Audit logs for Group Level Secrets
Why this MR?
- To solve this issue
- We need to implement audit logs for Group secret operations for compliance reasons
What does this MR do?
- Add audit event type definitions for group secret operations
- Add logic to parse and log group secret events
- Add unit tests
References
Screenshots
| Group Audit Logs |
|---|
| (screenshot of the group audit log entries) |
How to set up and validate locally
- Testing this locally is tricky, as we do not yet have a UI for Group Secret CRUD operations
- Pull this branch's changes locally
- Use these docs as a reference to configure OpenBao to send audit events as HTTP requests to the Rails API
- Create, read and delete group secrets from the Rails console. For example, to create one (wrapped in a fixed correlation ID so the resulting audit event is easy to find):

```ruby
user = User.find_by(username: 'your_username')
group = Group.find_by(path: 'your_group_path')

# Fix the correlation ID so the audit event emitted by OpenBao can be matched
# back to this console request.
Labkit::Correlation::CorrelationId.use_id("test_correlation_id") do
  result = SecretsManagement::GroupSecrets::CreateService.new(group, user).execute(
    name: 'TEST_AUDIT_SECRET',
    value: 'test_secret_value',
    environment: '*',
    protected: false,
    description: 'Test secret for audit log verification'
  )
  puts "Create result: #{result.success? ? 'SUCCESS' : result.message}"
end
```
- Testing the read event in a CI pipeline is a bit trickier. Follow the steps in !216840 (merged) to trigger the read event.
- Find the log line for the read event in `~/path_to_your_gdk/gdk/log/openbao/audit-raw.log`, then go to the Rails console and execute:

```ruby
# raw_audit_log_json_copied_as_string is the single JSON line copied from audit-raw.log
audit_log = SecretsManagement::AuditLog.new(raw_audit_log_json_copied_as_string)
audit_log.log!
```
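As an added, stand-alone illustration of the parse-and-classify step that the validation procedure above exercises (this is example code written for this description, not the `SecretsManagement::AuditLog` implementation in the MR), the snippet below reads OpenBao-style raw audit log lines and turns completed group-secret operations into audit event types. The log lines are constructed, and the secrets mount path `secrets/group_<id>/<name>`, the event type names and the field layout are assumptions for illustration only; the real paths and event names are defined by the MR and GitLab's OpenBao configuration.

```ruby
require 'json'

# Constructed sample lines in the shape of a Vault/OpenBao raw audit log:
# one JSON object per line with "type" (request or response) and a "request"
# hash carrying "operation" and "path". The mount path, request ids and
# timestamps are invented for this example.
SAMPLE_AUDIT_RAW_LOG = <<~LOG
  {"type":"request","time":"2024-01-01T00:00:00Z","request":{"id":"r1","operation":"create","path":"secrets/group_42/TEST_AUDIT_SECRET"}}
  {"type":"response","time":"2024-01-01T00:00:01Z","request":{"id":"r1","operation":"create","path":"secrets/group_42/TEST_AUDIT_SECRET"},"response":{"data":{"value":"hmac-sha256:abc"}}}
  {"type":"response","time":"2024-01-01T00:00:02Z","request":{"id":"r2","operation":"read","path":"secrets/group_42/TEST_AUDIT_SECRET"},"response":{"data":{"value":"hmac-sha256:abc"}}}
  {"type":"response","time":"2024-01-01T00:00:03Z","request":{"id":"r3","operation":"update","path":"sys/internal/ui/mounts"}}
  {"type":"response","time":"2024-01-01T00:00:04Z","request":{"id":"r4","operation":"delete","path":"secrets/group_42/TEST_AUDIT_SECRET"}}
  not valid json
LOG

# Assumed layout of the group secrets mount; not the real GitLab path.
GROUP_SECRET_PATH = %r{\Asecrets/group_(?<group_id>\d+)/(?<secret_name>[^/]+)\z}

# Assumed event type names for the three operations this MR audits.
EVENT_TYPES = {
  'create' => 'group_secret_created',
  'read'   => 'group_secret_read',
  'delete' => 'group_secret_deleted'
}.freeze

# Returns one {event_type:, group_id:, secret_name:, request_id:} hash per
# completed group-secret operation. Only "response" entries are used, since the
# request phase does not prove the operation succeeded; entries for other
# paths or operations and malformed lines are skipped. The response body is
# deliberately never copied into the event, so no secret material (even the
# HMAC'd value) ends up in the audit record.
def group_secret_audit_events(raw_log)
  raw_log.each_line.filter_map do |line|
    entry = begin
      JSON.parse(line)
    rescue JSON::ParserError
      next
    end
    next unless entry['type'] == 'response'

    request = entry['request'] || {}
    match = GROUP_SECRET_PATH.match(request['path'].to_s)
    event_type = EVENT_TYPES[request['operation']]
    next unless match && event_type

    {
      event_type: event_type,
      group_id: match[:group_id].to_i,
      secret_name: match[:secret_name],
      request_id: request['id']
    }
  end
end

if $PROGRAM_NAME == __FILE__
  group_secret_audit_events(SAMPLE_AUDIT_RAW_LOG).each { |event| puts event.inspect }
end
```

Running it against the sample yields a created, a read and a deleted event for group 42, and drops the request-phase duplicate, the unrelated `sys/` entry and the broken line. When checking the real `audit-raw.log`, the same two caveats apply: match on the response entry rather than the request entry so a denied or failed call is not recorded as a completed operation, and carry only operation, path and identifiers into the GitLab audit event, never the response data.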
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Jayakrishnan Mallissery
