From 27ba1f0cb4c3b819699aee03d23e83ddf53bb75d Mon Sep 17 00:00:00 2001
From: shivam-ajmera
Date: Thu, 18 Jul 2024 17:39:02 -0400
Subject: [PATCH 01/13] tmp
---
 temporal/api/cloud/auditlog/v1/message.proto | 107 ++++++++++++++++++
 .../cloudservice/v1/request_response.proto | 22 ++++
 2 files changed, 129 insertions(+)
 create mode 100644 temporal/api/cloud/auditlog/v1/message.proto
diff --git a/temporal/api/cloud/auditlog/v1/message.proto b/temporal/api/cloud/auditlog/v1/message.proto
new file mode 100644
index 0000000..3ea2dea
--- /dev/null
+++ b/temporal/api/cloud/auditlog/v1/message.proto
@@ -0,0 +1,107 @@
+syntax = "proto3";
+
+package temporal.api.cloud.auditlog.v1;
+
+option go_package = "go.temporal.io/api/cloud/auditlog/v1;auditlog";
+option java_package = "io.temporal.api.cloud.auditlog.v1";
+option java_multiple_files = true;
+option java_outer_classname = "MessageProto";
+option ruby_package = "Temporalio::Api::Cloud::AuditLog::V1";
+option csharp_namespace = "Temporalio.Api.Cloud.AuditLog.V1";
+
+import "google/protobuf/timestamp.proto";
+
+// LogRecord represents an audit log entry from Temporal, structured for easy parsing and analysis.
+message LogRecord {
+ // Time when the log was emitted from the source
+ google.protobuf.Timestamp emit_time = 1;
+
+ // Level of the log, i.e. info, warn, error etc
+ LogLevel level = 2;
+
+ // Operator email address
+ string user_email = 3;
+
+ // Operator IP address or server name
+ string caller_ip_address = 4;
+
+ // Operation performed
+ string operation = 5;
+
+ // Detailed information about the operation.
+ OperationDetail details = 6;
+
+ // Operation status from API call
+ string status = 7;
+
+ // Admin or System
+ LogCategory category = 8;
+
+ // Version of the log entry
+ int32 version = 9;
+
+ // Unique ID for the log record.
+ string log_id = 10;
+}
+
+// OperationDetails includes potential more detailed operation logs extracted from the different fields in the
+// Temporal API logs or third party logs, e.g. auth0
+message OperationDetail {
+ // The namespace the operation was performed on
+ string namespace = 1;
+
+ // The users the operation was performed on
+ repeated string target_users = 2;
+
+ // Role information if any role is processed
+ repeated string roles = 3;
+
+ // Fingerprints if client ca is included
+ repeated string client_ca_fingerprints = 4;
+
+ // Search attributes if the search attributes were processed
+ SearchAttributeUpdate search_attribute_update = 5;
+
+ // Additional message if there is any
+ string additional_message = 6;
+
+ // Namespace's region if available
+ string region = 7;
+
+ // If account features were updated i.e. external metrics, audit logging sink etc.
+ repeated string account_features = 8;
+
+ // Third party log details eg: auth0
+ ThirdPartyLogDetail third_party_details = 9;
+}
+
+message SearchAttributeUpdate {
+ string existing_attribute = 1;
+
+ string new_attribute = 2;
+}
+
+message ThirdPartyLogDetail {
+ string id = 1;
+
+ // the third party source, e.g. auth0
+ string source = 2;
+
+ // the raw log message from the third party app, e.g. the whole auth0 event log
+ string raw_message = 3;
+}
+
+enum LogCategory {
+ LOG_CATEGORY_UNSPECIFIED = 0;
+ LOG_CATEGORY_ADMIN = 1;
+ LOG_CATEGORY_SYSTEM = 2;
+}
+
+enum LogLevel {
+ LOG_LEVEL_UNSPECIFIED = 0;
+ LOG_LEVEL_INFO = 1;
+ LOG_LEVEL_DEBUG = 2;
+ LOG_LEVEL_WARN = 3;
+ LOG_LEVEL_ERROR = 4;
+ LOG_LEVEL_FATAL = 5;
+}
diff --git a/temporal/api/cloud/cloudservice/v1/request_response.proto b/temporal/api/cloud/cloudservice/v1/request_response.proto
index 176889d..1d0311f 100644
--- a/temporal/api/cloud/cloudservice/v1/request_response.proto
+++ b/temporal/api/cloud/cloudservice/v1/request_response.proto
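Review bot: `ThirdPartyLogDetail.raw_message` is documented as "the whole auth0 event log" passed through verbatim, but nothing says whether that payload is redacted or schema-controlled, which matters to anyone forwarding these records to a log sink; suggest `// Unstructured passthrough of the upstream event as received from the source; not a Temporal-owned schema and not guaranteed to be redacted.` with the redaction claim confirmed against the ingest path. `SearchAttributeUpdate`, both of its fields and `ThirdPartyLogDetail.id` carry no comment at all, and `LogRecord.status` is a free-form string whose possible values are not stated even though the file already defines enums for level and category. The `import` also sits after the file-level `option` lines; the usual order (and what `buf format` emits) is imports before options.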
@@ -9,6 +9,7 @@ option java_outer_classname = "RequestResponseProto";
 option ruby_package = "Temporalio::Api::Cloud::CloudService::V1";
 option csharp_namespace = "Temporalio.Api.Cloud.CloudService.V1";
+import "temporal/api/cloud/auditlog/v1/message.proto";
 import "temporal/api/cloud/operation/v1/message.proto";
 import "temporal/api/cloud/identity/v1/message.proto";
 import "temporal/api/cloud/namespace/v1/message.proto";
@@ -525,3 +526,24 @@ message DeleteServiceAccountResponse {
 // The async operation.
 temporal.api.cloud.operation.v1.AsyncOperation async_operation = 1;
 }
+
+message GetAuditLogsRequest {
+ // The requested size of the page to retrieve - optional.
+ // Cannot exceed 1000. Defaults to 100.
+ int32 page_size = 1;
+ // The page token if this is continuing from another response - optional.
+ string page_token = 2;
+ // Filter for logs inserted at a time >= this.
+ google.protobuf.Timestamp start_time_inclusive = 2;
+ // Filter for logs inserted at a time < this. - optional.
+ google.protobuf.Timestamp end_time_exclusive = 3;
+ // Filter logs by a user's email address - optional.
+ string user_email_substring = 4;
+}
+
+message GetAuditLogsResponse {
+ // The list of audit logs ordered by inserted time, emit time, log_id
+ repeated temporal.api.cloud.auditlog.v1.LogRecord groups = 1;
+ // The next page's token.
+ string next_page_token = 2;
+}
\ No newline at end of file
From 3ed8238ca4a8acfe4b4decab7934babfc0424fa9 Mon Sep 17 00:00:00 2001
From: shivam-ajmera
Date: Thu, 18 Jul 2024 17:42:05 -0400
Subject: [PATCH 02/13] oops
---
 temporal/api/cloud/cloudservice/v1/request_response.proto | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/temporal/api/cloud/cloudservice/v1/request_response.proto b/temporal/api/cloud/cloudservice/v1/request_response.proto
index 1d0311f..2e1f2d4 100644
--- a/temporal/api/cloud/cloudservice/v1/request_response.proto
+++ b/temporal/api/cloud/cloudservice/v1/request_response.proto
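Review bot: Both timestamp filters and the response comment refer to an "inserted" time, but `LogRecord` as added in this patch exposes only `emit_time`, so a caller cannot tell which record timestamp the window bounds nor reproduce the documented ordering ("inserted time, emit time, log_id") from the returned data. Either state that the window applies to `emit_time`, or expose the insert time on the record and name it here, e.g. `// Filter for logs whose <insert time — confirm field> is >= this.`. The file also ends without a trailing newline (`\ No newline at end of file`), which every later patch to this file keeps re-touching.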
@@ -534,11 +534,11 @@ message GetAuditLogsRequest {
 // The page token if this is continuing from another response - optional.
 string page_token = 2;
 // Filter for logs inserted at a time >= this.
- google.protobuf.Timestamp start_time_inclusive = 2;
+ google.protobuf.Timestamp start_time_inclusive = 3;
 // Filter for logs inserted at a time < this. - optional.
- google.protobuf.Timestamp end_time_exclusive = 3;
+ google.protobuf.Timestamp end_time_exclusive = 4;
 // Filter logs by a user's email address - optional.
- string user_email_substring = 4;
+ string user_email_substring = 5;
 }
 message GetAuditLogsResponse {
From 0683b482d8de65e02746c7793ad6024f07ca3dee Mon Sep 17 00:00:00 2001
From: shivam-ajmera
Date: Thu, 18 Jul 2024 17:53:53 -0400
Subject: [PATCH 03/13] import
---
 temporal/api/cloud/cloudservice/v1/request_response.proto | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/temporal/api/cloud/cloudservice/v1/request_response.proto b/temporal/api/cloud/cloudservice/v1/request_response.proto
index 2e1f2d4..dc9afdc 100644
--- a/temporal/api/cloud/cloudservice/v1/request_response.proto
+++ b/temporal/api/cloud/cloudservice/v1/request_response.proto
@@ -9,6 +9,8 @@ option java_outer_classname = "RequestResponseProto";
 option ruby_package = "Temporalio::Api::Cloud::CloudService::V1";
 option csharp_namespace = "Temporalio.Api.Cloud.CloudService.V1";
+import "google/protobuf/timestamp.proto";
+
 import "temporal/api/cloud/auditlog/v1/message.proto";
 import "temporal/api/cloud/operation/v1/message.proto";
 import "temporal/api/cloud/identity/v1/message.proto";
From 1ad8456b726390b938265bcbfa69cfc254a11cc9 Mon Sep 17 00:00:00 2001
From: shivam-ajmera
Date: Thu, 18 Jul 2024 17:56:42 -0400
Subject: [PATCH 04/13] nit name
---
 temporal/api/cloud/cloudservice/v1/request_response.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
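Review bot: Shifting `start_time_inclusive`, `end_time_exclusive` and `user_email_substring` from tags 2/3/4 to 3/4/5 is wire-safe only because PATCH 01 in this series has not been published; a field number that has been used by any consumer cannot be moved without silently reinterpreting old payloads. If the series is squashed before release this is fine; if PATCH 01 was ever consumed by a generated client, the old assignments need `reserved` entries and fresh numbers rather than a renumber.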
diff --git a/temporal/api/cloud/cloudservice/v1/request_response.proto b/temporal/api/cloud/cloudservice/v1/request_response.proto
index dc9afdc..fa8d45d 100644
--- a/temporal/api/cloud/cloudservice/v1/request_response.proto
+++ b/temporal/api/cloud/cloudservice/v1/request_response.proto
@@ -545,7 +545,7 @@ message GetAuditLogsRequest {
 message GetAuditLogsResponse {
 // The list of audit logs ordered by inserted time, emit time, log_id
- repeated temporal.api.cloud.auditlog.v1.LogRecord groups = 1;
+ repeated temporal.api.cloud.auditlog.v1.LogRecord logs = 1;
 // The next page's token.
 string next_page_token = 2;
 }
\ No newline at end of file
From 4efcc4d8d185da86cb130435472f0e64ac8a293d Mon Sep 17 00:00:00 2001
From: shivam-ajmera
Date: Thu, 18 Jul 2024 18:33:48 -0400
Subject: [PATCH 05/13] comments
---
 temporal/api/cloud/auditlog/v1/message.proto | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/temporal/api/cloud/auditlog/v1/message.proto b/temporal/api/cloud/auditlog/v1/message.proto
index 3ea2dea..7f60cf1 100644
--- a/temporal/api/cloud/auditlog/v1/message.proto
+++ b/temporal/api/cloud/auditlog/v1/message.proto
@@ -50,10 +50,10 @@ message OperationDetail {
 // The namespace the operation was performed on
 string namespace = 1;
- // The users the operation was performed on
+ // The email addresses of the users on whom the operation was performed
 repeated string target_users = 2;
- // Role information if any role is processed
+ // Names of any roles processed
 repeated string roles = 3;
 // Fingerprints if client ca is included
From 798b9861d2a38353902a729c8f693e3d3b091d66 Mon Sep 17 00:00:00 2001
From: shivam-ajmera
Date: Thu, 18 Jul 2024 18:36:12 -0400
Subject: [PATCH 06/13] comment
---
 temporal/api/cloud/auditlog/v1/message.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/temporal/api/cloud/auditlog/v1/message.proto b/temporal/api/cloud/auditlog/v1/message.proto
index 7f60cf1..77cb2c5 100644
--- a/temporal/api/cloud/auditlog/v1/message.proto
+++ b/temporal/api/cloud/auditlog/v1/message.proto
@@ -59,7 +59,7 @@ message OperationDetail {
 // Fingerprints if client ca is included
 repeated string client_ca_fingerprints = 4;
- // Search attributes if the search attributes were processed
+ // Details of a search attribute update
 SearchAttributeUpdate search_attribute_update = 5;
 // Additional message if there is any
From 24052480558286b62ad6031c5e086551d1836354 Mon Sep 17 00:00:00 2001
From: shivam-ajmera
Date: Thu, 18 Jul 2024 19:05:51 -0400
Subject: [PATCH 07/13] service
---
 temporal/api/cloud/cloudservice/v1/service.proto | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/temporal/api/cloud/cloudservice/v1/service.proto b/temporal/api/cloud/cloudservice/v1/service.proto
index f37e673..df1ba44 100644
--- a/temporal/api/cloud/cloudservice/v1/service.proto
+++ b/temporal/api/cloud/cloudservice/v1/service.proto
@@ -260,4 +260,11 @@ service CloudService {
 delete: "/cloud/service-accounts/{service_account_id}",
 };
 }
+
+ // Get audit logs
+ rpc GetAuditLogs(GetAuditLogsRequest) returns (GetAuditLogsResponse) {
+ option (google.api.http) = {
+ get: "/cloud/audit-logs",
+ };
+ }
 }
From 0cfcbf70d17556c5fcce54123d06175f90951754 Mon Sep 17 00:00:00 2001
From: shivam-ajmera
Date: Fri, 19 Jul 2024 11:51:30 -0400
Subject: [PATCH 08/13] operation
---
 temporal/api/cloud/cloudservice/v1/request_response.proto | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/temporal/api/cloud/cloudservice/v1/request_response.proto b/temporal/api/cloud/cloudservice/v1/request_response.proto
index fa8d45d..7b99896 100644
--- a/temporal/api/cloud/cloudservice/v1/request_response.proto
+++ b/temporal/api/cloud/cloudservice/v1/request_response.proto
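Review bot: The new `GetAuditLogs` rpc is documented only as `// Get audit logs`, so the generated API docs for `/cloud/audit-logs` say nothing about paging or the time window that `GetAuditLogsRequest` already spells out (page cap 1000, default 100). Suggest `// Get a page of audit logs within the requested time window; see GetAuditLogsRequest for page-size limits and filter defaults.`. Since audit records are a sensitive dataset, it is also worth stating which account role (the `AccountAccess.role` values in identity/v1) may call this, if that is fixed at the API level rather than per deployment — I cannot tell from the hunk.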
@@ -541,6 +541,8 @@ message GetAuditLogsRequest {
 google.protobuf.Timestamp end_time_exclusive = 4;
 // Filter logs by a user's email address - optional.
 string user_email_substring = 5;
+ // Filter logs by the operation - optional.
+ string operation = 6;
 }
 message GetAuditLogsResponse {
From 0e1e7fd2ceda92f2f289263c26e3670e30cb7361 Mon Sep 17 00:00:00 2001
From: shivam-ajmera
Date: Fri, 19 Jul 2024 13:14:14 -0400
Subject: [PATCH 09/13] req
---
 temporal/api/cloud/cloudservice/v1/request_response.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/temporal/api/cloud/cloudservice/v1/request_response.proto b/temporal/api/cloud/cloudservice/v1/request_response.proto
index 7b99896..0a564db 100644
--- a/temporal/api/cloud/cloudservice/v1/request_response.proto
+++ b/temporal/api/cloud/cloudservice/v1/request_response.proto
@@ -535,7 +535,7 @@ message GetAuditLogsRequest {
 int32 page_size = 1;
 // The page token if this is continuing from another response - optional.
 string page_token = 2;
- // Filter for logs inserted at a time >= this.
+ // Filter for logs inserted at a time >= this. - required.
 google.protobuf.Timestamp start_time_inclusive = 3;
 // Filter for logs inserted at a time < this. - optional.
 google.protobuf.Timestamp end_time_exclusive = 4;
From f8b9201fff007b917d3c06e757cd38bc796f4f24 Mon Sep 17 00:00:00 2001
From: shivam-ajmera
Date: Sun, 21 Jul 2024 22:30:17 -0400
Subject: [PATCH 10/13] updates
---
 temporal/api/cloud/auditlog/v1/message.proto | 24 ++++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/temporal/api/cloud/auditlog/v1/message.proto b/temporal/api/cloud/auditlog/v1/message.proto
index 77cb2c5..9925bbd 100644
--- a/temporal/api/cloud/auditlog/v1/message.proto
+++ b/temporal/api/cloud/auditlog/v1/message.proto
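Review bot: `operation` is described only as "Filter logs by the operation", while the adjacent `user_email_substring` encodes its match rule in its name, so a caller cannot tell whether this is an exact match on `LogRecord.operation`, a prefix, or a substring. `LogRecord.operation` is itself a free-form string with no enumerated values, so the comment should also say where valid operation names come from. Suggest `// Filter logs whose operation <exactly equals — confirm> this value; see LogRecord.operation for the value space - optional.`. `GetAuditLogsRequest` begins before this hunk.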
@@ -13,13 +13,13 @@ import "google/protobuf/timestamp.proto";
 // LogRecord represents an audit log entry from Temporal, structured for easy parsing and analysis.
 message LogRecord {
- // Time when the log was emitted from the source
+ // Time when the log was emitted from the source
 google.protobuf.Timestamp emit_time = 1;
 // Level of the log, i.e. info, warn, error etc
 LogLevel level = 2;
- // Operator email address
+ // Operator email address - optional
 string user_email = 3;
 // Operator IP address or server name
@@ -37,7 +37,7 @@ message LogRecord {
 // Admin or System
 LogCategory category = 8;
- // Version of the log entry
+ // Specifies the version of the log entry to distinguish between different systems on the server side.
 int32 version = 9;
 // Unique ID for the log record.
@@ -47,31 +47,31 @@ message LogRecord {
 // OperationDetails includes potential more detailed operation logs extracted from the different fields in the
 // Temporal API logs or third party logs, e.g. auth0
 message OperationDetail {
- // The namespace the operation was performed on
+ // The namespace the operation was performed on - optional
 string namespace = 1;
- // The email addresses of the users on whom the operation was performed
+ // The email addresses of the users on whom the operation was performed - optional
 repeated string target_users = 2;
- // Names of any roles processed
+ // Names of any roles/accesses assigned to identities that were processed in this request - optional
 repeated string roles = 3;
- // Fingerprints if client ca is included
+ // Fingerprints if client ca is included - optional
 repeated string client_ca_fingerprints = 4;
- // Details of a search attribute update
+ // Details of a search attribute update - optional
 SearchAttributeUpdate search_attribute_update = 5;
- // Additional message if there is any
+ // Additional relevant message - optional
 string additional_message = 6;
- // Namespace's region if available
+ // Namespace's region - optional
 string region = 7;
- // If account features were updated i.e. external metrics, audit logging sink etc.
+ // If account features were updated i.e. external metrics, audit logging sink etc. - optional
 repeated string account_features = 8;
- // Third party log details eg: auth0
+ // Third party log details eg: auth0 - optional
 ThirdPartyLogDetail third_party_details = 9;
 }
From d4d004b188138543fbe18e6c99a8c04e0712f944 Mon Sep 17 00:00:00 2001
From: shivam-ajmera
Date: Sun, 21 Jul 2024 23:06:13 -0400
Subject: [PATCH 11/13] UTC note
---
 temporal/api/cloud/cloudservice/v1/request_response.proto | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/temporal/api/cloud/cloudservice/v1/request_response.proto b/temporal/api/cloud/cloudservice/v1/request_response.proto
index 0a564db..48fc781 100644
--- a/temporal/api/cloud/cloudservice/v1/request_response.proto
+++ b/temporal/api/cloud/cloudservice/v1/request_response.proto
@@ -535,9 +535,9 @@ message GetAuditLogsRequest {
 int32 page_size = 1;
 // The page token if this is continuing from another response - optional.
 string page_token = 2;
- // Filter for logs inserted at a time >= this. - required.
+ // Filter for logs inserted at a UTC time >= this. - required.
 google.protobuf.Timestamp start_time_inclusive = 3;
- // Filter for logs inserted at a time < this. - optional.
+ // Filter for logs inserted at a UTC time < this. - optional.
 google.protobuf.Timestamp end_time_exclusive = 4;
 // Filter logs by a user's email address - optional.
 string user_email_substring = 5;
From 3d74d6a87b36d9243079df01cba6d21e27a97e19 Mon Sep 17 00:00:00 2001
From: beardo
Date: Tue, 13 Aug 2024 12:33:09 -0600
Subject: [PATCH 12/13] feat: add owner and finance admin roles CLD-3326 (#39)
---
 temporal/api/cloud/identity/v1/message.proto | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/temporal/api/cloud/identity/v1/message.proto b/temporal/api/cloud/identity/v1/message.proto
index 7db0cae..0ede1d8 100644
--- a/temporal/api/cloud/identity/v1/message.proto
+++ b/temporal/api/cloud/identity/v1/message.proto
@@ -12,9 +12,11 @@ option csharp_namespace = "Temporalio.Api.Cloud.Identity.V1";
 import "google/protobuf/timestamp.proto";
 message AccountAccess {
- // The role on the account, should be one of [admin, developer, read]
+ // The role on the account, should be one of [owner, admin, developer, financeadmin, read]
+ // owner - gives full access to the account, including users, namespaces, and billing
 // admin - gives full access the account, including users and namespaces
 // developer - gives access to create namespaces on the account
+ // financeadmin - gives read only access and write access for billing
 // read - gives read only access to the account
 string role = 1;
 }
From 55fe2427fdd6b73a71bc97943bcf440e3ae60aad Mon Sep 17 00:00:00 2001
From: shivam-ajmera
Date: Thu, 15 Aug 2024 12:58:28 -0400
Subject: [PATCH 13/13] update
---
 temporal/api/cloud/cloudservice/v1/request_response.proto | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/temporal/api/cloud/cloudservice/v1/request_response.proto b/temporal/api/cloud/cloudservice/v1/request_response.proto
index 48fc781..edf705e 100644
--- a/temporal/api/cloud/cloudservice/v1/request_response.proto
+++ b/temporal/api/cloud/cloudservice/v1/request_response.proto
@@ -535,14 +535,10 @@ message GetAuditLogsRequest {
 int32 page_size = 1;
 // The page token if this is continuing from another response - optional.
 string page_token = 2;
- // Filter for logs inserted at a UTC time >= this. - required.
+ // Filter for UTC time >= (defaults to 30 days ago) - optional.
 google.protobuf.Timestamp start_time_inclusive = 3;
- // Filter for logs inserted at a UTC time < this. - optional.
+ // Filter for UTC time < (defaults to current time) - optional.
 google.protobuf.Timestamp end_time_exclusive = 4;
- // Filter logs by a user's email address - optional.
- string user_email_substring = 5;
- // Filter logs by the operation - optional.
- string operation = 6;
 }
 message GetAuditLogsResponse {
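Review bot: The rewritten comments on `start_time_inclusive` and `end_time_exclusive` read "Filter for UTC time >= …" with no subject, so the record timestamp the window applies to (`emit_time`, or the insert time that the `GetAuditLogsResponse` ordering comment mentions) is no longer stated anywhere; suggest `// Filter for logs with <emit_time — confirm> >= this (UTC; defaults to 30 days ago) - optional.`. The 30-day default also means a caller that leaves `start_time_inclusive` unset silently gets no older records, which deserves an explicit sentence so exports are not assumed to be complete. Tags 5 and 6 (`user_email_substring`, `operation`) are removed outright; that is fine only if no build between PATCH 01 and this one was published, otherwise add `reserved 5, 6;` and `reserved "user_email_substring", "operation";`.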