Adding name field to google cloud logging audit destinations
What does this MR do and why?
This MR adds a new `name` attribute to the GraphQL APIs for Google Cloud Logging configurations, which stream audit events to Google Cloud Logging.
The following changes are made in this MR:
- Added the `name` attribute to creation, update and listing of `googleCloudLoggingConfigurations` for a group.
- Modified auditing for the update API so that no audit events are sent when none of the attributes actually change.
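To make the two behaviours above concrete, here is an added model written for this page (it is not GitLab's implementation) of how a configuration created without a name gets a `Destination_<uuid>` default, and how an update produces one audit event per column whose value actually changed and no event at all for a no-op update. The dataclass, the `update_with_audit` helper, the event shape (`column`/`from`/`to`) and the redaction of `private_key` values inside events are assumptions of this example, not something the MR text specifies.

```python
import re
import uuid
from dataclasses import dataclass, fields, replace

# Columns whose values must never be copied into an audit event payload.
# Assumption of this example: the MR only says one event per updated column.
SECRET_COLUMNS = frozenset({"private_key"})
# Shape of the default name observed in the validation steps: "Destination_<uuid4>".
DEFAULT_NAME_RE = re.compile(
    r"^Destination_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


@dataclass(frozen=True)
class GoogleCloudLoggingConfiguration:
    google_project_id_name: str
    client_email: str
    private_key: str
    log_id_name: str
    name: str


def default_name() -> str:
    """Generated name used when the caller supplies none (hypothetical helper)."""
    return f"Destination_{uuid.uuid4()}"


def create_configuration(google_project_id_name, client_email, private_key,
                         log_id_name, name=None):
    """Create a configuration; a missing or blank name falls back to the default."""
    effective_name = (name or "").strip() or default_name()
    return GoogleCloudLoggingConfiguration(
        google_project_id_name, client_email, private_key, log_id_name, effective_name)


def update_with_audit(current, changes):
    """Apply `changes` and return (updated_config, audit_events).

    One event is emitted per column whose value really changed. Sending the same
    values again is a no-op and yields an empty event list, which is the behaviour
    this MR introduces for the update API.
    """
    known = {f.name for f in fields(GoogleCloudLoggingConfiguration)}
    unknown = set(changes) - known
    if unknown:
        raise ValueError(f"unknown attribute(s): {sorted(unknown)}")

    updated = current
    events = []
    for column, new_value in changes.items():
        old_value = getattr(current, column)
        if old_value == new_value:
            continue  # unchanged column: nothing to audit
        updated = replace(updated, **{column: new_value})
        if column in SECRET_COLUMNS:
            # Record that the secret rotated without leaking either value into the audit log.
            events.append({"column": column, "from": "[REDACTED]", "to": "[REDACTED]"})
        else:
            events.append({"column": column, "from": old_value, "to": new_value})
    return updated, events
```

The redaction branch is the practitioner caveat worth keeping in mind when the real update API emits per-column events: an audit stream that carries old and new `privateKey` values would turn every key rotation into a credential leak to the HTTP destination.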
How to set up and validate locally
1. You need a group with an `Ultimate` license and Owner access to that group.
2. Add a custom HTTP destination for the group by following the instructions at https://docs.gitlab.com/ee/administration/audit_event_streaming/#add-a-new-http-destination. This lets you check whether the audit events are being streamed as expected.
3. Follow the instructions at https://docs.gitlab.com/ee/administration/audit_event_streaming/#add-a-new-google-cloud-logging-destination and add two Google Cloud Logging configurations for the group. Dummy values are fine for these destinations; real credentials are not needed (the query in step 5 returns `privateKey`, so avoid pasting real keys into the explorer).
4. Log in as the group admin and open the GraphQL explorer at https://gitlab.localdev:3000/-/graphql-explorer to run the GraphQL queries and mutations.
5. In the GraphQL explorer, run the following query to list all Google Cloud Logging configurations for the group. For these destinations the `name` field will look like `Destination_b1428ecf-021a-4154-86b2-38b1db107599`: no name was provided in the UI, so this is the default generated name with a random ID.

   ```graphql
   query {
     group(fullPath: "<group_full_path>") {
       id
       googleCloudLoggingConfigurations {
         nodes {
           id
           logIdName
           googleProjectIdName
           privateKey
           clientEmail
           name
         }
       }
     }
   }
   ```

6. Now create a new destination with the following mutation, this time providing a destination name:

   ```graphql
   mutation {
     googleCloudLoggingConfigurationCreate(
       input: {
         name: "destination with name",
         groupPath: "<group_full_path>",
         googleProjectIdName: "my-google-project",
         clientEmail: "my-email@my-google-project.iam.gservice.account.com",
         privateKey: "YOUR_PRIVATE_KEY",
         logIdName: "audit-events"
       }
     ) {
       errors
       googleCloudLoggingConfiguration {
         id
         googleProjectIdName
         logIdName
         privateKey
         clientEmail
         name
       }
     }
   }
   ```

7. List all destinations again with the query from step 5. The `name` field of the newly created destination is the name you provided.
8. Now update the destination, in particular its name, with the following mutation. The output shows the updated attributes, and the external HTTP destination added in step 2 receives an audit event for each updated column.

   ```graphql
   mutation {
     googleCloudLoggingConfigurationUpdate(
       input: {
         id: "gid://gitlab/AuditEvents::GoogleCloudLoggingConfiguration/<id>",
         googleProjectIdName: "updated-google-id",
         privateKey: "YOUR_UPDATED_PRIVATE_KEY",
         logIdName: "audit-events",
         name: "updated name"
       }
     ) {
       errors
       googleCloudLoggingConfiguration {
         id
         logIdName
         privateKey
         googleProjectIdName
         clientEmail
         name
       }
     }
   }
   ```

9. List all destinations for the group with the query from step 5. Everything should be in place.
10. Note: updating attributes with the same values as before should neither generate nor stream audit events for those fields.
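The listing, create and update steps above can be driven from a script instead of the explorer. The following is an added example written for this page (not part of the MR or of GitLab) that runs the same three GraphQL documents against `/api/graphql` with a personal access token, then checks that the `name` round-trips through create, update and listing. It assumes GitLab's standard `<mutation>Input` naming for the mutation input types and deliberately omits `privateKey` from every selection set so the secret is never pulled into a terminal or shell history; the `validate_name_field` helper and the `GITLAB_URL`/`GITLAB_TOKEN` environment variables are conventions of this example only. The transport is injectable (`execute(query, variables)`), so the flow can be exercised offline against a fake.

```python
import json
import re
import urllib.request

GRAPHQL_PATH = "/api/graphql"
# Default name observed in step 5: "Destination_<uuid4>".
DEFAULT_NAME_RE = re.compile(r"^Destination_[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")

# privateKey is intentionally absent from all selection sets below.
LIST_QUERY = """
query ($fullPath: ID!) {
  group(fullPath: $fullPath) {
    id
    googleCloudLoggingConfigurations {
      nodes { id logIdName googleProjectIdName clientEmail name }
    }
  }
}"""
CREATE_MUTATION = """
mutation ($input: GoogleCloudLoggingConfigurationCreateInput!) {
  googleCloudLoggingConfigurationCreate(input: $input) {
    errors
    googleCloudLoggingConfiguration { id logIdName googleProjectIdName clientEmail name }
  }
}"""
UPDATE_MUTATION = """
mutation ($input: GoogleCloudLoggingConfigurationUpdateInput!) {
  googleCloudLoggingConfigurationUpdate(input: $input) {
    errors
    googleCloudLoggingConfiguration { id logIdName googleProjectIdName clientEmail name }
  }
}"""


def gitlab_executor(base_url, token):
    """Build execute(query, variables) -> data against a GitLab instance, using a PAT."""
    def execute(query, variables):
        body = json.dumps({"query": query, "variables": variables}).encode()
        request = urllib.request.Request(
            base_url.rstrip("/") + GRAPHQL_PATH, data=body,
            headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(request) as response:
            payload = json.load(response)
        if payload.get("errors"):
            raise RuntimeError(f"GraphQL errors: {payload['errors']}")
        return payload["data"]
    return execute


def list_configurations(execute, group_path):
    data = execute(LIST_QUERY, {"fullPath": group_path})
    return data["group"]["googleCloudLoggingConfigurations"]["nodes"]


def _unwrap(result, action):
    """Surface mutation-level errors (the `errors` field) instead of silently continuing."""
    if result["errors"]:
        raise RuntimeError(f"{action} failed: {result['errors']}")
    return result["googleCloudLoggingConfiguration"]


def create_configuration(execute, group_path, name, **attributes):
    data = execute(CREATE_MUTATION, {"input": {"groupPath": group_path, "name": name, **attributes}})
    return _unwrap(data["googleCloudLoggingConfigurationCreate"], "create")


def update_configuration(execute, config_id, **attributes):
    data = execute(UPDATE_MUTATION, {"input": {"id": config_id, **attributes}})
    return _unwrap(data["googleCloudLoggingConfigurationUpdate"], "update")


def validate_name_field(execute, group_path, private_key="YOUR_PRIVATE_KEY"):
    """Steps 5 to 9 above: returns what was observed, raises if `name` does not round-trip."""
    default_named = [c["name"] for c in list_configurations(execute, group_path)
                     if DEFAULT_NAME_RE.match(c["name"])]
    created = create_configuration(
        execute, group_path, "destination with name",
        googleProjectIdName="my-google-project",
        clientEmail="my-email@my-google-project.iam.gservice.account.com",
        privateKey=private_key, logIdName="audit-events")
    if created["name"] != "destination with name":
        raise AssertionError(f"create did not persist name: {created!r}")
    # logIdName is resent unchanged on purpose: it must not produce an audit event.
    updated = update_configuration(execute, created["id"], name="updated name",
                                   googleProjectIdName="updated-google-id",
                                   logIdName="audit-events")
    if updated["name"] != "updated name":
        raise AssertionError(f"update did not persist name: {updated!r}")
    final = {c["id"]: c["name"] for c in list_configurations(execute, group_path)}
    if final.get(created["id"]) != "updated name":
        raise AssertionError(f"listing does not show updated name: {final!r}")
    return {"default_named": default_named, "created_id": created["id"],
            "final_name": final[created["id"]]}


if __name__ == "__main__":
    import os
    import sys
    run = gitlab_executor(os.environ.get("GITLAB_URL", "https://gitlab.localdev:3000"),
                          os.environ["GITLAB_TOKEN"])
    print(json.dumps(validate_name_field(run, sys.argv[1]), indent=2))
```

Run it as `GITLAB_TOKEN=<pat> python validate_name.py <group_full_path>` against the local instance. The script verifies only the API side; whether the HTTP destination from step 2 received one event per changed column (and none for the unchanged `logIdName`) still has to be checked on the receiving end.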
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #416572 (closed)
Edited by Hitesh Raghuvanshi