[Feature Request] Audit log of operations on the Options page

Open yk634 opened this issue 2 years ago • 1 comments

What happened: There is no way to verify who performed the operations on the Options page, such as deleting a pipeline or changing the checkout url.

What you expected to happen: Output the history of operations on the Options page as an audit log, so that the administrator can check which user performed the operation.

yk634, Apr 18 '22 07:04

Proposal

For audit logs, we want to know that they are audit logs and who did what and when.

Log Format

Proposal 1: Add a prefix to the info log

Add a prefix to the info log that indicates an audit log, such as [Audit], and add information about the user who did it. Example:

{"level":"info","message":"[Audit] user foo:github deletes pipeline pipelineId:1234.","timestamp":"2022-07-07T04:12:56.707Z"}

This can be easily implemented by using screwdriver-logger.info().

Proposal 2: Create a custom audit log logger

Since winston can use a custom log format, we implement a custom log for audit logs. Example:

{"level":"audit","message":"user foo:github deletes pipeline pipelineId:1234.","timestamp":"2022-07-07T04:12:56.707Z","user":"foo:github","action":"Delete","resource":"pipeline:1234"}

However, with this approach it may be difficult to maintain compatibility with existing logs.

I prefer to develop with proposal 1 because it is enough to filter audit logs by adding a prefix to the message. If we need additional properties other than the message, we can discuss a custom audit format like proposal 2.

When to output Audit Logs

Audit logs should be output in the following cases.

  • Users Create/Delete pipeline
  • Users Update checkout URL/Source Directory
  • Users Create/Update/Delete Secrets
  • Users Create/Refresh/Delete Pipeline token

kumada626, Jul 08 '22 05:07
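The two log formats proposed in the comment above, as an added example that is not part of the original issue or the Screwdriver code base: it emits both entry shapes and shows how an administrator could pick audit entries out of a mixed log stream. It uses plain Node.js rather than winston or screwdriver-logger; the function names and the sample stream are assumptions made for illustration.

```javascript
// Added example: plain Node.js, no winston or screwdriver-logger dependency.
// auditPrefixed, auditStructured and selectAudit are hypothetical names.

// Proposal 1: ordinary info entry whose message starts with "[Audit] ".
function auditPrefixed(user, verb, resource, now = new Date()) {
  return JSON.stringify({
    level: 'info',
    message: `[Audit] user ${user} ${verb} ${resource}.`,
    timestamp: now.toISOString(),
  });
}

// Proposal 2: dedicated "audit" level with user/action/resource as fields.
function auditStructured(user, action, resource, message, now = new Date()) {
  return JSON.stringify({
    level: 'audit', message, timestamp: now.toISOString(), user, action, resource,
  });
}

// Pick audit entries out of a mixed log stream, for either format.
// The prefix test is anchored with startsWith(): an info message that merely
// contains "[Audit]" later in its text is not treated as an audit entry.
function selectAudit(lines) {
  const out = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch (e) { continue; } // skip non-JSON lines
    if (entry === null || typeof entry !== 'object') continue;
    const prefixed = entry.level === 'info'
      && typeof entry.message === 'string'
      && entry.message.startsWith('[Audit] ');
    if (entry.level === 'audit' || prefixed) out.push(entry);
  }
  return out;
}

// Constructed sample stream (not real Screwdriver output).
const at = new Date('2022-07-07T04:12:56.707Z');
const sampleLines = [
  auditPrefixed('foo:github', 'deletes pipeline', 'pipelineId:1234', at),
  auditStructured('foo:github', 'Delete', 'pipeline:1234',
    'user foo:github deletes pipeline pipelineId:1234.', at),
  JSON.stringify({ level: 'info', message: 'Build 42 started', timestamp: at.toISOString() }),
  JSON.stringify({ level: 'info', message: 'Renamed job to "[Audit] x"', timestamp: at.toISOString() }),
  'plain text line, not JSON',
];

console.log(selectAudit(sampleLines).map((e) => e.message));
```

With proposal 1 the user and resource can only be recovered by parsing the message text, while proposal 2 exposes them as fields that can be queried directly.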