-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add option to store IP-Addresses and/or user-agents details in audit logs #19725
base: main
Are you sure you want to change the base?
Add option to store IP-Addresses and/or user-agents details in audit logs #19725
Conversation
b724948
to
ab6a92c
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #19725 +/- ##
==========================================
- Coverage 67.56% 67.46% -0.10%
==========================================
Files 991 997 +6
Lines 109181 109959 +778
Branches 2719 2724 +5
==========================================
+ Hits 73768 74185 +417
- Misses 31449 31789 +340
- Partials 3964 3985 +21
Flags with carried forward coverage won't be shown. Click here to find out more.
|
Strongly hope that this PR will be merged into 2.11.0!! This PR will close #18675, #16423, #5561 and goharbor/community#10 |
cc0498e
to
8bb1f82
Compare
Head branch was pushed to by a user without write access
fc6d5bd
to
d849179
Compare
Head branch was pushed to by a user without write access
e48fd1c
to
86e7be0
Compare
Head branch was pushed to by a user without write access
86e7be0
to
e8455c7
Compare
e8455c7
to
3b4d564
Compare
fix ui tests Signed-off-by: Maksym Trofimenko <[email protected]>
Signed-off-by: Maksym Trofimenko <[email protected]>
update translations Signed-off-by: Maksym Trofimenko <[email protected]>
3b4d564
to
eb5fc28
Compare
Hello Harbor team, we are looking forward for this feature. Could you please provide an update on the plans for it? Are there any blockers, or is it a work in progress? |
Hey harbor team, we need this feature)) |
This PR is being marked stale due to a period of inactivty. If this PR is still relevant, please comment or remove the stale label. Otherwise, this PR will close in 30 days. |
In terms of the client IP. I still have some concerns regarding the accuracy. Have you tested when the client is from a different network or behind a VPN? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Setting it to Request changes
to avoid it from being accidentally merged before we are aligned about the expectation and limitation.
@reasonerjt, this works as it should also be over VPN, It doesn't do any magic things. It also works together with different Ingress controllers (ingress nginx, AWS ALB, istio etc.) |
In my point, I agree we need record client ip to audit logs, but recorded it to database not a good idea. Maybe we need refactoring audit log system to storage mass data. |
forRegex = regexp.MustCompile(`(?i)(?:for=)([^(;|,| )]+)`) | ||
) | ||
|
||
func getIP(r *http.Request) string { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if client request through multi-level proxy server(e.g. client-->proxy 1-->proxy 2->harbor
), what's the function will return ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The function returns output based on the HTTP headers present in the request:
- XFF (X-Forwarded-For): This here will return the first IP (usually* the client’s IP).
- X-Real-IP: This will return the IP as set by the last proxy. It could be either the client’s IP or the last proxy’s IP, depending on how the proxies are configured.
- Forwarded: This here will capture the first "for=" entry, which is usually* the client’s IP.
I’ve used "usually" because these values can be easily altered by proxies in the middle. To prevent this, we should have a way to define which proxies we trust. This issue has already been raised here .
Hope that answers your question.
This PR adds the option to log IP addresses and user agents in audit logs.
This new functionality is optional and can be enabled/disabled by the admin in the configuration.
related to goharbor/community#10
Issue being fixed
closes #18675, #16423, #5561
Please indicate you've done the following:
Screenshots: