
Audit runner registration events

What does this MR do and why?


This MR adds audit logs for runner registrations (instance, group, or project level).

There are a few aspects that require some input from the @gitlab-org/manage/compliance group:

  • The Audit Event Schemas state that an author is required. This is a minor technical hurdle for this MR: runner registrations are normally done through the REST API and require only a runner registration token, so there is no User to assign as the author, and the Author column would normally show An unauthenticated user (removed):

    [screenshot 2021-12-23_at_17.33: Author column showing "An unauthenticated user (removed)"]

    Ideally, we want to show part of the runner registration token in the Author column so that an admin can easily check it against the token in use. To achieve this, I've created a Gitlab::Audit::RunnerRegistrationTokenAuthor class derived from Gitlab::Audit::NullAuthor, which holds the few additional properties required for rendering the URL.
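The shape of the approach described above, as an added illustration that is not GitLab's code: a NullAuthor-style base class, a token-based author that reveals only a prefix of the token and resolves the CI/CD settings link for its scope, and a builder that records failed registrations in the action text. The class names, PREFIX_LEN and all paths are assumptions for this example.

```ruby
# Hypothetical stand-in for a NullAuthor-style base class (not GitLab's own).
class NullAuthor
  attr_reader :id, :name

  def initialize(id:, name:)
    @id = id
    @name = name
  end
end

# Author used when a runner registers with only a registration token:
# shows a prefix of the token (never the whole secret) and knows which
# CI/CD settings page the Author link should point to.
class RunnerRegistrationTokenAuthor < NullAuthor
  PREFIX_LEN = 8 # assumption: how many leading characters are revealed

  attr_reader :scope_type, :scope_path

  def initialize(token:, scope_type:, scope_path: nil)
    @scope_type = scope_type
    @scope_path = scope_path
    super(id: -1, name: "Registration token: #{token[0, PREFIX_LEN]}...")
  end

  # Paths are constructed for this example, not GitLab's real routes.
  def full_path
    case scope_type
    when :instance then "/admin/runners"
    when :group    then "/groups/#{scope_path}/-/settings/ci_cd"
    when :project  then "/#{scope_path}/-/settings/ci_cd"
    end
  end
end

# Build one audit entry per registration attempt; a failure (e.g. the runner
# limit for the scope was hit) is recorded in the action text rather than dropped.
def runner_registration_audit_entry(token:, scope_type:, scope_path: nil, runner_id: nil, error: nil)
  author = RunnerRegistrationTokenAuthor.new(token: token, scope_type: scope_type, scope_path: scope_path)
  action = error ? "Failed to register #{scope_type} CI runner: #{error}" : "Registered #{scope_type} CI runner"
  {
    author_name: author.name,
    author_url: author.full_path,
    action: action,
    target_url: runner_id ? "/admin/runners/#{runner_id}" : nil # constructed details-page path
  }
end
```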

Screenshots or screen recordings


[screenshot 2021-12-23_at_17.41: audit log entries for runner registrations]

How to set up and validate locally


  1. Ensure that you have a Premium license assigned to your GDK instance

  2. Register a GitLab runner against the GDK instance (set TOKEN to the registration token found at http://gdk.localhost:3000/admin/runners):

    gitlab-runner register \
            --non-interactive \
            --executor "shell" \
            --url "http://gdk.localhost:3000/" \
            --description "Instance audit log test runner" \
            --tag-list "shell,gdk,mac,test" \
            --run-untagged="false" \
            --locked="false" \
            --access-level="not_protected" \
            --registration-token="${TOKEN}"

  3. Visit the instance audit page: http://gdk.localhost:3000/admin/audit_logs

Expected results

  • You should see an entry for each runner registered. The same applies to the group audit page for group runners (e.g. http://gdk.localhost:3000/groups/h5bp/-/audit_events) and to the project audit page for project runners.
  • You should be able to click the Author field and be taken to the CI/CD settings page of the respective group/project.
  • The link in the Object field should match the link to the respective runner details page.
  • Any errors (for example, when the runner limit for the given scope is hit) should also appear in the Action column.

Part of #335509 (closed)
