For example, if

* clientId <B> is created from clientId <A>
* clientId <C> is created from clientId <B>

then when viewing clientId <C>, it would be useful to see it was created from clientId <B>, which in turn was created from clientId <A>.

A real example is that clientId "project/taskcluster/tc-client-go/tests" was created from clientId "firstname.lastname@example.org" (I believe). This chain should be shown, in this example, on this page:

* https://tools.taskcluster.net/auth/clients/#project%252ftaskcluster%252ftc-client-go%252ftests

Temporary credentials in the creation chain should also be shown, both named and unnamed. This way, we have an audit trail of how the clientId came into existence.
s/If temporary/Temporary/ s/a audit trail/an audit trail/ :)
I'd rather just log this information to mozdef
Is that transparent, or can only taskcluster admins see it? I don't know what mozdef is. :)
Mozdef is the infrasec team's centralized logging system, and the right place for an audit trail. John was working on structured logging and feeding that to mozdef.
This seems to overlap with https://bugzilla.mozilla.org/show_bug.cgi?id=1264078
Brian, do you think our audit logs cover this?
This is related to (and probably part of) part 2 of bug 1346013 I think.
(In reply to Dustin J. Mitchell [:dustin] from comment #4)
> Mozdef is the infrasec team's centralized logging system, and the right
> place for an audit trail. John was working on structured logging and
> feeding that to mozdef.

We should also show this information in the web interface.