Hide stack logs from all users except Data.all admin users

data-dot-all / dataall

A modern data marketplace that makes collaboration among diverse users (like business, analysts and engineers) easier, increasing efficiency and agility in data projects on AWS.

https://data-dot-all.github.io/dataall/

Apache License 2.0

233 stars 82 forks source link

Hide stack logs from all users except Data.all admin users #1528

Open TejasRGitHub opened 1 month ago

TejasRGitHub commented 1 month ago

Is your idea related to a problem? Please describe. Stack logs ( Environment, Dataset ) and also share logs are accessible to some users based on if they are owner, business owner, stewards group etc.

These stack logs help in debugging any issues for a data.all developer or an admin but for other users do not provide much info. Apart from that the stack logs also output roles and stack data which might contain sensitive / secret information.

Describe the solution you'd like To better protect information about AWS accounts and roles, it is better to provide a config which lets data.all admins decide if they want data.all users to see these logs.

The configs allows data.all admins to only allow data.all admins to view the logs and no one else.

P.S. Don't attach files. Please, prefer add code snippets directly in the message body.

TejasRGitHub commented 1 month ago

This would be configurable with config like :

{
    "modules": {
        ........,
        "s3_datasets": {
            "active": true,
            "features": {
               ..... ,
                "show_logs" : false
            }
        },
        "s3_datasets_shares": {
            "active": true,
             "features": {
                 "show_logs" : false
             }
        },
       ,..
    },
    "core": {
        "features": {
            "env_aws_actions": false,
            .....,
            "show_logs" : false
        },
    }
}

noah-paige commented 1 month ago

Hi @TejasRGitHub - currently in data.all DA Admins cannot see all data.all Envs, Dataasets, and other resources with IaC Stacks which the Admin team is not a part of and thus can not see the logs for these data.all resource stacks as well

For the above example when show_logs is set to false would this feature flag mean that non-Admin teams are no longer able to view logs only or would it also be additional changes to allow admins to not view data.all resources / logs from UI?

TejasRGitHub commented 1 month ago

Hi @noah-paige , in our usecase , our admin team is a part of all the teams present in data.all. What we want to achieve is to block non-admin user(s) / group(s) from viewing the logs on data.all UI

Thus, when show_logs : false would not show logs on UI to non-Admin users but it will still show logs to data.all admins

noah-paige commented 1 month ago

@TejasRGitHub okay makes sense - to make it more generic I would have 3 options for enabled/disabled/admin-only

but the config change sounds good

TejasRGitHub commented 1 month ago

That's even better. Thanks @noah-paige. Will make the changes accordingly