Auditing changes to key/value in etcd

[niraj8241]

All,

Well this is a feature request more than an issue. What i am looking here in etcd is to have a capability to track changes to key/values. So when i say track a change, i mean which user changed it last.

For eg:

User "X" changed a key/value and if admin/root wants to audit it down as who made that change.

I feel this useful when you have 1000+ servers managed by etcd. serving contents to all and if someone makes a change and breaks the fleet of entire servers. How can someone track this down?

It would be great to have such feature associated with etcd.

Regards
Niraj

[philips]

Do you want this data to be stored inside of etcd or would a proxy that logs this information be sufficient?

[niraj8241]

It would be great if it is within the etcd.

[xiang90]

@niraj8241 Any reason that it has to live inside etcd? Or what is the benefits you can see to put this inside etcd instead of a proxy? (we will probably build the proxy as part of the etcd project)

[niraj8241]

Well @xiang90 There is no specific reason for it. What i was thinking of is something like when you query the API it should display a field like lastmodifiedby. Well if it can be within the proxy , it would be fine.

[xiang90]

@niraj8241 OK. Now I understand your use case better. I could image to do this in proxy layer by adding another layer to store the last modification info into etcd itself again. We will think about this more once we start the proxy for v3. Thanks for the suggestion.

[akshaysuryawanshi]

@xiang90 Any updates on this feature ?

[akauppi]

@akshaysuryawanshi @niraj8241 I've collected requirements for the audit use case, recently, and have plans to implement it within this spring. It would tie etcd (v3), Typesafe config and streams (websockets) together. Kind of a proxy above etcd v3 (could be any other key/value store). I think the use case is easily a bit deeper than what @niraj8241 is asking, but would like to hear your needs. Reach me at [email protected] or twitter: @AskoKauppi ?

[raoofm]

👍

[abashev]

👍

[roffe]

@akauppi Any progress in this? =)

[akauppi]

@roffe You can reach me in the above mentioned contact - have you tried?

I only now realized the original request was about storing etcd change info itself. What I'm looking for, and it is progressing, is a general key/value store on top of etcd-v3 or similar that supports full audit trails, but also much more. It won't be the solution for @niraj8241 so I don't think more discussion here is in place about it.

[jpbetz]

cc @jpbetz, @wenjiaswe

[jingyih]

I am new to this thread, trying to catch up. Does #9990 fix this issue? When --debug flag is enabled, all incoming requests to etcd server will be logged. Logged information includes remote client IP and Port, which can be used to track who modified a certain key most recently.