opentdf / platform

OpenTDF Platform monorepo enabling the development and integration of _forever control_ of data into new and existing applications. The concept of forever control stems from an increasingly common concept known as zero trust.
BSD 3-Clause Clear License

Downstream PEPs/PDPs/Services registered to the platform should be able to trigger their own Audit events #1180

Open jakedoublev opened 1 month ago

jakedoublev commented 1 month ago

Background

If a downstream PEP is causing an event that should be tracked in audit, to my knowledge there is no way currently for them to trigger an audit event log. This should be supported via an extension to the current audit functionality to ensure audit events relevant to platform admins are adequately tracked even if they are not directly tied to the core of the platform.

Acceptance Criteria

  1. a solution is employed (probably via service registration) to give audit privilege to PEPs (configurable?)
  2. care is taken so that services cannot mutate audit logs of other services to prevent a malicious PEP from masking bad actions
strantalis commented 1 month ago

I think this is close. We pass in the logger which contains the audit extension, but I think we just need to either make the pkgs public or add a generic audit method downstream PEPs can leverage.

https://github.com/opentdf/platform/blob/58e04df68c92be0433eb5197aa641b5cc9732ff1/service/pkg/server/services.go#L155
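Added example, not code from the opentdf/platform repository and not tied to its real audit package: a sketch of the shape both comments describe. A platform-owned sink hands each service a scoped emitter at registration time (acceptance criterion 1); the emitter can only append events stamped with its own service name, duplicate names are rejected so one service cannot write under another's, and a hash chain lets an admin detect any later modification of stored records (criterion 2). All type and function names (`AuditSink`, `Emitter`, `Register`, `Audit`, `Verify`) and the service names used in `main` are assumptions for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// AuditEvent is one append-only record. Service is stamped by the platform
// from the emitter that wrote it, never taken from the caller's arguments.
type AuditEvent struct {
	Seq       uint64
	Service   string
	Action    string
	Object    string
	Timestamp time.Time
	PrevHash  string // Hash of the preceding event, "" for the first one
	Hash      string // sha256 over this event's fields plus PrevHash
}

// AuditSink is the platform-owned store (hypothetical). The slice is unexported
// and reachable only through methods that append or read copies, never mutate.
type AuditSink struct {
	mu         sync.Mutex
	events     []AuditEvent
	registered map[string]bool
	now        func() time.Time
}

func NewAuditSink() *AuditSink {
	return &AuditSink{registered: map[string]bool{}, now: time.Now}
}

// Emitter is the only handle a downstream PEP receives: it can append events
// under its own service name and nothing else.
type Emitter struct {
	sink    *AuditSink
	service string
}

var ErrAlreadyRegistered = errors.New("audit: service name already registered")

// Register grants audit privilege once, at service registration. Rejecting a
// duplicate name stops a second service from emitting under an existing name.
func (s *AuditSink) Register(service string) (*Emitter, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.registered[service] {
		return nil, ErrAlreadyRegistered
	}
	s.registered[service] = true
	return &Emitter{sink: s, service: service}, nil
}

func hashEvent(ev AuditEvent) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%s|%s|%s|%s|%s", ev.Seq, ev.Service, ev.Action, ev.Object,
		ev.Timestamp.UTC().Format(time.RFC3339Nano), ev.PrevHash)
	return hex.EncodeToString(h.Sum(nil))
}

// Audit appends one event; the Service field always comes from the emitter.
func (e *Emitter) Audit(action, object string) AuditEvent {
	s := e.sink
	s.mu.Lock()
	defer s.mu.Unlock()
	ev := AuditEvent{Seq: uint64(len(s.events)) + 1, Service: e.service,
		Action: action, Object: object, Timestamp: s.now()}
	if n := len(s.events); n > 0 {
		ev.PrevHash = s.events[n-1].Hash
	}
	ev.Hash = hashEvent(ev)
	s.events = append(s.events, ev)
	return ev
}

// Events returns a copy for platform admins; the backing slice stays private.
func (s *AuditSink) Events() []AuditEvent {
	s.mu.Lock()
	defer s.mu.Unlock()
	return append([]AuditEvent(nil), s.events...)
}

// Verify recomputes the chain and returns the Seq of the first inconsistent
// event, or 0 when every stored record still matches its hash.
func (s *AuditSink) Verify() uint64 {
	s.mu.Lock()
	defer s.mu.Unlock()
	prev := ""
	for _, ev := range s.events {
		if ev.PrevHash != prev || hashEvent(ev) != ev.Hash {
			return ev.Seq
		}
		prev = ev.Hash
	}
	return 0
}

func main() {
	sink := NewAuditSink()
	core, _ := sink.Register("core")                // constructed names
	pep, _ := sink.Register("downstream-pep")
	core.Audit("policy.update", "attr-1")
	pep.Audit("access.deny", "resource-2")
	_, err := sink.Register("core") // a second "core" cannot be registered
	fmt.Println("duplicate registration rejected:", errors.Is(err, ErrAlreadyRegistered))
	for _, ev := range sink.Events() {
		fmt.Printf("%d %-15s %-14s %s\n", ev.Seq, ev.Service, ev.Action, ev.Object)
	}
	fmt.Println("chain intact:", sink.Verify() == 0)
}
```

The emitter type deliberately exposes no read, update or delete method, so the audit privilege handed to a PEP is append-only by construction rather than by policy; the hash chain covers the remaining case of the store itself being edited after the fact.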