
Hide stack logs from all users except Data.all admin users

Open TejasRGitHub opened this issue 1 year ago • 5 comments

Is your idea related to a problem? Please describe. Stack logs (Environment, Dataset) and also share logs are accessible to some users based on whether they are an owner, business owner, stewards group, etc.

These stack logs help a data.all developer or an admin in debugging any issues, but for other users they do not provide much info. Apart from that, the stack logs also output roles and stack data which might contain sensitive / secret information.

Describe the solution you'd like To better protect information about AWS accounts and roles, it is better to provide a config which lets data.all admins decide if they want data.all users to see these logs.

The config allows data.all admins to only allow data.all admins to view the logs and no one else.


TejasRGitHub avatar Sep 10 '24 17:09 TejasRGitHub

This would be configurable with config like:

{
    "modules": {
        ...,
        "s3_datasets": {
            "active": true,
            "features": {
                ...,
                "show_logs": false
            }
        },
        "s3_datasets_shares": {
            "active": true,
            "features": {
                "show_logs": false
            }
        },
        ...
    },
    "core": {
        "features": {
            "env_aws_actions": false,
            ...,
            "show_logs": false
        }
    }
}

TejasRGitHub avatar Sep 10 '24 19:09 TejasRGitHub

Hi @TejasRGitHub - currently in data.all, DA Admins cannot see all data.all Envs, Datasets, and other resources with IaC Stacks which the Admin team is not a part of, and thus cannot see the logs for these data.all resource stacks as well.

For the above example, when show_logs is set to false, would this feature flag mean that non-Admin teams are no longer able to view logs only, or would it also include additional changes to allow admins to not view data.all resources / logs from the UI?

noah-paige avatar Sep 10 '24 22:09 noah-paige

Hi @noah-paige, in our use case, our admin team is a part of all the teams present in data.all. What we want to achieve is to block non-admin user(s) / group(s) from viewing the logs on the data.all UI.

Thus, show_logs : false would not show logs on the UI to non-Admin users, but it will still show logs to data.all admins.

TejasRGitHub avatar Sep 10 '24 22:09 TejasRGitHub

@TejasRGitHub okay makes sense - to make it more generic I would have 3 options for enabled/disabled/admin-only

but the config change sounds good

noah-paige avatar Sep 13 '24 21:09 noah-paige

That's even better. Thanks @noah-paige. Will make the changes accordingly

TejasRGitHub avatar Sep 13 '24 21:09 TejasRGitHub
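
A sketch of how the three-option flag discussed in this thread (enabled / disabled / admin-only) could be evaluated server-side, added here as an example and not data.all's own code. The function names, the `admin_group` parameter, the string values and the fail-closed default for missing or unrecognised values are assumptions; the boolean `false` is mapped to admin-only, as described in the thread.

```python
import json
from enum import Enum

# Constructed sample config, following the shape proposed in the issue.
SAMPLE_CONFIG = json.loads("""
{
  "modules": {
    "s3_datasets": {"active": true, "features": {"show_logs": "admin-only"}},
    "s3_datasets_shares": {"active": true, "features": {"show_logs": false}}
  },
  "core": {"features": {"env_aws_actions": false, "show_logs": "enabled"}}
}
""")


class LogVisibility(Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"
    ADMIN_ONLY = "admin-only"


def resolve_visibility(config, module=None):
    """Read show_logs for a module, or for core when module is None."""
    section = config.get("modules", {}).get(module, {}) if module else config.get("core", {})
    raw = section.get("features", {}).get("show_logs")
    if raw is True:
        return LogVisibility.ENABLED
    if raw is False:
        # Boolean form from the issue: false hides logs from non-admins only.
        return LogVisibility.ADMIN_ONLY
    try:
        return LogVisibility(raw)
    except ValueError:
        # Assumption: a missing or misspelled value fails closed to admin-only.
        return LogVisibility.ADMIN_ONLY


def can_view_logs(config, user_groups, admin_group, module=None):
    """Flag gate for the log resolver; existing resource permissions still apply."""
    mode = resolve_visibility(config, module)
    if mode is LogVisibility.ENABLED:
        return True
    if mode is LogVisibility.DISABLED:
        return False
    return admin_group in user_groups
```

The check belongs in the backend that returns the logs: hiding the button in the UI alone would leave the role and stack data retrievable through the API.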