hashicorp / boundary

Boundary enables identity-based access management for dynamic infrastructure.
https://boundaryproject.io

add email & username to audit logs records #4158

Open dmitryroshchin opened 9 months ago

dmitryroshchin commented 9 months ago

Is your feature request related to a problem? Please describe.

Audit log records of every system should help administrators answer the following questions: Who did what and when? Boundary audit logs do provide this info, but there is no convenient way to analyze it, because the only field in the auth.userinfo record is id.

    "auth": {
      "auth_token_id": "",
      "user_info": {
        "id": "u_Qifo7VLXaA"
      }
    }

Some kind of additional lookup is required to translate it to human-readable form.

Describe the solution you'd like

email and full_name fields should be added to auth.user_info audit records, like in the following example:

    "auth": {
      "auth_token_id": "",
      "user_info": {
        "id": "u_Qifo7VLXaA",
        "email": "user@example.com",
        "full_name": "example user"
      }
    }

Additional context

We're using the OIDC auth method. Here is the discussion of the issue: https://discuss.hashicorp.com/t/email-and-username-in-audit-logs/60147

dmitryroshchin commented 9 months ago

calling @jimlambrt

anando-chatterjee commented 8 months ago

Hi @dmitryroshchin, thanks for logging this feature request. As discussed in the other thread, Boundary's audit log does contain details of the user performing any authenticated actions, just not additional bits such as email etc. We don't have plans to implement this functionality in the near future since a viable workaround exists; however, I will keep this request open in order for other community members to weigh in and provide their upvotes. Thank you!
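The lookup step discussed in this thread, as an added example that is not part of the issue or of Boundary's code: a post-processing pass that adds `email` and `full_name` to every `user_info` object in JSON-lines audit events. The directory contents, the `data` envelope around `auth`, and the `lookup` marker field are assumptions made for the example.

```python
import json

# Constructed directory (user ID -> attributes), assumed exported separately.
DIRECTORY = {
    "u_Qifo7VLXaA": {"email": "user@example.com", "full_name": "example user"},
}

def enrich(node, directory):
    """Add email/full_name to each user_info found; return count of unknown IDs."""
    unresolved = 0
    if isinstance(node, dict):
        info = node.get("user_info")
        if isinstance(info, dict) and info.get("id"):
            attrs = directory.get(info["id"])
            if attrs is None:
                info["lookup"] = "unresolved"  # hypothetical marker field
                unresolved += 1
            else:
                for key in ("email", "full_name"):
                    info.setdefault(key, attrs.get(key))
        for value in node.values():
            unresolved += enrich(value, directory)
    elif isinstance(node, list):
        for item in node:
            unresolved += enrich(item, directory)
    return unresolved

def enrich_lines(lines, directory):
    """Enrich JSON-lines audit events; non-JSON lines pass through untouched."""
    out, unresolved = [], 0
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            out.append(line)
            continue
        unresolved += enrich(event, directory)
        out.append(json.dumps(event))
    return out, unresolved

# Constructed sample events; only the "auth" shape comes from the issue,
# the surrounding "data" envelope is an assumption.
SAMPLE = [
    '{"data": {"auth": {"auth_token_id": "", "user_info": {"id": "u_Qifo7VLXaA"}}}}',
    '{"data": {"auth": {"auth_token_id": "", "user_info": {"id": "u_unknown0001"}}}}',
]

if __name__ == "__main__":
    print(enrich_lines(SAMPLE, DIRECTORY))
```

Counting unresolved IDs matters for audit use: an ID missing from the directory (for example a deleted user) stays visible instead of being silently left unenriched.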