-
Notifications
You must be signed in to change notification settings - Fork 14.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AIP-81 Implement Log Insert Endpoint to REST API (FastAPI) #45304
Comments
Hi @bugraoz93, If I may suggest, this could also be achieved by using a command-line-specific What do you think? |
What would this log from the CLI code that shouldn't already be logged by the REST API itself? |
@jason810496 It makes sense. There is one small thing here, we should identify when the event originates from cli_ and log the full_command. One way to achieve this is by using headers in the API, though this would result in a custom implementation specific to the CLI on the API side. |
We are passing the event as a Line 117 in a2c5a48
airflow/airflow/utils/cli_action_loggers.py Lines 118 to 160 in 52ed7d7
|
Thanks. Perhaps this is a solved problem, but I can't think of a way to guarantee we know if a client is CLI or something else if a malicious actor is involved. I would think they could do the OAuth dance in the CLI way or the WebUI way and get a different audience unless a particular account was locked to only one type or the other. Still, it would be a known, though likely compromised, account that accessed the API..... In this case knowing the IP address the request reached the outermost load balancer is probably as much as we can rely on. Possibly my knowledge is out of date here. For a non-malicious actor, knowing the exact CLI command might help to research why something was changed a particular way. I suppose the question is: is there is enough value to knowing the exact CLI command in addition to the REST API request parameters and body to be worth adding the special case? Beyond that, knowing the audience (and knowing not to depend on it) might be as much as is worth implementing. I'm wishy-washy on the value of this. I hope my ramblings are useful :) |
I was giving an example of why we should maintain the behaviour and explaining why this feature is needed in case the current behaviours persist. Keeping an additional audit log is always valuable when it comes to security. I think every idea is useful here, as it brings another perspective to the table. Thanks! :) |
All CLI actions will eventually go through the API and the API is responsible for login any user action already with the I assume that API authentication when calling from the CLI has specific permissions etc... and that it is authenticated through a dedicated role / has a specific token / something identifiable from the API to know that this is a call that is coming from the CLI. Because for instance some endpoints are only accessible from the CLI (specific permissions etc...). Thus I think the API should be able to log properly the actions and the I think this comes down to:
|
Many thanks for your perspective on this! I have very high-level answers at the moment which may not be enough to make decisions. The answers to these questions will enlighten multiple parts of this project. I will answer them in a detailed way very soon to be brought up into discussion. So that we won't do any duplicate or overlapping work |
Description
We should be able to insert Log (
from airflow.models.log import Log
) similar to here,airflow/airflow/utils/cli_action_loggers.py
Line 106 in 52ed7d7
This will enable us to use the logging feature without relying on the session.
Use case/motivation
To provide the same functionality for the CLI with API integration.
AIP-81
Related issues
No response
Are you willing to submit a PR?
Code of Conduct
The text was updated successfully, but these errors were encountered: