CMCDragonkai
commented
10 months ago Some important terminology to avoid being confused here.
- Log - a log is just a record of something happening - they could be operational logs, they could be debug level, they could be info level - they are done via js-logger, and we expect to print it to STDERR in real time without buffering, and that is supposed to be collected by an orchestrator for operational analytics. These do not need to represent a state change. Logs are useful to eventually form traces - which can be used to operational observability which is useful for debugging.
- Event - these are structured things that are supposed to be reacted to - we have programmatic events like js-events, which serve as the basis for #444 and the implementation of observables in the future. Usually these represent a state change, but not always.
- Metrics - these are statistical summarisations. The basic metrics are:
- Counter - a number that goes upwards
- Gauge - a number that could go up and down
- Other ones here: https://github.com/OpenObservability/OpenMetrics/blob/main/specification/OpenMetrics.md
Now there are 2 kinds of things we want to observe:
- Operational Observability
- User/Action Observability
For this issue, the audit domain is focused on User/Action Observability. Not operational observability.
In that sense, we would want to:
- Watch for Events Representing State Change
- Record them into DB - thus representing the events as a log
- The audit domain only reacts to events by recording them - it doesn't do anything logically
- The audit domain can update metrics as new events come into play.
As for operational logs/metrics. Again logs are not kept around, they go to STDERR. However metrics can be kept somewhere in a separate area. There is a discussion about this here: https://github.com/MatrixAI/js-logger/issues/15. It makes sense that something else should be maintaining state of operational observability, not the application itself. That way a focused system can specialise in operational observability. Usually this means something open-telemetry based. Things like memory usage is a good place to start.
One question is whether something is operational or not. Consider tracking node connections. Is this operational or is it a user/application event? It's hard to provide a clear distinction here. For a network monitoring app - it would be part of auditing. For this it is less so. I think though for the purposes of the the testnet and mainnet dashboard, this is something we will need to track in the audit domain.
tegefaulkes
amydevs
Specification
The
auditdomain of Polykey will be responsible for the auditing user-behaviour of Polykey nodes.It should expose
JS-RPCserver-streaming handlers that yield audit events, and can also provide summary metrics of those audit events.The subdomains of
auditshould be based on the domains of Polykey itself, and the audit domain should also contain Observable properties (see #444) derived from the events dispatched by each subdomain.The
JS-RPCAPI should be available viaJS-WS, so that it is accessible from the services like the mainnet/testnet status page (see #599).Furthermore, this
JS-RPCAPI should replay all accumulated state for each metric upon initial opening of the server-streaming call, so that if the any connected services were to restart, they would be able to get all the existing metric data, much like how the rxjs shareReplay funciton.Audit Events
Event Flow
Domain class instances will be injected dependencies into the Audit domain. This means that the other domains will be able to expose any data they want to record via Events without any semantics regarding the Audit domain. The Audit domain can listen to these events and record them in the database.
Database Schema
Using
js-db, there will be several level for theAuditdomain:audit/- The base Levelaudit/topic/{topicId}- Topics Levelaudit/events/{eventId}- Events leveleventIds will be made usingIdSortable, so that they are completely monotonic. Furthermore, events can be accessed by iterating over a topic level (audit/topic/{topicId}), which yields multipleeventIds. This will be used to reference the events stored in theaudit/events/{eventId}. By doing this, events are able to be apart of multiple topics as well.Topics can be nested meaning that querying topic path of
['node', 'connection']will return all audit events from their children (['node', 'connection', 'reverse']and['node', 'connection', 'forward'])API
The basic API will use an AsyncGenerator that yields events from a specified topic:
The options offer pagination, where the user can limit the number of audit events that the generator will yield and call the generator again with
seekset to the EventId of the last element that was yielded.The second API method yields events live as they are being dispatched:
The reason why the paramaters are different is because that the iteration of new events beyond what is currently stored within the DB cannot be in any order other than chronologically ascending. Furthermore, as this method requires for multiple db transaction snapshots, there is no point for the caller to pass in a transaction to perform on. Note that
generator.return()orgenerator.throw()must be called on the returnedAsyncGeneratorwhen eitherseekEndorlimitis not specified, as this call will run indefinitely until eitherthroworreturnis called,seekEndorlimitis reached, oraudit.stop({ force: true })is called.Metrics
Metrics will need to be specc'd out further. However, currently, metrics are indexed by a
MetricPathsimilar toAuditEvents. However, they are not stored in the DB, but rather derived from data within the DB.API
The basic API returns a metric based on a
topicPathand allows for the input ofseekandseekEndto specify a specific timeframe for the metric results. Metrics will have to be implemented on a case by case basis.Possibly Relevant Metrics
Some Specific Metrics Include:
Additional context
237
179 - an old issue about audit logging
Tasks
JS-RPC.