User Addition/Removal data in the logs
Copied from AHA ticket: https://osdu-community.ideas.aha.io/ideas/IDEA-I-139.
When a user is added to or removed from a group in the Entitlements service, the logs contain an entry which reads:
2024-05-07 11:38:31.484 INFO 7 --- [nio-8080-exec-8] o.o.o.c.c.l.DefaultLogWriter : #RequestLog Request(requestMethod=POST, latency=PT0.379S, requestUrl=https://dev.osdu.example.com/api/entitlements/v2/groups/users.datalake.group@osdu.shell.com/members, Status=200, ip=10.0.12.117) {correlation-id=1f452628-cffb-407d-a86b-xxxxxxxxxxx, data-partition-id=osdu}
When we increase the logging level to DEBUG, we can also see the payload of the message:
2024-05-07 11:23:28.340 DEBUG 7 --- [nio-8080-exec-7] o.s.w.s.DispatcherServlet : POST "/api/entitlements/v2/groups/users.datalake.group@osdu.example.com/members", parameters={}
2024-05-07 11:23:28.341 DEBUG 7 --- [nio-8080-exec-7] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.opengroup.osdu.entitlements.v2.api.AddMemberApi#addMember(AddMemberDto, String)
2024-05-07 11:23:28.389 DEBUG 7 --- [nio-8080-exec-7] m.m.a.RequestResponseBodyMethodProcessor : Read "application/json;charset=UTF-8" to [AddMemberDto(email=user.name@example.com, role=MEMBER)]
2024-05-07 11:23:28.556 INFO 7 --- [nio-8080-exec-7] o.o.o.c.c.l.DefaultLogWriter : entitlements.app: requested by serviceprincipal-dev@testing.com {correlation-id=267b1e47-2e2f-4474-8106-xxxxxxxxx, data-partition-id=osdu}
2024-05-07 11:23:28.732 DEBUG 7 --- [nio-8080-exec-7] o.s.w.s.m.m.a.HttpEntityMethodProcessor : Using 'application/json', given [/] and supported [application/json, application/*+json, application/json, application/*+json, application/cbor]
2024-05-07 11:23:28.732 DEBUG 7 --- [nio-8080-exec-7] o.s.w.s.m.m.a.HttpEntityMethodProcessor : Writing [AddMemberDto(email=user.name@example.com, role=MEMBER)]
2024-05-07 11:23:28.733 DEBUG 7 --- [nio-8080-exec-7] o.s.w.s.DispatcherServlet : Completed 200 OK
The whole block above relates to a single operation: adding the user "user.name@example.com" to the group "users.datalake.group@osdu.example.com".
Having the username from the payload of the addition (POST) message included in the log entry would simplify user auditing and improve security, as JML (joiner/mover/leaver) operations would be easier to identify.
Also, the correlation_id generated for the operation does not seem to tie together the different steps of a single process (as can be seen in the DEBUG output), nor can it be used to trace user additions/removals, since the username being added is not present in the logged output.
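To make the auditing gap concrete, here is an added Python example (not code from the ticket or from the Entitlements project) that reconstructs add-member audit events from log lines in the format quoted above. The sample lines are constructed; the parser stitches a request's lines together by Tomcat thread name because the correlation-id is not present on every line, and it shows that a request logged only at INFO level leaves the added user unknown.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample in the format quoted above: one add-member request at DEBUG level on
# thread exec-7, then an INFO-only #RequestLog line for another request on thread exec-8.
SAMPLE_LOG = """\
2024-05-07 11:23:28.340 DEBUG 7 --- [nio-8080-exec-7] o.s.w.s.DispatcherServlet : POST "/api/entitlements/v2/groups/users.datalake.group@osdu.example.com/members", parameters={}
2024-05-07 11:23:28.389 DEBUG 7 --- [nio-8080-exec-7] m.m.a.RequestResponseBodyMethodProcessor : Read "application/json;charset=UTF-8" to [AddMemberDto(email=user.name@example.com, role=MEMBER)]
2024-05-07 11:23:28.556 INFO 7 --- [nio-8080-exec-7] o.o.o.c.c.l.DefaultLogWriter : entitlements.app: requested by serviceprincipal-dev@testing.com {correlation-id=267b1e47-2e2f-4474-8106-xxxxxxxxx, data-partition-id=osdu}
2024-05-07 11:23:28.733 DEBUG 7 --- [nio-8080-exec-7] o.s.w.s.DispatcherServlet : Completed 200 OK
2024-05-07 11:38:31.484 INFO 7 --- [nio-8080-exec-8] o.o.o.c.c.l.DefaultLogWriter : #RequestLog Request(requestMethod=POST, latency=PT0.379S, requestUrl=https://dev.osdu.example.com/api/entitlements/v2/groups/users.datalake.group@osdu.example.com/members, Status=200, ip=10.0.12.117) {correlation-id=1f452628-cffb-407d-a86b-xxxxxxxxxxx, data-partition-id=osdu}
"""
# Common prefix: timestamp, level, pid, thread name, logger, then the free-text message.
LINE = re.compile(r"^\S+ \S+ +\w+ \d+ --- \[(?P<thread>[^\]]+)\] \S+ : (?P<msg>.*)$")
# One extractor per audit field; each matches at most one of the line shapes quoted above.
FIELDS = {
    "group": re.compile(r"/groups/(?P<v>[^/\"]+)/members"),          # from the request URL
    "member": re.compile(r"AddMemberDto\(email=(?P<v>[^,]+)"),        # only at DEBUG level
    "role": re.compile(r"role=(?P<v>\w+)\)"),
    "requester": re.compile(r"requested by (?P<v>\S+)"),
    "correlation_id": re.compile(r"correlation-id=(?P<v>[^,}]+)"),
    "status": re.compile(r"(?:Completed |Status=)(?P<v>\d{3})"),      # either shape ends a request
}

@dataclass
class MembershipEvent:
    thread: str
    group: Optional[str] = None
    member: Optional[str] = None       # stays None when the logs never name the added user
    role: Optional[str] = None
    requester: Optional[str] = None
    correlation_id: Optional[str] = None
    status: Optional[str] = None

def reconstruct_events(log_text: str) -> list[MembershipEvent]:
    """Group lines by Tomcat thread (assumes one request per thread at a time), since the
    correlation-id appears only on the DefaultLogWriter line and cannot join the others."""
    open_events: dict[str, MembershipEvent] = {}
    done: list[MembershipEvent] = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        ev = open_events.setdefault(thread, MembershipEvent(thread=thread))
        for name, rx in FIELDS.items():
            if hit := rx.search(msg):
                setattr(ev, name, hit["v"])
        if ev.status:                       # request finished: release the thread slot
            done.append(open_events.pop(thread))
    return done
```

Events whose `member` is still None after parsing are membership changes the logs cannot attribute to a user, which is exactly what the requested log field would fix.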