Skip to content

Added create api for namespace filters for group level destinations

Hitesh Raghuvanshi requested to merge 424176-create-api-namespace-filters into master

What does this MR do and why?

This MR adds a create API for adding namespace(subgroup and project) filters to group level custom http external audit event destinations.

Context

  1. To summarise what are custom http external audit event destinations, any audit event generated for the top level group to which this destination is associated will be streamed to this destination.
  2. This MR will help in creating namespace filters for the destinations, which means that now audit events for the subgroup and projects of the top-level group can be filtered for a destination. And in case a namespace filter is added for the destination, the destination will only receive audit events specific to that namespace(subgroup or project).

How to set up and validate locally

  1. You need to have Ultimate license for the top-level group on which you want to test.
  2. Create audit event destinations for the group as per https://docs.gitlab.com/ee/administration/audit_event_streaming/#add-a-new-http-destination. I would suggest to add atleast 2, one for a subgroup and one for a project.
  3. Create several subgroups and projects for the group. You can create multiple level of hierarchies too. I would suggest creating atleast 1 subgroup and 1 project.
  4. Open graphql explorer https://gitlab.localdev:3000/-/graphql-explorer.
  5. List down all the external destination for the group by running following query, replace path of group with yours. This query will return all the destinations associated with the group and any namespace filters associated with them.
query externalAuditEventDestinations {
  group(fullPath: "Twitter") {
    id
    externalAuditEventDestinations {
      nodes {
        destinationUrl
        verificationToken
        id
        name
        headers {
          nodes {
            key
            value
            id
            active
          }
        }
        eventTypeFilters
        namespaceFilter {
          id
          namespace {
            id
            name
            fullName
          }
          externalAuditEventDestination {
           id 
          }
        }
      }
    }
  }
}
  1. Let's create a namespace filter for a subgroup path by running following mutation, you can validate the namespace filter getting created by running query in step 5. Please use the destination id you received in step 5.
mutation auditEventsStreamingHttpNamespaceFiltersAdd {
  auditEventsStreamingHttpNamespaceFiltersAdd(input: {
    destinationId: "gid://gitlab/AuditEvents::ExternalAuditEventDestination/6",
    groupPath: "twitter/sub1/sub2"
  }) {
    errors
    namespaceFilter {
      id
      namespace {
        id
        name
        fullName
      }
      externalAuditEventDestination {
       id 
      }
    }
  }
}
  1. Now, create a namespace filter for one of the projects of the top-level group. You can validate the namespace filter getting created by running query in step 5. Please use the destination id you received in step 5.
mutation auditEventsStreamingHttpNamespaceFiltersAdd {
  auditEventsStreamingHttpNamespaceFiltersAdd(input: {
    destinationId: "gid://gitlab/AuditEvents::ExternalAuditEventDestination/5",
    projectPath: "twitter/sub1/sub2/subproj3"
  }) {
    errors
    namespaceFilter {
      id
      namespace {
        id
        name
        fullName
      }
      externalAuditEventDestination {
       id 
      }
    }
  }
}
  1. There are several error scenarios, which I am listing down:
    1. The project path is invalid.
    2. The group path is invalid.
    3. The project path does not belong to top-level group.
    4. The group path does not belong to top-level group.
    5. Namespace filter for the destination already exists.
    6. Namespace filter for the group or project path already exists.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #424176 (closed)

Edited by Hitesh Raghuvanshi

Merge request reports

Loading