@stonezdj
Contributor

No description provided.

@Vad1mo
Member

Vad1mo commented Nov 28, 2024

This proposal not only introduces a new auditlog but also adds many more events.

  • The volume of transactions that the new system can cause in high pull/push environments. One crucial part of the enhanced auditlog should be the decoupling of event producer action and event writing. In other words, an artifact pull/push should not be affected by the eventlog.

  • The database is currently the bottleneck of Harbor, especially on large installations with many artifacts, policies, and vulnerability data. Reducing the pressure on the database should be a priority in the new auditlogs. Adding Redis here will not improve the situation, unless we use/implement a Write-Back Caching strategy.

I suggest also making the auditlog pluggable, meaning that in the future it would be possible to add other types of backends apart from postgres, like OpenTelemetry or Loki.

I am looking into a few options, and unlogged tables directly or in combination with stored procedures can provide a huge improvement in write performance.
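
The decoupling of event producer and event writing asked for in the comment above, as an added example (not part of the comment and not Harbor's code): a bounded in-memory queue with a single batching writer, so a pull/push handler never waits on the audit store. `AuditEvent`, `WriteBatch` and `AsyncAuditLog` are hypothetical names; events dropped on overflow or lost to a failed write are counted, because silent loss would be a gap in the audit trail.

```go
package main

import "sync/atomic"

type AuditEvent struct{ Operation, Resource, Username string } // hypothetical shape
type WriteBatch func([]AuditEvent) error                       // hypothetical; any backend

// AsyncAuditLog keeps event persistence off the pull/push request path.
type AsyncAuditLog struct {
	queue chan AuditEvent
	done  chan struct{}
	lost  atomic.Int64 // dropped or unwritten events: an audit gap to alert on
}

func NewAsyncAuditLog(write WriteBatch, queueSize, batchSize int) *AsyncAuditLog {
	a := &AsyncAuditLog{queue: make(chan AuditEvent, queueSize), done: make(chan struct{})}
	go func() { // single writer: batched writes instead of one per request
		defer close(a.done)
		batch := make([]AuditEvent, 0, batchSize)
		for ev := range a.queue {
			batch = append(batch, ev)
			if len(batch) >= batchSize || len(a.queue) == 0 { // full, or idle
				if write(batch) != nil {
					a.lost.Add(int64(len(batch)))
				}
				batch = batch[:0] // reused, so a backend must copy what it keeps
			}
		}
	}()
	return a
}

// Emit never blocks the caller; a full queue is counted as a lost event.
func (a *AsyncAuditLog) Emit(ev AuditEvent) bool {
	select {
	case a.queue <- ev:
		return true
	default:
		a.lost.Add(1)
		return false
	}
}

// Close drains the queue and returns how many events were lost in total.
func (a *AsyncAuditLog) Close() int64 { close(a.queue); <-a.done; return a.lost.Load() }

func main() { // constructed sample run with a backend that accepts everything
	a := NewAsyncAuditLog(func([]AuditEvent) error { return nil }, 64, 10)
	println(a.Emit(AuditEvent{"pull", "library/nginx", "alice"}), a.Close())
}
```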

@stonezdj stonezdj changed the title Enhance audit log Enhance audit log (draft) Dec 3, 2024
@stonezdj
Contributor Author

> This proposal not only introduces a new auditlog but also adds many more events.
>
>   • The volume of transactions that the new system can cause in high pull/push environments. One crucial part of the enhanced auditlog should be the decoupling of event producer action and event writing. In other words, an artifact pull/push should not be affected by the eventlog.
>   • The database is currently the bottleneck of Harbor, especially on large installations with many artifacts, policies, and vulnerability data. Reducing the pressure on the database should be a priority in the new auditlogs. Adding Redis here will not improve the situation, unless we use/implement a Write-Back Caching strategy.
>
> I suggest also making the auditlog pluggable, meaning that in the future it would be possible to add other types of backends apart from postgres, like OpenTelemetry or Loki.
>
> I am looking into a few options, and unlogged tables directly or in combination with stored procedures can provide a huge improvement in write performance.

The previous audit log has the log forward option; it can avoid logging in the database.

@Vad1mo
Member

Vad1mo commented Dec 11, 2024

> The previous audit log has the log forward option; it can avoid logging in the database.

The problem with the existing approach is that when this is enabled, audit logs aren't displayed in Harbor anymore. All events are forwarded to syslog.

What I had in mind was having the option to implement a different storage backend instead of postgres.

@stonezdj
Contributor Author

> > The previous audit log has the log forward option; it can avoid logging in the database.
>
> The problem with the existing approach is that when this is enabled, audit logs aren't displayed in Harbor anymore. All events are forwarded to syslog.
>
> What I had in mind was having the option to implement a different storage backend instead of postgres.

When you have configured log forwarding to LogInsight or ELK, you should search the audit log in ELK's query interface.

@reasonerjt
Contributor

> The problem with the existing approach is that when this is enabled, audit logs aren't displayed in Harbor anymore. All events are forwarded to syslog.
>
> What I had in mind was having the option to implement a different storage backend instead of postgres.

@Vad1mo This is essentially a query module in Harbor that works with different backends.
The requirement to provide a pluggable query module in Harbor for audit logs should be tracked separately.
And as Stone has suggested, when the user chooses to store Harbor's audit logs in a 3rd party system, normally he will query the information from the 3rd party system instead of from Harbor.

Contributor

@wy65701436 wy65701436 left a comment

lgtm

@stonezdj stonezdj changed the title Enhance audit log (draft) Enhance audit log Jan 8, 2025
Vad1mo previously requested changes Jan 9, 2025
@stonezdj
Contributor Author

stonezdj commented Jan 14, 2025

> > The previous audit log has the log forward option; it can avoid logging in the database.
>
> The problem with the existing approach is that when this is enabled, audit logs aren't displayed in Harbor anymore. All events are forwarded to syslog.
>
> What I had in mind was having the option to implement a different storage backend instead of postgres.

Replacing postgres is a big task; we are focusing on urgent requirements and have no bandwidth to handle it so far.

@stonezdj stonezdj requested a review from Vad1mo January 23, 2025 02:44
@stonezdj stonezdj dismissed Vad1mo’s stale review February 17, 2025 09:37

merge proposal

@stonezdj stonezdj requested a review from chlins February 17, 2025 09:38
Member

@chlins chlins left a comment

lgtm

Signed-off-by: stonezdj <[email protected]>
@stonezdj stonezdj merged commit 57c51e5 into goharbor:main Feb 18, 2025
1 of 3 checks passed