This documentation was used during the planning phase. See also the newer documentation on the User Audit Log.
User auditing is auditing, at a high level, what users (or processes) do to the registry, e.g. Sue added a group on a certain day. It might not record that, as part of creating that group, some privileges were created, the "base" type was associated with that group, etc.
We should have two tables: an audit table and an audit metadata table. The audit table has user info, timestamp, audit_type, audit_action, etc., and 10 misc cols for various things. The metadata table describes what those 10 cols mean for a certain type and action (e.g. for a group insert, col1 means group_uuid, col2 means group_name, etc.); this table only has a few dozen rows. Then in the API we code in where the auditing occurs in various places. A loader job will delete audit information that is too old (not implemented yet). In the UI or WS we can query this information (probably by audit type and action), and a table of data with headers can be returned (the headers come from the metadata).
We also need a context_id on all tables, in the user audit table, and in the PIT tables. In Java we will have an inversion of control that sets a thread-local context id if one is not already there. If a query runs without a context id, it should throw an exception (since something is not coded completely). The code where the context is set is probably where the user auditing should occur, maybe only if the context id is new (not nested from somewhere else).
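An added example, written for this page and not taken from Grouper, that models the two paragraphs above in Python: an audit table with numbered misc columns, a metadata table that says what those columns mean per (type, action), a thread-local context id that a wrapper sets when none is present, auditing only when the context id is new (so nested operations stay silent), a raw query that throws when no context id is set, and a report whose headers come from the metadata. All names here (AUDIT_META, audit_context, record_audit, add_group, add_group_with_member, report) and the in-memory tables are constructed for the example.

```python
import threading
import uuid
from contextlib import contextmanager
from datetime import datetime, timezone

# Constructed stand-ins for the two tables. The metadata "table" says what the
# numbered misc columns mean for each (audit_type, audit_action); it is tiny.
AUDIT_META = {
    ("group", "addGroup"): {"col1": "group_uuid", "col2": "group_name"},
    ("membership", "addMembership"): {"col1": "group_name", "col2": "subject_id", "col3": "field_name"},
    ("group", "addGroupWithMember"): {"col1": "group_uuid", "col2": "group_name", "col3": "subject_id"},
}
AUDIT_ENTRIES = []          # the audit "table": one dict per row
_ctx = threading.local()    # per-thread context id, set by audit_context()


def current_context_id():
    return getattr(_ctx, "context_id", None)


def _require_context():
    """Every table access needs a context id; a missing one means a caller is not coded completely."""
    ctx = current_context_id()
    if ctx is None:
        raise RuntimeError("no context id set: caller must run inside audit_context()")
    return ctx


@contextmanager
def audit_context():
    """Sets a thread-local context id if none is present and reports whether it was new.

    Nested calls reuse the outer id, so only the outermost operation writes an audit row."""
    is_new = current_context_id() is None
    if is_new:
        _ctx.context_id = uuid.uuid4().hex
    try:
        yield _ctx.context_id, is_new
    finally:
        if is_new:
            _ctx.context_id = None


def record_audit(audit_type, action, user, description, **labelled):
    """Writes one audit row, mapping labelled values onto the misc columns via the metadata table."""
    row = {
        "context_id": _require_context(),
        "timestamp": datetime.now(timezone.utc),
        "audit_type": audit_type,
        "audit_action": action,
        "user": user,
        "description": description,
    }
    for col, label in AUDIT_META[(audit_type, action)].items():
        row[col] = labelled.get(label)
    AUDIT_ENTRIES.append(row)
    return row


def add_group(stem, name, user):
    with audit_context() as (_, is_new):
        group_uuid = uuid.uuid4().hex   # constructed; there is no real registry behind this
        if is_new:
            record_audit("group", "addGroup", user, f"Added group: {stem}:{name}",
                         group_uuid=group_uuid, group_name=f"{stem}:{name}")
        return group_uuid


def add_membership(group_name, subject_id, user):
    with audit_context() as (_, is_new):
        if is_new:
            record_audit("membership", "addMembership", user,
                         f"Added membership: group: {group_name}, subject: {subject_id}, field: members",
                         group_name=group_name, subject_id=subject_id, field_name="members")


def add_group_with_member(stem, name, subject_id, user):
    """A compound operation: the nested add_group/add_membership share its context id and write nothing."""
    with audit_context() as (_, is_new):
        group_uuid = add_group(stem, name, user)
        add_membership(f"{stem}:{name}", subject_id, user)
        if is_new:
            record_audit("group", "addGroupWithMember", user, f"Added group with member: {stem}:{name}",
                         group_uuid=group_uuid, group_name=f"{stem}:{name}", subject_id=subject_id)
        return group_uuid


def query_entries(audit_type, action):
    """Raw table access: raises if no context id is set."""
    _require_context()
    return [r for r in AUDIT_ENTRIES if (r["audit_type"], r["audit_action"]) == (audit_type, action)]


def report(audit_type, action):
    """What the UI or WS would return: headers from the metadata table plus one row of values per entry."""
    labels = AUDIT_META[(audit_type, action)]
    headers = ["timestamp", "user", "context_id"] + list(labels.values())
    with audit_context():           # the framework sets the context id on the caller's behalf
        rows = [[r["timestamp"], r["user"], r["context_id"]] + [r[c] for c in labels]
                for r in query_entries(audit_type, action)]
    return headers, rows


if __name__ == "__main__":
    add_group("newStem", "aGroup", "mchyzer")
    add_group_with_member("newStem", "bGroup", "jdbc.test.subject.1", "mchyzer")
    for hdr, rows in (report("group", "addGroup"), report("group", "addGroupWithMember")):
        print(hdr)
        for row in rows:
            print(row)
```

The compound operation writes exactly one row even though it calls two audited operations internally, which is the "only if the context id is new" rule; the shared context_id on every row is what lets a reviewer later tie an audit entry back to the point-in-time rows written in the same request.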
There is a view "grouper_audit_entry_v" which is the best DB resource for browsing audits, since it puts the category, action, and misc labels next to the audit entry record...
Audit type table holds (not all fields described here):
Audit entry table holds (not all fields described here):
All results in short form:
gsh 1% new UserAuditQuery().executeReport()
Results 1 - 10 of 35 ordered by: lastUpdatedDb desc

2009-04-15 07:42:03.179 membership - addMembership ( 261ms, 18 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1) (actAs: jdbc - test.subject.1 - description.test.subject.1)
  Description: Added membership: group: aStem:activeStudent, subject: jdbc.test.subject.7, field: members
  Server: grouperWS, host: AIT100229, user: mchyzer

2009-04-15 07:41:56.554 membership - deleteMembership ( 376ms, 11 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1)
  Description: Added membership: group: aStem:activeStudent, subject: jdbc.test.subject.7, field: members
  Server: grouperWS, host: AIT100229, user: mchyzer

2009-04-15 07:26:10.495 membership - addMembership ( 532ms, 20 queries)
  Description: Added membership: group: aStem:activeStudent, subject: jdbc.test.subject.7, field: members
  Server: null, host: AIT100229, user: mchyzer

2009-04-15 07:10:55.061 membership - addMembership ( 302ms, 13 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1)
  Description: Added membership: group: aStem:activeStudent, subject: jdbc.test.subject.5, field: members
  Server: grouperUI, host: AIT100229, user: mchyzer

2009-04-15 06:40:52.351 membership - addMembership ( 281ms, 13 queries)
  Description: Added membership: group: aStem:activeStudent, subject: jdbc.test.subject.6, field: members
  Server: null, host: AIT100229, user: mchyzer

2009-04-15 06:26:45.965 groupType - addGroupType ( 33ms, 2 queries)
  Description: Added group type: requireActiveStudent
  Server: grouperShell, host: AIT100229, user: mchyzer

2009-04-15 06:26:45.902 groupField - addGroupField ( 346ms, 3 queries)
  Description: Added group field: requireActiveEmployee, id: 1dc48fed-b1ca-4099-a16c-f04375d6e145, type: attribute, groupType: requireInGroups
  Server: grouperShell, host: AIT100229, user: mchyzer

2009-04-15 06:24:52.760 membership - addMembership ( 67ms, 18 queries)
  Description: Added membership: group: aStem:activeEmployee, subject: jdbc.test.subject.1, field: members
  Server: grouperShell, host: AIT100229, user: mchyzer

2009-04-15 06:22:02.883 membership - addMembership ( 3856ms, 18 queries)
  Description: Added membership: group: aStem:activeEmployee, subject: jdbc.test.subject.0, field: members
  Server: grouperShell, host: AIT100229, user: mchyzer

2009-04-15 06:21:08.070 groupField - addGroupField ( 290ms, 2 queries)
  Description: Added group field: requireAlsoInGroups, id: 5f4bb1f3-117a-4008-bbbf-91c2697b58b8, type: attribute, groupType: requireInGroups
  Server: grouperShell, host: AIT100229, user: mchyzer
All results in long form:
gsh 5% new UserAuditQuery().executeReportExtended();
Results 1 - 10 of 35 ordered by: lastUpdatedDb desc

2009-04-15 07:42:03.179 membership - addMembership ( 261ms, 18 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1) (actAs: jdbc - test.subject.1 - description.test.subject.1)
  Description: Added membership: group: aStem:activeStudent, subject: jdbc.test.subject.7, field: members
  Server: grouperWS, host: AIT100229, user: mchyzer
  Id: 1b9de977-d3d7-4832-b107-64fe89bac52a FieldId: f015c16f-a784-45e3-95aa-d6479a190e59 FieldName: members MemberId: 7d0c3b88-733e-4bc7-8a44-84751503ebd1 MembershipType: immediate OwnerType: group OwnerId: 197d1379-ac1a-4c0f-a5d0-80254d128212 OwnerName: aStem:activeStudent

2009-04-15 07:41:56.554 membership - deleteMembership ( 376ms, 11 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1)
  Description: Added membership: group: aStem:activeStudent, subject: jdbc.test.subject.7, field: members
  Server: grouperWS, host: AIT100229, user: mchyzer
  Id: 5eda0781-4d36-4f63-857d-22e099cde428 FieldId: f015c16f-a784-45e3-95aa-d6479a190e59 FieldName: members MemberId: 7d0c3b88-733e-4bc7-8a44-84751503ebd1 MembershipType: immediate OwnerType: group OwnerId: 197d1379-ac1a-4c0f-a5d0-80254d128212 OwnerName: aStem:activeStudent

2009-04-15 07:26:10.495 membership - addMembership ( 532ms, 20 queries)
  Description: Added membership: group: aStem:activeStudent, subject: jdbc.test.subject.7, field: members
  Server: null, host: AIT100229, user: mchyzer
  Id: 5eda0781-4d36-4f63-857d-22e099cde428 FieldId: f015c16f-a784-45e3-95aa-d6479a190e59 FieldName: members MemberId: 7d0c3b88-733e-4bc7-8a44-84751503ebd1 MembershipType: immediate OwnerType: group OwnerId: 197d1379-ac1a-4c0f-a5d0-80254d128212 OwnerName: aStem:activeStudent

2009-04-15 07:10:55.061 membership - addMembership ( 302ms, 13 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1)
  Description: Added membership: group: aStem:activeStudent, subject: jdbc.test.subject.5, field: members
  Server: grouperUI, host: AIT100229, user: mchyzer
  Id: fc5019d7-95e3-4a58-8695-dba7216307b3 FieldId: f015c16f-a784-45e3-95aa-d6479a190e59 FieldName: members MemberId: 7caa1de6-41fd-4a25-8115-7cc0c896ac5c MembershipType: immediate OwnerType: group OwnerId: 197d1379-ac1a-4c0f-a5d0-80254d128212 OwnerName: aStem:activeStudent

2009-04-15 06:40:52.351 membership - addMembership ( 281ms, 13 queries)
  Description: Added membership: group: aStem:activeStudent, subject: jdbc.test.subject.6, field: members
  Server: null, host: AIT100229, user: mchyzer
  Id: fd44d176-abc8-44a6-8fef-f22f397bf4a4 FieldId: f015c16f-a784-45e3-95aa-d6479a190e59 FieldName: members MemberId: 4296d1c8-a311-4e30-b429-887135132464 MembershipType: immediate OwnerType: group OwnerId: 197d1379-ac1a-4c0f-a5d0-80254d128212 OwnerName: aStem:activeStudent

2009-04-15 06:26:45.965 groupType - addGroupType ( 33ms, 2 queries)
  Description: Added group type: requireActiveStudent
  Server: grouperShell, host: AIT100229, user: mchyzer
  Id: 5acacc8b-c15b-4aab-b7a3-961d90d7c290 Name: requireActiveStudent

2009-04-15 06:26:45.902 groupField - addGroupField ( 346ms, 3 queries)
  Description: Added group field: requireActiveEmployee, id: 1dc48fed-b1ca-4099-a16c-f04375d6e145, type: attribute, groupType: requireInGroups
  Server: grouperShell, host: AIT100229, user: mchyzer
  Id: 1dc48fed-b1ca-4099-a16c-f04375d6e145 Name: requireActiveEmployee GroupTypeId: a0d01b9b-1b1b-4791-863f-2fe42200f4b9 GroupTypeName: requireInGroups Type: attribute

2009-04-15 06:24:52.760 membership - addMembership ( 67ms, 18 queries)
  Description: Added membership: group: aStem:activeEmployee, subject: jdbc.test.subject.1, field: members
  Server: grouperShell, host: AIT100229, user: mchyzer
  Id: ffea4d28-1335-4d0c-ad37-987fbe0e9ca5 FieldId: f015c16f-a784-45e3-95aa-d6479a190e59 FieldName: members MemberId: e5c1a993-ecf9-4d12-b561-a80b09738cd8 MembershipType: immediate OwnerType: group OwnerId: c99afbc4-9138-4d42-8ff9-dd77d2369262 OwnerName: aStem:activeEmployee

2009-04-15 06:22:02.883 membership - addMembership ( 3856ms, 18 queries)
  Description: Added membership: group: aStem:activeEmployee, subject: jdbc.test.subject.0, field: members
  Server: grouperShell, host: AIT100229, user: mchyzer
  Id: 1b16f549-7408-4035-bd8b-2fd5c7dd7af4 FieldId: f015c16f-a784-45e3-95aa-d6479a190e59 FieldName: members MemberId: 154ca2b1-6306-48ac-be74-a10966ecb427 MembershipType: immediate OwnerType: group OwnerId: c99afbc4-9138-4d42-8ff9-dd77d2369262 OwnerName: aStem:activeEmployee

2009-04-15 06:21:08.070 groupField - addGroupField ( 290ms, 2 queries)
  Description: Added group field: requireAlsoInGroups, id: 5f4bb1f3-117a-4008-bbbf-91c2697b58b8, type: attribute, groupType: requireInGroups
  Server: grouperShell, host: AIT100229, user: mchyzer
  Id: 5f4bb1f3-117a-4008-bbbf-91c2697b58b8 Name: requireAlsoInGroups GroupTypeId: a0d01b9b-1b1b-4791-863f-2fe42200f4b9 GroupTypeName: requireInGroups Type: attribute
Records by user mchyzer
gsh 10% grouperSession = GrouperSession.startRootSession(false);
edu.internet2.middleware.grouper.GrouperSession: 35a9ab9f-c630-4671-8a33-18fd2f29477d,'GrouperSystem','application'
gsh 11% subject = SubjectFinder.findByIdOrIdentifier("mchyzer", true);
subject: id='10021368' type='person' source='pennperson' name='Chris Hyzer'
gsh 12% member = MemberFinder.findBySubject(grouperSession,subject, true);
member: id='10021368' type='person' source='pennperson' uuid='ad020c13-15d3-4386-9517-821b727155ea'
gsh 13% new UserAuditQuery().loggedInMember(member).executeReport()
Results 1 - 3 of 3 ordered by: lastUpdatedDb desc

2009-04-15 07:42:03.179 membership - addMembership ( 261ms, 18 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1) (actAs: jdbc - test.subject.1 - description.test.subject.1)
  Description: Added membership: group: aStem:activeStudent, subject: jdbc.test.subject.7, field: members
  Server: grouperWS, host: AIT100229, user: mchyzer

2009-04-15 07:41:56.554 membership - deleteMembership ( 376ms, 11 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1)
  Description: Added membership: group: aStem:activeStudent, subject: jdbc.test.subject.7, field: members
  Server: grouperWS, host: AIT100229, user: mchyzer

2009-04-15 07:10:55.061 membership - addMembership ( 302ms, 13 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1)
  Description: Added membership: group: aStem:activeStudent, subject: jdbc.test.subject.5, field: members
  Server: grouperUI, host: AIT100229, user: mchyzer
How developers add user auditing to their code:
HibernateSession.callbackHibernateSession(
    GrouperTransactionType.READ_WRITE_OR_USE_EXISTING, AuditControl.WILL_AUDIT,
    new HibernateHandler() {
      public Object callback(HibernateHandlerBean hibernateHandlerBean) throws GrouperDAOException {
        // make the registry change here; then, if this is the outermost audited call,
        // build the AuditEntry describing it and save it inside the same transaction
        return null;
      }
    });
Here is a demo of user auditing (movie)
First, clear out database:
gsh -registry -reset
Add a stem, a type and a group, and associate the type with the group
gsh 0% typeAdd("testType");
type: 'testType'
gsh 1% addRootStem("newStem", "new stem");
stem: name='newStem' displayName='new stem' uuid='82b8cd54-9a69-4754-b6da-649dc87670b6'
gsh 2% addGroup("newStem", "aGroup", "a group");
group: name='newStem:aGroup' displayName='new stem:a group' uuid='913f36a9-c842-4fa1-911e-062a256028b2'
gsh 3% groupAddType("newStem:aGroup", "testType");
true
gsh 4%
Assign a privilege with web services
C:\temp\client>java -jar grouperClient.jar --operation=assignGrouperPrivilegesLiteWs --groupName=newStem:aGroup --subjectIdentifier=mchyzer --privilegeName=admin --allowed=true
Success: T: code: SUCCESS_ALLOWED: group: newStem:aGroup: subject: 10021368: access: admin
Query the audits
gsh 10% new UserAuditQuery().loggedInMember(member).executeReport()
Results 1 - 4 of 4 ordered by: lastUpdatedDb desc

2009-04-26 21:37:29.522 privilege - addPrivilege ( 597ms, 14 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1)
  Description: Added privilege: group: newStem:aGroup, subject: pennperson.10021368, privilege: admin
  Server: grouperWS, host: AIT100229, user: mchyzer

2009-04-26 21:28:49.284 membership - addMembership ( 78ms, 14 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1)
  Description: Added membership: group: newStem:aGroup, subject: pennperson.10021368, field: members
  Server: grouperUI, host: AIT100229, user: mchyzer

2009-04-26 21:28:22.847 group - updateGroup ( 9ms, 1 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1)
  Description: Updated group: newStem:aGroup, Fields changed: description.description: FROM: 'null', TO: 'some group'
  Server: grouperUI, host: AIT100229, user: mchyzer

2009-04-26 21:28:22.800 group - updateGroup ( 17ms, 1 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1)
  Description: Updated group: newStem:aGroup, Fields changed: none
  Server: grouperUI, host: AIT100229, user: mchyzer

gsh 11% new UserAuditQuery().executeReportExtended()
Results 1 - 10 of 25 ordered by: lastUpdatedDb desc

2009-04-26 21:37:29.522 privilege - addPrivilege ( 597ms, 14 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1)
  Description: Added privilege: group: newStem:aGroup, subject: pennperson.10021368, privilege: admin
  Server: grouperWS, host: AIT100229, user: mchyzer
  PrivilegeName: admin MemberId: d03585aa-b2e7-405a-b9bc-91f73413c60b PrivilegeType: access OwnerType: group OwnerId: 913f36a9-c842-4fa1-911e-062a256028b2 OwnerName: newStem:aGroup

2009-04-26 21:28:49.284 membership - addMembership ( 78ms, 14 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1)
  Description: Added membership: group: newStem:aGroup, subject: pennperson.10021368, field: members
  Server: grouperUI, host: AIT100229, user: mchyzer
  Id: 5c1db55a-7d3c-4010-869f-a7e013cac7b5 FieldId: f015c16f-a784-45e3-95aa-d6479a190e59 FieldName: members MemberId: d03585aa-b2e7-405a-b9bc-91f73413c60b MembershipType: immediate OwnerType: group OwnerId: 913f36a9-c842-4fa1-911e-062a256028b2 OwnerName: newStem:aGroup

2009-04-26 21:28:22.847 group - updateGroup ( 9ms, 1 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1)
  Description: Updated group: newStem:aGroup, Fields changed: description.description: FROM: 'null', TO: 'some group'
  Server: grouperUI, host: AIT100229, user: mchyzer
  Id: 913f36a9-c842-4fa1-911e-062a256028b2 Name: newStem:aGroup ParentStemId: 82b8cd54-9a69-4754-b6da-649dc87670b6 DisplayName: new stem:a group Description: some group

2009-04-26 21:28:22.800 group - updateGroup ( 17ms, 1 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1)
  Description: Updated group: newStem:aGroup, Fields changed: none
  Server: grouperUI, host: AIT100229, user: mchyzer
  Id: 913f36a9-c842-4fa1-911e-062a256028b2 Name: newStem:aGroup ParentStemId: 82b8cd54-9a69-4754-b6da-649dc87670b6 DisplayName: new stem:a group

2009-04-26 21:27:44.206 membership - addMembership ( 53ms, 13 queries)
  Description: Added membership: group: penn:etc:webServiceClientUsers, subject: pennperson.10021368, field: members
  Server: grouperUI, host: AIT100229, user: mchyzer
  Id: 21e2bd30-3c09-4a20-98cb-133f33fa8e56 FieldId: f015c16f-a784-45e3-95aa-d6479a190e59 FieldName: members MemberId: d03585aa-b2e7-405a-b9bc-91f73413c60b MembershipType: immediate OwnerType: group OwnerId: e7b8f0c4-a6f3-4259-8fe0-2c0b232a5602 OwnerName: penn:etc:webServiceClientUsers

2009-04-26 21:27:44.143 membership - addMembership ( 47ms, 13 queries)
  Description: Added membership: group: penn:etc:webServiceActAsGroup, subject: pennperson.10021368, field: members
  Server: grouperUI, host: AIT100229, user: mchyzer
  Id: aa146747-7856-4b8a-b854-70bd86b3c1b2 FieldId: f015c16f-a784-45e3-95aa-d6479a190e59 FieldName: members MemberId: d03585aa-b2e7-405a-b9bc-91f73413c60b MembershipType: immediate OwnerType: group OwnerId: ffd6c90b-3b39-49be-8393-4e79884cb8cd OwnerName: penn:etc:webServiceActAsGroup

2009-04-26 21:27:44.050 membership - addMembership ( 46ms, 13 queries)
  Description: Added membership: group: penn:etc:userInterfaceUsers, subject: pennperson.10021368, field: members
  Server: grouperUI, host: AIT100229, user: mchyzer
  Id: 0086d53a-5507-4bb4-8850-deda7118b6ce FieldId: f015c16f-a784-45e3-95aa-d6479a190e59 FieldName: members MemberId: d03585aa-b2e7-405a-b9bc-91f73413c60b MembershipType: immediate OwnerType: group OwnerId: 2e3f6b80-537b-4d2b-85d8-4e182c5d0c9e OwnerName: penn:etc:userInterfaceUsers

2009-04-26 21:27:43.987 membership - addMembership ( 276ms, 21 queries)
  Description: Added membership: group: penn:etc:sysAdminGroup, subject: pennperson.10021368, field: members
  Server: grouperUI, host: AIT100229, user: mchyzer
  Id: b0981d60-d404-4ca7-90da-184fee9a57bb FieldId: f015c16f-a784-45e3-95aa-d6479a190e59 FieldName: members MemberId: d03585aa-b2e7-405a-b9bc-91f73413c60b MembershipType: immediate OwnerType: group OwnerId: 74190a41-7da3-48e0-a1a3-c5c4a26454fe OwnerName: penn:etc:sysAdminGroup

2009-04-26 21:22:00.672 groupTypeAssignment - assignGroupType ( 569ms, 7 queries)
  Description: Assigned group type: newStem:aGroup, typeId: f7cb86b1-dc75-45d7-ba37-8f7c809d30e2, to group: newStem:aGroup, groupId: 913f36a9-c842-4fa1-911e-062a256028b2
  Server: grouperShell, host: AIT100229, user: mchyzer
  Id: 02db5bdb20e5260e0120e52a11510006 GroupId: 913f36a9-c842-4fa1-911e-062a256028b2 GroupName: newStem:aGroup TypeId: f7cb86b1-dc75-45d7-ba37-8f7c809d30e2 TypeName: testType

2009-04-26 21:21:16.922 group - addGroup ( 283ms, 22 queries)
  Description: Added group: newStem:aGroup
  Server: grouperShell, host: AIT100229, user: mchyzer
  Id: 913f36a9-c842-4fa1-911e-062a256028b2 Name: newStem:aGroup ParentStemId: 82b8cd54-9a69-4754-b6da-649dc87670b6 DisplayName: new stem:a group

gsh 13% fromDate = edu.internet2.middleware.grouper.util.GrouperUtil.toTimestamp("2009/04/26 21:28:30");
java.sql.Timestamp: 2009-04-26 21:28:30.0
gsh 39% new UserAuditQuery().loggedInMember(member).setFromDate(fromDate).executeReport()
Results 1 - 2 of 2 ordered by: lastUpdatedDb desc

2009-04-26 21:37:29.522 privilege - addPrivilege ( 597ms, 14 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1)
  Description: Added privilege: group: newStem:aGroup, subject: pennperson.10021368, privilege: admin
  Server: grouperWS, host: AIT100229, user: mchyzer

2009-04-26 21:28:49.284 membership - addMembership ( 78ms, 14 queries)
  Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1)
  Description: Added membership: group: newStem:aGroup, subject: pennperson.10021368, field: members
  Server: grouperUI, host: AIT100229, user: mchyzer
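An added example, not Grouper code, that serves both the executeReport / executeReportExtended listings earlier on the page and the "Query the audits" step just above: a small Python parser for the report text as it comes out of gsh (often flattened onto one line when pasted), pulling out the timestamp, type and action, timing, the logged-in user, any actAs subject, the description, server, host and OS user, plus the trailing "Label: value" pairs of the long form. On top of that it does the review checks a practitioner wants from this data: which entries were done on behalf of someone else, which have no logged-in user at all (so attribution rests on the server user), counts per action, and the same from-date filter the last gsh step does server-side. The sample text is constructed from three records copied from the listings above; the function names (parse_report, act_as_records, no_login_records, counts_by_action, since) are this example's own.

```python
import re
from collections import Counter

# Constructed sample: three records copied from the report listings on this page,
# flattened onto one string the way the page shows them (the third is long form).
SAMPLE = (
    "Results 1 - 3 of 3 ordered by: lastUpdatedDb desc "
    "2009-04-15 07:42:03.179 membership - addMembership ( 261ms, 18 queries) "
    "Logged in user: pennperson - 10021368 - Chris Hyzer (ip: 127.0.0.1) "
    "(actAs: jdbc - test.subject.1 - description.test.subject.1) "
    "Description: Added membership: group: aStem:activeStudent, subject: jdbc.test.subject.7, field: members "
    "Server: grouperWS, host: AIT100229, user: mchyzer "
    "2009-04-15 07:26:10.495 membership - addMembership ( 532ms, 20 queries) "
    "Description: Added membership: group: aStem:activeStudent, subject: jdbc.test.subject.7, field: members "
    "Server: null, host: AIT100229, user: mchyzer "
    "2009-04-15 06:26:45.965 groupType - addGroupType ( 33ms, 2 queries) "
    "Description: Added group type: requireActiveStudent "
    "Server: grouperShell, host: AIT100229, user: mchyzer "
    "Id: 5acacc8b-c15b-4aab-b7a3-961d90d7c290 Name: requireActiveStudent"
)

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}"
# Every record starts with "<timestamp> <type> - <action> (", so split on that lookahead.
RECORD_START = re.compile(rf"(?={TS} \w+ - \w+ \()")
HEADER = re.compile(rf"^(?P<ts>{TS}) (?P<type>\w+) - (?P<action>\w+) \( (?P<ms>\d+)ms, (?P<queries>\d+) queries\)")
LOGGED_IN = re.compile(r"Logged in user: (?P<source>\S+) - (?P<id>\S+) - (?P<name>.+?) \(ip: (?P<ip>[^)]+)\)")
ACT_AS = re.compile(r"\(actAs: (?P<source>\S+) - (?P<id>\S+) - (?P<name>[^)]+)\)")
TAIL = re.compile(r"Description: (?P<desc>.+?) Server: (?P<server>\S+), host: (?P<host>\S+), user: (?P<user>\S+)")


def parse_report(text):
    """Splits a flattened gsh report into one dict per audit entry."""
    records = []
    for chunk in RECORD_START.split(text):
        head = HEADER.match(chunk)
        if head is None:
            continue                      # the "Results 1 - N of M ..." preamble
        tail = TAIL.search(chunk)
        if tail is None:
            raise ValueError("record without Description/Server line: " + chunk[:60])
        logged_in = LOGGED_IN.search(chunk)
        act_as = ACT_AS.search(chunk)
        # Long-form listings append "Label: value" pairs after the user; keep them
        # as-is (single-token values only, which is what the id fields are).
        extra = dict(re.findall(r"(\w+): (\S+)", chunk[tail.end():]))
        records.append({
            "ts": head["ts"], "type": head["type"], "action": head["action"],
            "ms": int(head["ms"]), "queries": int(head["queries"]),
            "logged_in": logged_in.groupdict() if logged_in else None,
            "act_as": act_as.groupdict() if act_as else None,
            "description": tail["desc"], "server": tail["server"],
            "host": tail["host"], "user": tail["user"], "extra": extra,
        })
    return records


def act_as_records(records):
    """Entries performed on behalf of another subject: the ones a reviewer reads first."""
    return [r for r in records if r["act_as"]]


def no_login_records(records):
    """Entries with no logged-in user (gsh, loader, a process): attribution rests on the OS user."""
    return [r for r in records if r["logged_in"] is None]


def counts_by_action(records):
    return Counter((r["type"], r["action"]) for r in records)


def since(records, ts):
    """Client-side equivalent of setFromDate: the timestamps are zero-padded, so string order is time order."""
    return [r for r in records if r["ts"] >= ts]


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for r in act_as_records(recs):
        print("actAs:", r["ts"], r["logged_in"]["id"], "as", r["act_as"]["id"], r["description"])
    for r in no_login_records(recs):
        print("no login:", r["ts"], r["server"], r["user"], r["description"])
    print(counts_by_action(recs))
```

The `deleteMembership` entries on this page carry an "Added membership" description, so anything that classifies entries should key on the parsed type and action rather than on the description text.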