Client Manager should show clientId creation (audit) chain

Status: NEW, Unassigned

Taskcluster, Tools
2 years ago, 4 months ago

People: (Reporter: pmoore, Unassigned)

(Reporter)

Description

2 years ago
For example, if

  * clientId <B> is created from clientId <A>
  * clientId <C> is created from clientId <B>

then when viewing clientId <C>, it would be useful to see it was created from clientId <B>, which in turn was created from clientId <A>.

A real example is that clientId "project/taskcluster/tc-client-go/tests" was created from clientId "mozilla-ldap/pmoore@mozilla.com" (I believe).

This chain should be shown, in this example, on this page:
  * https://tools.taskcluster.net/auth/clients/#project%252ftaskcluster%252ftc-client-go%252ftests

If temporary credentials in the creation chain should also be shown, both named and unnamed.

This way, we have a audit trail of how the clientId came into existence.
(Reporter)

Comment 1

2 years ago
s/If temporary/Temporary/
s/a audit trail/an audit trail/

:)

I'd rather just log this information to mozdef
(Reporter)

Comment 3

2 years ago
Is that transparent, or can only taskcluster admins see it? I don't know what mozdef is. :)

Mozdef is the infrasec team's centralized logging system, and the right place for an audit trail. John was working on structured logging and feeding that to mozdef.

This seems to overlap with https://bugzilla.mozilla.org/show_bug.cgi?id=1264078

Brian, do you think our audit logs cover this?
Flags: needinfo?(bstack)

Comment 7

8 months ago
This is related to (and probably part of) part 2 of bug 1346013 I think.
Flags: needinfo?(bstack)
(Reporter)

Comment 8

4 months ago
(In reply to Dustin J. Mitchell [:dustin] from comment #4)
> Mozdef is the infrasec team's centralized logging system, and the right
> place for an audit trail.  John was working on structured logging and
> feeding that to mozdef.

We should also show this information in the web interface.
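
The creation chain requested in this bug, rebuilt from structured audit records of the kind discussed in the comments, as an added example that is not part of the bug or of Taskcluster's code. The record fields (`clientId`, `createdBy`, `temporary`) and the helper names are hypothetical, and the sample records are constructed.

```javascript
// Constructed sample audit records; the field names are assumptions,
// not Taskcluster's actual schema.
const auditRecords = [
  { clientId: 'client/A', createdBy: null, temporary: false },
  { clientId: 'client/B', createdBy: 'client/A', temporary: true },
  { clientId: 'client/C', createdBy: 'client/B', temporary: false },
  // Creator was deleted or never logged: the chain must end visibly, not silently.
  { clientId: 'client/D', createdBy: 'client/gone', temporary: false },
  // Inconsistent log data: two records that name each other as creator.
  { clientId: 'client/X', createdBy: 'client/Y', temporary: false },
  { clientId: 'client/Y', createdBy: 'client/X', temporary: false },
];

// Walk from a clientId back to its root creator, one audit record per hop.
function creationChain(records, clientId) {
  const byId = new Map(records.map(r => [r.clientId, r]));
  const seen = new Set();
  const chain = [];
  let current = clientId;
  while (current !== null) {
    if (seen.has(current)) {
      chain.push({ clientId: current, note: 'cycle' });
      break;
    }
    seen.add(current);
    const rec = byId.get(current);
    if (!rec) {
      // Gap in the trail: report it so a reviewer knows the chain is incomplete.
      chain.push({ clientId: current, note: 'no audit record' });
      break;
    }
    chain.push({ clientId: current, temporary: rec.temporary });
    current = rec.createdBy;
  }
  return chain;
}

// Render the chain as one line, newest client first.
function formatChain(chain) {
  return chain
    .map(e => e.clientId + (e.temporary ? ' (temporary)' : '') + (e.note ? ` [${e.note}]` : ''))
    .join(' <- ');
}

console.log(formatChain(creationChain(auditRecords, 'client/C')));
```
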