Implement audit logging #27
Conversation
If the HTTP content is controlled by other team, we probably want to audit every HTTP responses, later. This patch allows us to log all HTTP requests and responses. Inspired by git, responses are gzipped and stored using their SHA1 as filenames.
|
Shouldn't this be more of a generic Hiera function rather than the job of an individual back end? |
|
No. As previously explained, remote HTTP(s) data (http backend) is controlled by "untrusted" team. Data from other backends are managed by a trusted team. Therefore only remote HTTP(s) responses should be audited. |
|
Im not sure that there are going to be many use cases to make this part of the HTTP back end - and it does seem like people wanting to audit lookups may wish to do so with a variety of backends - have you thought about putting this logic into it's own backend, a pseudo backend called 'audit' that always returns nill - you can then add options to hiera.yaml to define what gets audited - that would seem to solve your issue and also make the functionality available to all users of all backends. Thoughts? |
As with #24, if the HTTP content is controlled by other team, we probably want to log every HTTP responses, for being able to audit them later.
This patch add an option to log all HTTP requests and responses to a specified directory. Inspired by git, responses are gzipped and stored using their SHA1 as filenames. They can be easily handled with
zcat,zless,zgrep, etc.