
Add non-root access with filtering support to activity export API #27846

Merged
merged 9 commits into from
Jul 24, 2024
1 change: 1 addition & 0 deletions api/sudo_paths.go
Expand Up @@ -28,6 +28,7 @@ var sudoPaths = map[string]*regexp.Regexp{
"/sys/config/ui/headers": regexp.MustCompile(`^/sys/config/ui/headers/?$`),
"/sys/config/ui/headers/{header}": regexp.MustCompile(`^/sys/config/ui/headers/.+$`),
"/sys/internal/inspect/router/{tag}": regexp.MustCompile(`^/sys/internal/inspect/router/.+$`),
"/sys/internal/counters/activity/export": regexp.MustCompile(`^/sys/internal/counters/activity/export$`),
"/sys/leases": regexp.MustCompile(`^/sys/leases$`),
// This entry is a bit wrong... sys/leases/lookup does NOT require sudo. But sys/leases/lookup/ with a trailing
// slash DOES require sudo. But the part of the Vault CLI that uses this logic doesn't pass operation-appropriate
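Review bot: The new `/sys/internal/counters/activity/export` entry anchors its pattern with `export$`, so the trailing-slash spelling of the path is not recognised, while the neighbouring `/sys/config/ui/headers` entry deliberately accepts both forms with `/?$`; if the server treats `.../activity/export/` as the same sudo-gated endpoint, the pattern should be `regexp.MustCompile(`^/sys/internal/counters/activity/export/?$`)` so the CLI classifies both spellings the same way (the comment just below the hunk records that exactly this trailing-slash mismatch has already caused confusion for `sys/leases/lookup`). The comment on the `sys/leases` entries indicates this map is consulted by the Vault CLI rather than by the request handler, so on its own it presumably does not enforce the new `sudo` requirement that the changelog announces; that depends on the backend path definition for the export endpoint also being marked sudo, which is outside this hunk and is worth pinning with a server-side test that a token lacking `sudo` in a child namespace is denied. The `sudoPaths` map literal begins and ends outside the hunk.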
7 changes: 7 additions & 0 deletions changelog/27846.txt
@@ -0,0 +1,7 @@
```release-note:change
activity: The [activity export API](https://developer.hashicorp.com/vault/api-docs/system/internal-counters#activity-export) now requires the `sudo` ACL capability.
```

```release-note:improvement
activity: The [activity export API](https://developer.hashicorp.com/vault/api-docs/system/internal-counters#activity-export) can now be called in non-root namespaces. Resulting records will be filtered to include the requested namespace (via `X-Vault-Namespace` header or within the path) and all child namespaces.
```
42 changes: 21 additions & 21 deletions vault/activity/test_fixtures/aug.csv
@@ -1,21 +1,21 @@
client_id,namespace_id,timestamp,non_entity,mount_accessor
111122222-3333-4444-5555-000000000000,root,1,false,auth_1
111122222-3333-4444-5555-000000000001,root,1,false,auth_1
111122222-3333-4444-5555-000000000002,root,1,false,auth_1
111122222-3333-4444-5555-000000000003,root,1,false,auth_1
111122222-3333-4444-5555-000000000004,root,1,false,auth_1
111122222-3333-4444-5555-000000000005,aaaaa,1,false,auth_2
111122222-3333-4444-5555-000000000006,aaaaa,1,false,auth_2
111122222-3333-4444-5555-000000000007,aaaaa,1,false,auth_2
111122222-3333-4444-5555-000000000008,aaaaa,1,false,auth_2
111122222-3333-4444-5555-000000000009,aaaaa,1,false,auth_2
111122222-3333-4444-5555-000000000010,bbbbb,1,false,auth_3
111122222-3333-4444-5555-000000000011,bbbbb,1,false,auth_3
111122222-3333-4444-5555-000000000012,bbbbb,1,false,auth_3
111122222-3333-4444-5555-000000000013,bbbbb,2,false,auth_3
111122222-3333-4444-5555-000000000014,bbbbb,2,false,auth_3
111122222-3333-4444-5555-000000000015,root,2,false,auth_4
111122222-3333-4444-5555-000000000016,root,2,false,auth_4
111122222-3333-4444-5555-000000000017,root,2,false,auth_4
111122222-3333-4444-5555-000000000018,root,2,false,auth_4
111122222-3333-4444-5555-000000000019,root,2,false,auth_4
client_id,client_type,namespace_id,namespace_path,mount_accessor,timestamp
111122222-3333-4444-5555-000000000000,entity,root,,auth_1,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000001,entity,root,,auth_1,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000002,entity,root,,auth_1,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000003,entity,root,,auth_1,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000004,entity,root,,auth_1,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000005,entity,aaaaa,aaaaa/,auth_2,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000006,entity,aaaaa,aaaaa/,auth_2,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000007,entity,aaaaa,aaaaa/,auth_2,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000008,entity,aaaaa,aaaaa/,auth_2,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000009,entity,aaaaa,aaaaa/,auth_2,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000010,entity,bbbbb,bbbbb/,auth_3,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000011,entity,bbbbb,bbbbb/,auth_3,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000012,entity,bbbbb,bbbbb/,auth_3,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000013,entity,bbbbb,bbbbb/,auth_3,"1970-01-01T00:00:02Z"
111122222-3333-4444-5555-000000000014,entity,bbbbb,bbbbb/,auth_3,"1970-01-01T00:00:02Z"
111122222-3333-4444-5555-000000000015,entity,root,,auth_4,"1970-01-01T00:00:02Z"
111122222-3333-4444-5555-000000000016,entity,root,,auth_4,"1970-01-01T00:00:02Z"
111122222-3333-4444-5555-000000000017,entity,root,,auth_4,"1970-01-01T00:00:02Z"
111122222-3333-4444-5555-000000000018,entity,root,,auth_4,"1970-01-01T00:00:02Z"
111122222-3333-4444-5555-000000000019,entity,root,,auth_4,"1970-01-01T00:00:02Z"
40 changes: 20 additions & 20 deletions vault/activity/test_fixtures/aug.json
@@ -1,20 +1,20 @@
{"client_id":"111122222-3333-4444-5555-000000000000","namespace_id":"root","timestamp":1,"mount_accessor":"auth_1"}
{"client_id":"111122222-3333-4444-5555-000000000001","namespace_id":"root","timestamp":1,"mount_accessor":"auth_1"}
{"client_id":"111122222-3333-4444-5555-000000000002","namespace_id":"root","timestamp":1,"mount_accessor":"auth_1"}
{"client_id":"111122222-3333-4444-5555-000000000003","namespace_id":"root","timestamp":1,"mount_accessor":"auth_1"}
{"client_id":"111122222-3333-4444-5555-000000000004","namespace_id":"root","timestamp":1,"mount_accessor":"auth_1"}
{"client_id":"111122222-3333-4444-5555-000000000005","namespace_id":"aaaaa","timestamp":1,"mount_accessor":"auth_2"}
{"client_id":"111122222-3333-4444-5555-000000000006","namespace_id":"aaaaa","timestamp":1,"mount_accessor":"auth_2"}
{"client_id":"111122222-3333-4444-5555-000000000007","namespace_id":"aaaaa","timestamp":1,"mount_accessor":"auth_2"}
{"client_id":"111122222-3333-4444-5555-000000000008","namespace_id":"aaaaa","timestamp":1,"mount_accessor":"auth_2"}
{"client_id":"111122222-3333-4444-5555-000000000009","namespace_id":"aaaaa","timestamp":1,"mount_accessor":"auth_2"}
{"client_id":"111122222-3333-4444-5555-000000000010","namespace_id":"bbbbb","timestamp":1,"mount_accessor":"auth_3"}
{"client_id":"111122222-3333-4444-5555-000000000011","namespace_id":"bbbbb","timestamp":1,"mount_accessor":"auth_3"}
{"client_id":"111122222-3333-4444-5555-000000000012","namespace_id":"bbbbb","timestamp":1,"mount_accessor":"auth_3"}
{"client_id":"111122222-3333-4444-5555-000000000013","namespace_id":"bbbbb","timestamp":2,"mount_accessor":"auth_3"}
{"client_id":"111122222-3333-4444-5555-000000000014","namespace_id":"bbbbb","timestamp":2,"mount_accessor":"auth_3"}
{"client_id":"111122222-3333-4444-5555-000000000015","namespace_id":"root","timestamp":2,"mount_accessor":"auth_4"}
{"client_id":"111122222-3333-4444-5555-000000000016","namespace_id":"root","timestamp":2,"mount_accessor":"auth_4"}
{"client_id":"111122222-3333-4444-5555-000000000017","namespace_id":"root","timestamp":2,"mount_accessor":"auth_4"}
{"client_id":"111122222-3333-4444-5555-000000000018","namespace_id":"root","timestamp":2,"mount_accessor":"auth_4"}
{"client_id":"111122222-3333-4444-5555-000000000019","namespace_id":"root","timestamp":2,"mount_accessor":"auth_4"}
{"client_id":"111122222-3333-4444-5555-000000000000","client_type":"entity","namespace_id":"root","namespace_path":"","timestamp":"1970-01-01T00:00:01Z","mount_accessor":"auth_1"}
{"client_id":"111122222-3333-4444-5555-000000000001","client_type":"entity","namespace_id":"root","namespace_path":"","timestamp":"1970-01-01T00:00:01Z","mount_accessor":"auth_1"}
{"client_id":"111122222-3333-4444-5555-000000000002","client_type":"entity","namespace_id":"root","namespace_path":"","timestamp":"1970-01-01T00:00:01Z","mount_accessor":"auth_1"}
{"client_id":"111122222-3333-4444-5555-000000000003","client_type":"entity","namespace_id":"root","namespace_path":"","timestamp":"1970-01-01T00:00:01Z","mount_accessor":"auth_1"}
{"client_id":"111122222-3333-4444-5555-000000000004","client_type":"entity","namespace_id":"root","namespace_path":"","timestamp":"1970-01-01T00:00:01Z","mount_accessor":"auth_1"}
{"client_id":"111122222-3333-4444-5555-000000000005","client_type":"entity","namespace_id":"aaaaa","namespace_path":"aaaaa/","timestamp":"1970-01-01T00:00:01Z","mount_accessor":"auth_2"}
{"client_id":"111122222-3333-4444-5555-000000000006","client_type":"entity","namespace_id":"aaaaa","namespace_path":"aaaaa/","timestamp":"1970-01-01T00:00:01Z","mount_accessor":"auth_2"}
{"client_id":"111122222-3333-4444-5555-000000000007","client_type":"entity","namespace_id":"aaaaa","namespace_path":"aaaaa/","timestamp":"1970-01-01T00:00:01Z","mount_accessor":"auth_2"}
{"client_id":"111122222-3333-4444-5555-000000000008","client_type":"entity","namespace_id":"aaaaa","namespace_path":"aaaaa/","timestamp":"1970-01-01T00:00:01Z","mount_accessor":"auth_2"}
{"client_id":"111122222-3333-4444-5555-000000000009","client_type":"entity","namespace_id":"aaaaa","namespace_path":"aaaaa/","timestamp":"1970-01-01T00:00:01Z","mount_accessor":"auth_2"}
{"client_id":"111122222-3333-4444-5555-000000000010","client_type":"entity","namespace_id":"bbbbb","namespace_path":"bbbbb/","timestamp":"1970-01-01T00:00:01Z","mount_accessor":"auth_3"}
{"client_id":"111122222-3333-4444-5555-000000000011","client_type":"entity","namespace_id":"bbbbb","namespace_path":"bbbbb/","timestamp":"1970-01-01T00:00:01Z","mount_accessor":"auth_3"}
{"client_id":"111122222-3333-4444-5555-000000000012","client_type":"entity","namespace_id":"bbbbb","namespace_path":"bbbbb/","timestamp":"1970-01-01T00:00:01Z","mount_accessor":"auth_3"}
{"client_id":"111122222-3333-4444-5555-000000000013","client_type":"entity","namespace_id":"bbbbb","namespace_path":"bbbbb/","timestamp":"1970-01-01T00:00:02Z","mount_accessor":"auth_3"}
{"client_id":"111122222-3333-4444-5555-000000000014","client_type":"entity","namespace_id":"bbbbb","namespace_path":"bbbbb/","timestamp":"1970-01-01T00:00:02Z","mount_accessor":"auth_3"}
{"client_id":"111122222-3333-4444-5555-000000000015","client_type":"entity","namespace_id":"root","namespace_path":"","timestamp":"1970-01-01T00:00:02Z","mount_accessor":"auth_4"}
{"client_id":"111122222-3333-4444-5555-000000000016","client_type":"entity","namespace_id":"root","namespace_path":"","timestamp":"1970-01-01T00:00:02Z","mount_accessor":"auth_4"}
{"client_id":"111122222-3333-4444-5555-000000000017","client_type":"entity","namespace_id":"root","namespace_path":"","timestamp":"1970-01-01T00:00:02Z","mount_accessor":"auth_4"}
{"client_id":"111122222-3333-4444-5555-000000000018","client_type":"entity","namespace_id":"root","namespace_path":"","timestamp":"1970-01-01T00:00:02Z","mount_accessor":"auth_4"}
{"client_id":"111122222-3333-4444-5555-000000000019","client_type":"entity","namespace_id":"root","namespace_path":"","timestamp":"1970-01-01T00:00:02Z","mount_accessor":"auth_4"}
82 changes: 41 additions & 41 deletions vault/activity/test_fixtures/aug_oct.csv
@@ -1,41 +1,41 @@
client_id,namespace_id,timestamp,non_entity,mount_accessor
111122222-3333-4444-5555-000000000000,root,1,false,auth_1
111122222-3333-4444-5555-000000000001,root,1,false,auth_1
111122222-3333-4444-5555-000000000002,root,1,false,auth_1
111122222-3333-4444-5555-000000000003,root,1,false,auth_1
111122222-3333-4444-5555-000000000004,root,1,false,auth_1
111122222-3333-4444-5555-000000000005,aaaaa,1,false,auth_2
111122222-3333-4444-5555-000000000006,aaaaa,1,false,auth_2
111122222-3333-4444-5555-000000000007,aaaaa,1,false,auth_2
111122222-3333-4444-5555-000000000008,aaaaa,1,false,auth_2
111122222-3333-4444-5555-000000000009,aaaaa,1,false,auth_2
111122222-3333-4444-5555-000000000010,bbbbb,1,false,auth_3
111122222-3333-4444-5555-000000000011,bbbbb,1,false,auth_3
111122222-3333-4444-5555-000000000012,bbbbb,1,false,auth_3
111122222-3333-4444-5555-000000000013,bbbbb,2,false,auth_3
111122222-3333-4444-5555-000000000014,bbbbb,2,false,auth_3
111122222-3333-4444-5555-000000000015,root,2,false,auth_4
111122222-3333-4444-5555-000000000016,root,2,false,auth_4
111122222-3333-4444-5555-000000000017,root,2,false,auth_4
111122222-3333-4444-5555-000000000018,root,2,false,auth_4
111122222-3333-4444-5555-000000000019,root,2,false,auth_4
111122222-3333-4444-5555-000000000020,root,3,false,auth_5
111122222-3333-4444-5555-000000000021,root,3,false,auth_5
111122222-3333-4444-5555-000000000022,root,3,false,auth_5
111122222-3333-4444-5555-000000000023,root,3,false,auth_5
111122222-3333-4444-5555-000000000024,root,3,false,auth_5
111122222-3333-4444-5555-000000000025,ccccc,3,false,auth_6
111122222-3333-4444-5555-000000000026,ccccc,3,false,auth_6
111122222-3333-4444-5555-000000000027,ccccc,3,false,auth_6
111122222-3333-4444-5555-000000000028,ccccc,3,false,auth_6
111122222-3333-4444-5555-000000000029,ccccc,3,false,auth_6
111122222-3333-4444-5555-000000000030,root,4,false,auth_7
111122222-3333-4444-5555-000000000031,root,4,false,auth_7
111122222-3333-4444-5555-000000000032,root,4,false,auth_7
111122222-3333-4444-5555-000000000033,root,4,false,auth_7
111122222-3333-4444-5555-000000000034,root,4,false,auth_7
111122222-3333-4444-5555-000000000035,bbbbb,4,false,auth_8
111122222-3333-4444-5555-000000000036,bbbbb,4,false,auth_8
111122222-3333-4444-5555-000000000037,bbbbb,4,false,auth_8
111122222-3333-4444-5555-000000000038,bbbbb,4,false,auth_8
111122222-3333-4444-5555-000000000039,bbbbb,4,false,auth_8
client_id,client_type,namespace_id,namespace_path,mount_accessor,timestamp
111122222-3333-4444-5555-000000000000,entity,root,,auth_1,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000001,entity,root,,auth_1,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000002,entity,root,,auth_1,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000003,entity,root,,auth_1,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000004,entity,root,,auth_1,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000005,entity,aaaaa,aaaaa/,auth_2,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000006,entity,aaaaa,aaaaa/,auth_2,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000007,entity,aaaaa,aaaaa/,auth_2,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000008,entity,aaaaa,aaaaa/,auth_2,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000009,entity,aaaaa,aaaaa/,auth_2,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000010,entity,bbbbb,bbbbb/,auth_3,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000011,entity,bbbbb,bbbbb/,auth_3,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000012,entity,bbbbb,bbbbb/,auth_3,"1970-01-01T00:00:01Z"
111122222-3333-4444-5555-000000000013,entity,bbbbb,bbbbb/,auth_3,"1970-01-01T00:00:02Z"
111122222-3333-4444-5555-000000000014,entity,bbbbb,bbbbb/,auth_3,"1970-01-01T00:00:02Z"
111122222-3333-4444-5555-000000000015,entity,root,,auth_4,"1970-01-01T00:00:02Z"
111122222-3333-4444-5555-000000000016,entity,root,,auth_4,"1970-01-01T00:00:02Z"
111122222-3333-4444-5555-000000000017,entity,root,,auth_4,"1970-01-01T00:00:02Z"
111122222-3333-4444-5555-000000000018,entity,root,,auth_4,"1970-01-01T00:00:02Z"
111122222-3333-4444-5555-000000000019,entity,root,,auth_4,"1970-01-01T00:00:02Z"
111122222-3333-4444-5555-000000000020,entity,root,,auth_5,"1970-01-01T00:00:03Z"
111122222-3333-4444-5555-000000000021,entity,root,,auth_5,"1970-01-01T00:00:03Z"
111122222-3333-4444-5555-000000000022,entity,root,,auth_5,"1970-01-01T00:00:03Z"
111122222-3333-4444-5555-000000000023,entity,root,,auth_5,"1970-01-01T00:00:03Z"
111122222-3333-4444-5555-000000000024,entity,root,,auth_5,"1970-01-01T00:00:03Z"
111122222-3333-4444-5555-000000000025,entity,ccccc,ccccc/,auth_6,"1970-01-01T00:00:03Z"
111122222-3333-4444-5555-000000000026,entity,ccccc,ccccc/,auth_6,"1970-01-01T00:00:03Z"
111122222-3333-4444-5555-000000000027,entity,ccccc,ccccc/,auth_6,"1970-01-01T00:00:03Z"
111122222-3333-4444-5555-000000000028,entity,ccccc,ccccc/,auth_6,"1970-01-01T00:00:03Z"
111122222-3333-4444-5555-000000000029,entity,ccccc,ccccc/,auth_6,"1970-01-01T00:00:03Z"
111122222-3333-4444-5555-000000000030,entity,root,,auth_7,"1970-01-01T00:00:04Z"
111122222-3333-4444-5555-000000000031,entity,root,,auth_7,"1970-01-01T00:00:04Z"
111122222-3333-4444-5555-000000000032,entity,root,,auth_7,"1970-01-01T00:00:04Z"
111122222-3333-4444-5555-000000000033,entity,root,,auth_7,"1970-01-01T00:00:04Z"
111122222-3333-4444-5555-000000000034,entity,root,,auth_7,"1970-01-01T00:00:04Z"
111122222-3333-4444-5555-000000000035,entity,bbbbb,bbbbb/,auth_8,"1970-01-01T00:00:04Z"
111122222-3333-4444-5555-000000000036,entity,bbbbb,bbbbb/,auth_8,"1970-01-01T00:00:04Z"
111122222-3333-4444-5555-000000000037,entity,bbbbb,bbbbb/,auth_8,"1970-01-01T00:00:04Z"
111122222-3333-4444-5555-000000000038,entity,bbbbb,bbbbb/,auth_8,"1970-01-01T00:00:04Z"
111122222-3333-4444-5555-000000000039,entity,bbbbb,bbbbb/,auth_8,"1970-01-01T00:00:04Z"