_streaming/
- OpenBao MR
- OpenBao issue
- OpenBao Charts MR
- GitLab Charts MR
- Omnibus MR
Non-functional requirements
Documentation: -
Performance: -
Testing:
Implementation plan (WIP)
- TO DO: how do we silently drop requests when the internal API cannot keep up with the volume of requests coming from OpenBao?
- Work with the infra team to add a shared application secret between Rails and OpenBao (see Slack thread)
- Configure the OpenBao HTTP audit device to send the new header carrying that secret
Rails MR covering the following changes:
- Add a new internal API endpoint that OpenBao calls with the audit event JSON
- Define audit events for all action types
- Add logic to map the audit event JSON payload onto those audit events and log them
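The following is an added example of the three Rails pieces above in plain Ruby (it is not code from the Rails MR or from OpenBao). It assumes the shared secret arrives in a header named `X-Gitlab-Openbao-Audit-Secret`, that the audit body is newline-delimited JSON in the Vault-style entry layout OpenBao inherits (`type`, `time`, `auth`, `request`, `response`, `error`), and it makes up the audit event names; all of those are assumptions, and the sample payload is constructed for the example.

```ruby
require 'json'
require 'digest'

# Assumed header name and audit event names; the real ones are defined in
# the Rails MR, not here.
OPENBAO_AUDIT_HEADER = 'X-Gitlab-Openbao-Audit-Secret'.freeze
EVENT_NAMES = {
  'read'   => 'secrets_manager_secret_read',
  'list'   => 'secrets_manager_secrets_listed',
  'create' => 'secrets_manager_secret_created',
  'update' => 'secrets_manager_secret_updated',
  'patch'  => 'secrets_manager_secret_updated',
  'delete' => 'secrets_manager_secret_deleted'
}.freeze

# Constant-time comparison: hash both values to a fixed length first, then
# OR together every byte difference so the loop never exits early. A plain
# == would leak, through timing, how many leading bytes of the secret match.
def secure_equal?(presented, expected)
  a = Digest::SHA256.digest(presented.to_s).bytes
  b = Digest::SHA256.digest(expected.to_s).bytes
  a.zip(b).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def authorized?(headers, expected_secret)
  presented = headers[OPENBAO_AUDIT_HEADER]
  return false if presented.nil? || expected_secret.nil? || expected_secret.empty?

  secure_equal?(presented, expected_secret)
end

# Map one OpenBao audit entry onto the fields a GitLab audit event needs.
# Only "response" entries are mapped: OpenBao writes one entry when a request
# arrives and one when it completes, and the latter carries the outcome
# (including "permission denied", which is itself worth auditing).
# Secret material (request/response data, tokens) is deliberately never copied.
def map_audit_entry(entry)
  return nil unless entry['type'] == 'response'

  request = entry.fetch('request', {})
  auth = entry.fetch('auth', {})
  event_name = EVENT_NAMES[request['operation']]
  return nil if event_name.nil? || request['path'].nil?

  {
    event_name: event_name,
    author: auth['display_name'] || auth['entity_id'] || 'unknown',
    entity_id: auth['entity_id'],
    target: request['path'],
    ip_address: request['remote_address'],
    created_at: entry['time'],
    details: {
      operation: request['operation'],
      mount_type: request['mount_type'],
      namespace: request.dig('namespace', 'path'),
      error: entry['error'].to_s.empty? ? nil : entry['error']
    }.compact
  }
end

# Stand-in for the internal endpoint: rejects callers without the shared
# secret, otherwise parses the newline-delimited body and returns the mapped
# events. A line that is not valid JSON is dropped on its own so one bad
# entry cannot block the rest of the batch.
def handle_audit_request(headers, body, expected_secret)
  return [401, []] unless authorized?(headers, expected_secret)

  events = body.each_line.filter_map do |line|
    line = line.strip
    next if line.empty?

    map_audit_entry(JSON.parse(line))
  rescue JSON::ParserError
    nil
  end

  [200, events]
end

# Constructed sample: a request/response pair for a read, a denied delete,
# and one malformed line. The response data value is already HMAC'd by the
# audit device, but the mapper must not forward it regardless.
SAMPLE_SECRET = 'example-shared-secret'.freeze
SAMPLE_BODY = <<~NDJSON
  {"type":"request","time":"2025-01-15T10:00:00.000000Z","auth":{"display_name":"gitlab-project-42","entity_id":"ent-1"},"request":{"id":"r1","operation":"read","path":"secret/data/project-42/DB_PASSWORD","remote_address":"10.0.0.5","mount_type":"kv"}}
  {"type":"response","time":"2025-01-15T10:00:00.000100Z","auth":{"display_name":"gitlab-project-42","entity_id":"ent-1"},"request":{"id":"r1","operation":"read","path":"secret/data/project-42/DB_PASSWORD","remote_address":"10.0.0.5","mount_type":"kv"},"response":{"data":{"data":"hmac-sha256:0123abcd"}},"error":""}
  {"type":"response","time":"2025-01-15T10:00:01.000000Z","auth":{"display_name":"gitlab-project-42","entity_id":"ent-1"},"request":{"id":"r2","operation":"delete","path":"secret/data/project-42/OLD_KEY","remote_address":"10.0.0.5","mount_type":"kv"},"error":"permission denied"}
  not json at all
NDJSON

if __FILE__ == $PROGRAM_NAME
  status, events = handle_audit_request({ OPENBAO_AUDIT_HEADER => SAMPLE_SECRET }, SAMPLE_BODY, SAMPLE_SECRET)
  puts status
  events.each { |event| puts JSON.generate(event) }
end
```

Running the file prints `200` followed by two events: the successful read and the denied delete, with the HMAC'd response data left out of both. A request with a missing or wrong header gets `401` and nothing is logged, which is the check that keeps an unauthenticated caller from injecting fake audit events into the GitLab audit log.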
Verification steps (To be added)
Edited by Jayakrishnan Mallissery