Audit log proposal II

[capaj]

just for review purposes.

If you prefer to read as markdown open here: https://github.com/capaj/graphql-hive/blob/audit-log-proposal-2/docs/proposals/proposal-audit-log.md

[changeset-bot]

⚠️ No Changeset found

Latest commit: 6506183

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[kamilkisiela]

Suggested change

	TTL timestamp + INTERVAL 3 MONTH;
	TTL timestamp + INTERVAL 2 YEAR;

@dotansimha how long should we keep the audit logs for? Is there any requirement in SOC-2?

[capaj]

changed to 2 years. If it is too expensive we can always lower it

[kamilkisiela]

Suggested change

	event_action STRING NOT NULL,
	event_action LowCardinality(String) CODEC(ZSTD(1)),

[kamilkisiela]

you get my point

[kamilkisiela]

we do have our own clickhouse client (packages/services/api/src/modules/operations/providers/clickhouse-client.ts)

[kamilkisiela]

We need to be support all events in a backwards compatible manner, so I guess we will need something more strict than string for an event type and for the details, something to avoid "reading 'foo' of undefined" errors.

[capaj]

changed eventAction to be AuditLogEventAction.
That can be a generated enum from the GQL schema.

[kamilkisiela]

@capaj @n1ru4l you think we should store a full message here as well or dynamically produce it every time? It has pros and cons...

[n1ru4l]

hmmm, I am more in favor of computing the message from the data. The thought behind this is that we want to make parts of the message interactive (e.g. link to the organization or user etc. from the UI). But for export purposes also having a message within the table might make sense.

[capaj]

same opinion as @n1ru4l.
Also storing the message would be useless if we ever do i18n in the future. Rendering the message is trivial and we can share the code for it between FE/BE.

[kamilkisiela]

We can have both. If we store the message in clickhouse, we can export data from it in CSV format and ship it to S3, with no IO reading/writing/transforms, and still produce a message dynamically in React.

[kamilkisiela]

Imo we should store messages and use them for file exports (text and csv)

[capaj]

ok I will add the column for that

[kamilkisiela]

Every action that requires a user, has the user info cached already, so it won't be a problem. I will explain more once you will start implementing these in the codebase.

[kamilkisiela]

Yes, I think we should always await but also introduce a prometheus metric to measure how long it took to insert an event and for what action type.

[kamilkisiela]

Suggested change

	| SCHEMA_PUBLISH | User **[email protected]** published a new schema version for **Project Alpha**. |
	| SCHEMA_PUBLISHED | User **[email protected]** published a new schema version for **Project Alpha**. |

@n1ru4l do you think we should use past tense everywhere? SCHEMA_PUBLISHED vs PUBLISH_SCHEMA?

[capaj]

I renamed this for consistency with all the other ones

[kamilkisiela]

Suggested change

	organization_id: String
	organization_id: String!

I think we will always have organization_id

[capaj]

correct. We can always make it non nullable if we introduce event for something like user signup

[kamilkisiela]

Suggested change

	valid_until TIMESTAMP WITH TIME ZONE,
	expires_at TIMESTAMP WITH TIME ZONE,

maybe? But I like the idea of using S3+TTL and a column in PG to make sure we hide the export

[capaj]

renamed

[kamilkisiela]

If we want to include formatted messages in the CSV or TEXT output, we will have to go row by row and render it.
Maybe storing full messages in clickhouse is good option to avoid such scenario?

[capaj]

added it now to clickhouse table

[kamilkisiela]

I guess it would have to be a presigned url

[capaj]

yes writableStream is not defined, but it would be something like in this SO answer: https://stackoverflow.com/a/50291380/671457

[kamilkisiela]

I guess here, we will show a link to the file, right? And filters, to render the thing correctly?

[capaj]

Yes I think we want to give users ability to filter in exports too, not just in UI.
url is a field in the AuditLogFileExport, so FE can pick that when doing the mutation

[capaj]

I have made some changes based on your feedback @kamilkisiela.
I have clicked "resolve" for comments which were adressed.
Please ping me on anything that still seems unresolved from your POV.

[capaj]

what do you think @n1ru4l? I have only seen one comment from you. Do you reckon I could start implementing this feature based on this proposal?

[kamilkisiela]

I have made some changes based on your feedback @kamilkisiela. I have clicked "resolve" for comments which were adressed. Please ping me on anything that still seems unresolved from your POV.

All good. Next time you can message me on Slack, because I missed this comment and it's been a week.

[capaj]

Sorry, will do next time.
I was not idly waiting, I have a branch WIP where I have a few things already implemented.

So I will close this PR as it seems everything is addressed.
Will open a draft with implementation soonish-hopefully Thursday.

[n1ru4l]

lets stay consistent and use camel case

[capaj]

looking at migrations here:
https://github.com/kamilkisiela/graphql-hive/tree/d07cc6b1c2992227d13c79325927e7f6ebb857de/packages/migrations/src/clickhouse-actions

it seems we are using snake case for clickhouse tables.

[n1ru4l]

this could be AuditLogEventAction? 🤔

[capaj]

will change it

[n1ru4l]

lets make these non nullable

[n1ru4l]

schema publishes are not linked to an account, but access token, so we also need to cover that an action belongs to an access token, and make it possible to filter for actions done through an access token? 🤔

[capaj]

Set setting allow_experimental_object_type = 1 in order to allow it. (ILLEGAL_COLUMN) (version 24.4.3.25 (official build))"
}

actually if we want to use JSON, we would have to enable allow_experimental_object_type.
Do you want to enable that or change this to plain string @kamilkisiela ?
I would go with allow_experimental_object_type if it was up to me.

actually after reading up on it, they will replace it with something else. So let's use plain String for now ClickHouse/ClickHouse#54864