Enhance audit log (draft) #253

Open
wants to merge 35 commits into
base: main

stonezdj
Contributor

No description provided.

@Vad1mo
Member

Vad1mo commented Nov 28, 2024

This proposal not only introduces a new auditlog but also adds many more events.

  • The volume of transactions that the new system can cause in high pull/push environments. One crucial part of the enhanced auditlog should be the decoupling of event producer action and event writing. In other words, an artifact pull/push should not be affected by the eventlog.

  • The database is currently the bottleneck of Harbor, especially on large installations with many artifacts, policies, and vulnerability data. Reducing the pressure on the database should be a priority in the new auditlogs. Adding Redis here will not improve the situation, unless we use/implement a write-back caching strategy.

I suggest also making the auditlog pluggable, meaning that in the future it would be possible to add other types of backends apart from Postgres, like OpenTelemetry or Loki.

I am looking into a few options, and unlogged tables, directly or in combination with stored procedures, can provide a huge improvement in write performance.
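An added illustration of the decoupling and pluggable-backend points raised in the comment above; it is not code from the proposal or from Harbor, and `Event`, `Backend`, `Auditor` and `Demo` are hypothetical names with constructed events. A bounded queue lets the pull/push path record an event without waiting on the store, and the drop counter makes any gap in the audit trail visible instead of silent:

```go
package main

import "fmt"
import "sync/atomic"

// Event, Backend and Auditor are hypothetical names, not Harbor's types.
type Event struct{ Operation, Resource, Username string }

// Backend is the pluggable sink (PostgreSQL, Loki, OpenTelemetry, ...).
type Backend func(ev Event) error

type Auditor struct {
	queue   chan Event    // bounded buffer between handlers and the writer
	done    chan struct{} // closed once the writer has drained the queue
	dropped int64         // events lost to a full queue or a failed write
}

// Record never blocks the push/pull path; a full queue is counted as a drop.
func (a *Auditor) Record(ev Event) bool {
	select {
	case a.queue <- ev:
		return true
	default:
		atomic.AddInt64(&a.dropped, 1)
		return false
	}
}

// Run is the only code that touches the backend; it exits when queue closes.
func (a *Auditor) Run(write Backend) {
	defer close(a.done)
	for ev := range a.queue {
		if write(ev) != nil {
			atomic.AddInt64(&a.dropped, 1)
		}
	}
}

func Demo() (stored int, dropped int64) {
	a := &Auditor{queue: make(chan Event, 3), done: make(chan struct{})}
	for i := 0; i < 5; i++ { // 5 constructed events, writer not draining yet
		a.Record(Event{"pull", "library/app:v1", "alice"})
	}
	go a.Run(func(Event) error { stored++; return nil })
	close(a.queue) // stop intake, then wait for the writer to finish
	<-a.done
	return stored, atomic.LoadInt64(&a.dropped)
}

func main() { fmt.Println(Demo()) }
```

For an audit log the drop counter is the security-relevant part: exporting it as a metric and alerting when it is non-zero tells operators when the trail is incomplete.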

Signed-off-by: stonezdj <[email protected]>
stonezdj changed the title from "Enhance audit log" to "Enhance audit log (draft)" on Dec 3, 2024
@stonezdj
Contributor Author

> This proposal not only introduces a new auditlog but also adds many more events.
>
> • The volume of transactions that the new system can cause in high pull/push environments. One crucial part of the enhanced auditlog should be the decoupling of event producer action and event writing. In other words, an artifact pull/push should not be affected by the eventlog.
> • The database is currently the bottleneck of Harbor, especially on large installations with many artifacts, policies, and vulnerability data. Reducing the pressure on the database should be a priority in the new auditlogs. Adding Redis here will not improve the situation, unless we use/implement a write-back caching strategy.
>
> I suggest also making the auditlog pluggable, meaning that in the future it would be possible to add other types of backends apart from Postgres, like OpenTelemetry or Loki.
>
> I am looking into a few options, and unlogged tables, directly or in combination with stored procedures, can provide a huge improvement in write performance.

The previous audit log has the log forward option; it can avoid logging in the database.

@Vad1mo
Member

Vad1mo commented Dec 11, 2024

> The previous audit log has the log forward option; it can avoid logging in the database.

The problem with the existing approach is that when this is enabled, audit logs aren't displayed in Harbor anymore. All events are forwarded to syslog.

What I had in mind was having the option to implement a different storage backend instead of Postgres.

@stonezdj
Contributor Author

> > The previous audit log has the log forward option; it can avoid logging in the database.
>
> The problem with the existing approach is that when this is enabled, audit logs aren't displayed in Harbor anymore. All events are forwarded to syslog.
>
> What I had in mind was having the option to implement a different storage backend instead of Postgres.

When you have configured log forwarding to LogInsight or ELK, you should search the audit log in ELK's query interface.

@reasonerjt
Contributor

> The problem with the existing approach is that when this is enabled, audit logs aren't displayed in Harbor anymore. All events are forwarded to syslog.
>
> What I had in mind was having the option to implement a different storage backend instead of Postgres.

@Vad1mo This is essentially a query module in Harbor that works with different backends.
The requirement to provide a pluggable query module in Harbor for audit logs should be tracked separately.
And as Stone has suggested, when the user chooses to store Harbor's audit logs in a 3rd party system, normally he will query the information from the 3rd party system instead of from Harbor.

6 participants