public/rancher-docs
1
0
Fork 0
mirror of https://github.com/rancher/rancher-docs.git synced 2026-05-19 19:35:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Docs for UserId in Audit log enhancement

Browse Source
This commit is contained in:
Prachi Damle
2021-08-30 10:29:46 -07:00
parent 98160cc271
commit 32adb680c2
2 changed files with 26 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
content/rancher/v2.6/en/troubleshooting/_index.md
+3
View File
@@ -36,3 +36,6 @@ This section contains information to help you troubleshoot issues when using Ran
Read more about what log levels can be configured and how to configure a log level.
- [User ID Tracking in Audit Logs]({{<baseurl>}}/rancher/v2.6/en/troubleshooting/userid-tracking-in-audit-logs/)
Read more about how a Rancher Admin can trace an event from the Rancher audit logs and into the Kubernetes audit logs using the external Identity Provider username.
content/rancher/v2.6/en/troubleshooting/userid-tracking-in-audit-logs/_index.md
+23
View File
@@ -0,0 +1,23 @@
---
title: User ID Tracking in Audit Logs
weight: 110
---
The following audit logs are used in Rancher to track events occuring on the local and downstream clusters:
* [Kubernetes Audit Logs]({{<baseurl>}}/rke/latest/en/config-options/audit-log/)
* [Rancher API Audit Logs]({{<baseurl>}}/rancher/v2.6/en/installation/resources/advanced/api-audit-log/)
Audit logs in Rancher v2.6 have been enhanced to include the external Identity Provider name (common name of the user in the external Auth provider) in both the Rancher and downstream Kubernetes audit logs.
Before v2.6, a Rancher Admin could not trace an event from the Rancher audit logs and into the Kubernetes audit logs without knowing the mapping of the external Identity Provider username to the userId (`u-xXXX`) used in Rancher.
To know this mapping, the cluster admins needed to have access to Rancher API, UI, and the local management cluster.
Now with this feature, a downstream cluster admin should be able to look at the Kubernetes audit logs and know which specific external Identity Provider (IDP) user performed an action without needing to view anything in Rancher.
If the audit logs are shipped off of the cluster, a user of the logging system should be able to identify the user in the external Identity Provider system.
A Rancher Admin should now be able to view Rancher audit logs and follow through to the Kubernetes audit log by using the external Identity Provider username.
### Feature Description
- When Kubernetes Audit logs are enabled on the downstream cluster, in each event that is logged, the external Identity Provider's username is now logged for each request, at the "metadata" level.
- When Rancher API Audit logs are enabled on the rancher installation, the external Identity Provider's username is also logged now at the "auditLog.level=1" for each request that hits the Rancher API server, including the login requests.