  1. Infrastructure
  2. INFRA-1643

Investigate how to segregate infra logs visibility per user role

    Details

    • Sprint:
      Evergreen - Milestone 1

      Description

      For Essentials, we are receiving logs from instances, and are going to also push those logs into the Jenkins Project infrastructure.

      Acceptance criteria:

      As a "selected" plugin developer:

      • I can read the logs sent by the Essentials instances running in the world.
      • I cannot see any other logs than the Essentials ones (i.e. I do not see logs from any service like jenkins.io, ldap or anything else running in the Jenkins K8S cluster)

      By "selected" above, we mean that not every plugin developer is going to be allowed to see those logs, for obvious security reasons.
      Ideally, there should be a dedicated LDAP group in the Jenkins LDAP to offer this access to some people.

      Technical discussion/points (as we just met with Olivier):

      Ideally, to avoid multiplying systems, we would push logs from Essentials Error Telemetry service to Azure Logs Analytics too.
      So, if we can give access to Logs Analytics, while still making visible only the logs that have for instance an "origin=evergreen" tag, that would be perfect. We would then just make sure to add this tag when pushing to the Azure Logs Analytics.

            Activity

            olblak Olivier Vernin added a comment -

            Even if it's not the easiest solution, I don't consider this as complicated.
            I plan to have a look at datadog apm, https://issues.jenkins-ci.org/browse/INFRA-1651 for the accountapp

            batmat Baptiste Mathus added a comment -

            @Olivier I think not, thanks for investigating. Just created JENKINS-51735 to follow up on my side, as we proved using the existing Jenkins infra setup was not very easy, better try with Sentry or similar as discussed during the meeting. Thanks!

            olblak Olivier Vernin added a comment -

            Baptiste Mathus Do you expect something else from this task?

            olblak Olivier Vernin added a comment - - edited

            One solution would be to deploy a new loganalytics workspace restricted to evergreen developers.
            This would mean:

            • Deploy a new terraform resource
            • Deploy a new fluentd instance on kubernetes like
            • In a first step we can add read only access to users with a microsoft account.

            Remark for fluentd, it should listen on a port instead of reading all kubernetes log files


              People

              Assignee:
              olblak Olivier Vernin
              Reporter:
              batmat Baptiste Mathus