bcgov
Enhancements to tenant logging
Currently, each log statement generated by a tenant in a multi-tenant instance of ACA-Py is prefixed with the tenant's wallet_id - see here and here.
For Traction, however, we would like to use the tenant_id rather than the wallet_id to identify a tenant: this is because of the desire to move towards not exposing a tenant's root credentials for managed wallets.
We need a custom log handler class that will allow to use tenant_id as log statement identifier.
Is this for traction or aca-py? It sounds like the issue is with log messages that are logged by aca-py, but does aca-py know the tennant_id?
Is this for traction or aca-py? It sounds like the issue is with log messages that are logged by aca-py, but does aca-py know the tennant_id?
This is for Traction, ACA-Py has no knowledge of the tenant_id as it is used internally by the innkeeper plugin.
I’m wondering if this needs to be in the logs. I assume we’ll need a splitter for the logs and that could handle the walletId to tenant_id correspondence. The walletId could be removed from the logs as part of the splitting.
It would be easier to have ACA-Py log the tenant id rather than having to maintain a service with the mapping to reconcile the logs - if I understand correctly what you mean. If the tenant id is already in the logs, we only need a filter to remove any non-relevant information.
My idea would be to make it possible for a service to serve the "sanitized" logs to each tenant (similar to what OpenShift does with pods) rather than have the operations team fish them out, sanitize them and send them back to each tenant who requested it.
Could the logging in ACA-Py be extended to allow a plugin, like traction's innkeeper plugin, to specify (inject) the identifier it wants to use for a tenant's logs rather than hard coding the wallet id as the identifier? Wallet id could be used as the default if nothing else is supplied.
My idea would be to make it possible for a service to serve the "sanitized" logs to each tenant (similar to what OpenShift does with pods) rather than have the operations team fish them out, sanitize them and send them back to each tenant who requested it.
My point is that regardless of what identifier is used, the tenants only ever see their own logs — not anyone other tenant. What was explained the other day was that the log is produced combined and so something needs to split it, and if that is already needed, stripping off the identifier in the same process shouldn’t be an issue. What am I missing? Or worse case, the tenant sees only its own log.
I’m certainly not suggesting we need any manual intervention.
Could the logging in ACA-Py be extended to allow a plugin, like traction's innkeeper plugin, to specify (inject) the identifier it wants to use for a tenant's logs rather than hard coding the wallet id as the identifier? Wallet id could be used as the default if nothing else is supplied.
That's what we need to figure out. If the innkeeper plugin can inject its own log handler implementation then we should be good. I guess this issue needs some investigation to understand what is/isn't possible before choosing a direction.
I’m certainly not suggesting we need any manual intervention.
I misread the comment then, I thought you meant we keep "status-quo" for logs to be served by the ops team when requested.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
