hiera-http icon indicating copy to clipboard operation
hiera-http copied to clipboard

Published 20 hours ago verified publisher icon crayfishx

Implement audit logging

Open quark-zju opened this issue 9 years ago • 3 comments

As with #24, if the HTTP content is controlled by other team, we probably want to log every HTTP responses, for being able to audit them later.

This patch add an option to log all HTTP requests and responses to a specified directory. Inspired by git, responses are gzipped and stored using their SHA1 as filenames. They can be easily handled with zcat, zless, zgrep, etc.

quark-zju avatar May 15 '15 16:05 quark-zju

Shouldn't this be more of a generic Hiera function rather than the job of an individual back end?

crayfishx avatar Jun 03 '15 08:06 crayfishx

No. As previously explained, remote HTTP(s) data (http backend) is controlled by "untrusted" team. Data from other backends are managed by a trusted team. Therefore only remote HTTP(s) responses should be audited.

quark-zju avatar Jun 03 '15 09:06 quark-zju

Im not sure that there are going to be many use cases to make this part of the HTTP back end - and it does seem like people wanting to audit lookups may wish to do so with a variety of backends - have you thought about putting this logic into it's own backend, a pseudo backend called 'audit' that always returns nill - you can then add options to hiera.yaml to define what gets audited - that would seem to solve your issue and also make the functionality available to all users of all backends.

Thoughts?

crayfishx avatar Jun 04 '15 09:06 crayfishx