Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hide stack logs from all users except Data.all admin users #1528

Open
TejasRGitHub opened this issue Sep 10, 2024 · 5 comments
Open

Hide stack logs from all users except Data.all admin users #1528

TejasRGitHub opened this issue Sep 10, 2024 · 5 comments
Labels
type: enhancement Feature enhacement

Comments

@TejasRGitHub
Copy link
Contributor

Is your idea related to a problem? Please describe.
Stack logs ( Environment, Dataset ) and also share logs are accessible to some users based on if they are owner, business owner, stewards group etc.

These stack logs help in debugging any issues for a data.all developer or an admin but for other users do not provide much info. Apart from that the stack logs also output roles and stack data which might contain sensitive / secret information.

Describe the solution you'd like
To better protect information about AWS accounts and roles, it is better to provide a config which lets data.all admins decide if they want data.all users to see these logs.

The configs allows data.all admins to only allow data.all admins to view the logs and no one else.

P.S. Don't attach files. Please, prefer add code snippets directly in the message body.
@TejasRGitHub
Copy link
Contributor Author

TejasRGitHub commented Sep 10, 2024
edited
Loading

This would be configurable with config like :

{
    "modules": {
        ........,
        "s3_datasets": {
            "active": true,
            "features": {
               ..... ,
                "show_logs" : false
            }
        },
        "s3_datasets_shares": {
            "active": true,
             "features": {
                 "show_logs" : false
             }
        },
       ,..
    },
    "core": {
        "features": {
            "env_aws_actions": false,
            .....,
            "show_logs" : false
        },
    }
}

@noah-paige
Copy link
Contributor

Hi @TejasRGitHub - currently in data.all DA Admins cannot see all data.all Envs, Dataasets, and other resources with IaC Stacks which the Admin team is not a part of and thus can not see the logs for these data.all resource stacks as well

For the above example when show_logs is set to false would this feature flag mean that non-Admin teams are no longer able to view logs only or would it also be additional changes to allow admins to not view data.all resources / logs from UI?

@noah-paige noah-paige added the type: enhancement Feature enhacement label Sep 10, 2024
@TejasRGitHub
Copy link
Contributor Author

Hi @noah-paige , in our usecase , our admin team is a part of all the teams present in data.all. What we want to achieve is to block non-admin user(s) / group(s) from viewing the logs on data.all UI

Thus, when show_logs : false would not show logs on UI to non-Admin users but it will still show logs to data.all admins

@noah-paige
Copy link
Contributor

@TejasRGitHub okay makes sense - to make it more generic I would have 3 options for enabled/disabled/admin-only

but the config change sounds good

@TejasRGitHub
Copy link
Contributor Author

That's even better. Thanks @noah-paige. Will make the changes accordingly

@TejasRGitHub TejasRGitHub mentioned this issue Sep 17, 2024
Merged
TejasRGitHub added a commit to TejasRGitHub/aws-dataall that referenced this issue Sep 24, 2024
@TejasRGitHub
Adding docs for data-dot-allGH-1528
8db1a1e
dlpzx pushed a commit that referenced this issue Sep 25, 2024
@TejasRGitHub
[Gh-1528] Configurable stack logs display (#1559)
075b43c 
### Feature or Bugfix
- Feature


### Detail

As described in this issue -
#1528 , stack logs provide
some key info.

Creating a feature config called `show_stack_logs` for s3_datasets,
s3_dataset_shares, and core ( for environment stack logs ) and adding
logic in frontend to hide/show the logs button.
Using decorator in backend to restrict access based on config.


### Relates
- #1528

### Security
Please answer the questions below briefly where applicable, or write
`N/A`. Based on
[OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this
includes
fetching data from storage outside the application (e.g. a database, an
S3 bucket)? N/A
  - Is the input sanitized?
- What precautions are you taking before deserializing the data you
consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires
authorization? N/A
- How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features? N/A
  - Do you use a standard proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users? N/A
  - Have you used the least-privilege principle? How?


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

---------

Co-authored-by: trajopadhye <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: enhancement Feature enhacement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@noah-paige @TejasRGitHub