Infrastructure / INFRA-1643

Investigate how to segregate infra logs visibility per user role

    • Sprint:
      Evergreen - Milestone 1

      Description

      For Essentials, we are receiving logs from instances, and are going to also push those logs into the Jenkins Project infrastructure.

      Acceptance criteria:

      As a "selected" plugin developer:

      • I can read the logs sent by the Essentials instances running in the world.
      • I cannot see any other logs than the Essentials ones (i.e. I do not see logs from any service like jenkins.io, ldap or anything else running in the Jenkins K8S cluster)

      By "selected" above, we mean that not every plugin developer is going to be allowed to see those logs, for obvious security reasons.
      Ideally, there should be a dedicated LDAP group in the Jenkins LDAP to offer this access to some people.

      Technical discussion/points (as we just met with Olivier):

      Ideally, to avoid multiplying systems, we would push logs from Essentials Error Telemetry service to Azure Logs Analytics too.
      So, if we can give access to Logs Analytics, while still making visible only the logs that have for instance an "origin=evergreen" tag, that would be perfect. We would then just make sure to add this tag when pushing to the Azure Logs Analytics.

            Activity

            batmat Baptiste Mathus created issue -
            batmat Baptiste Mathus made changes -
            Field Original Value New Value
            Link This issue blocks JENKINS-51299 [ JENKINS-51299 ]
            batmat Baptiste Mathus made changes -
            Summary Investigate how to segregate infra logs visibililty per user role Investigate how to segregate infra logs visibility per user role
            olblak Olivier Vernin added a comment - - edited

            One solution would be to deploy a new loganalytics workspace restricted to evergreen developers.
            This would mean:

            • Deploy a new terraform resource
            • Deploy a new fluentd instance on kubernetes like
            • In a first step we can add read only access to users with a microsoft account.

            Remark for fluentd, it should listen on a port instead of reading all kubernetes log files
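
The fluentd remark above, sketched as an added configuration example (it is not from this ticket or from the Jenkins infrastructure repository): a dedicated instance that only accepts pushed events, stamps the proposed `origin` field, and drops everything else. Assumptions: the `evergreen.**` tag prefix, port 24224, the third-party `azure-loganalytics` output plugin being installed, the two environment variable names, and the `EvergreenLogs` log type.

```conf
# Broad collection the remark argues against: tailing every container log on
# the node would also ship jenkins.io, ldap and other services' logs.
# <source>
#   @type tail
#   path /var/log/containers/*.log
#   pos_file /var/log/fluentd-containers.log.pos
#   tag kubernetes.*
#   <parse>
#     @type json
#   </parse>
# </source>

# Dedicated instance: accept only events that a sender pushes to this port.
# Assumption: 24224, fluentd's conventional forward port.
<source>
  @type forward
  bind 0.0.0.0
  port 24224
</source>

# Stamp the field the description proposes filtering on.
<filter evergreen.**>
  @type record_transformer
  <record>
    origin evergreen
  </record>
</filter>

# Ship only evergreen.* events to the dedicated workspace.
# Assumptions: third-party azure-loganalytics plugin; placeholder env var
# names for the workspace id and key; hypothetical log type name.
<match evergreen.**>
  @type azure-loganalytics
  customer_id "#{ENV['EVERGREEN_WORKSPACE_ID']}"
  shared_key "#{ENV['EVERGREEN_WORKSPACE_KEY']}"
  log_type EvergreenLogs
</match>

# Anything else that reaches the port is dropped, not forwarded.
<match **>
  @type null
</match>
```

Because this instance never reads the node's log files, a routing mistake cannot leak other services' logs into the restricted workspace; the catch-all `null` match makes that the default for unexpected tags as well.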

            olblak Olivier Vernin made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            olblak Olivier Vernin added a comment -

            Baptiste Mathus Do you expect something else from this task?

            batmat Baptiste Mathus made changes -
            Issue Type Task [ 3 ] Epic [ 10001 ]
            batmat Baptiste Mathus made changes -
            Issue Type Epic [ 10001 ] Task [ 3 ]
            batmat Baptiste Mathus added a comment -

            @Olivier I think not, thanks for investigating. Just created JENKINS-51735 to follow up on my side, as we proved using the existing Jenkins infra setup was not very easy, better try with Sentry or similar as discussed during the meeting. Thanks!

            batmat Baptiste Mathus made changes -
            Resolution Done [ 10000 ]
            Status In Progress [ 3 ] Closed [ 6 ]
            olblak Olivier Vernin added a comment -

            Even if it's not the easiest solution, I don't consider this as complicated.
            I plan to have a look at datadog apm, https://issues.jenkins-ci.org/browse/INFRA-1651 for the accountapp

            batmat Baptiste Mathus made changes -
            Resolution Done [ 10000 ]
            Status Closed [ 6 ] Reopened [ 4 ]
            batmat Baptiste Mathus made changes -
            Labels essentials essentials-triggered evergreen evergreen-triggered
            batmat Baptiste Mathus made changes -
            Resolution Done [ 10000 ]
            Status Reopened [ 4 ] Closed [ 6 ]

              People

              Assignee:
              olblak Olivier Vernin
              Reporter:
              batmat Baptiste Mathus