Port: add client ID to TWEs in activity log [vault-3136] (#12820)

* port for tracking twes as clients * comment clean up * changelog * change changelog entry phrasing
hashicorp · Oct 14, 2021 · db58443 · db58443
1 parent fb7dd97
commit db58443
Show file tree

Hide file tree

Showing 15 changed files with 1,739 additions and 452 deletions.
diff --git a/changelog/12820.txt b/changelog/12820.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+Add ClientID to Token With Entities in Activity Log: Vault tokens without entities are now tracked with client IDs and deduplicated in the Activity Log
+```
diff --git a/command/operator_usage.go b/command/operator_usage.go
@@ -191,8 +191,11 @@ type UsageCommandNamespace struct {
 type UsageResponse struct {
 	namespacePath string
 	entityCount   int64
-	tokenCount    int64
-	clientCount   int64
+	// As per 1.9, the tokenCount field will contain the distinct non-entity
+	// token clients instead of each individual token.
+	tokenCount int64
+
+	clientCount int64
 }
 
 func jsonNumberOK(m map[string]interface{}, key string) (int64, bool) {

diff --git a/sdk/logical/request.go b/sdk/logical/request.go
@@ -214,6 +214,12 @@ type Request struct {
 	// in response headers; it's attached to the request rather than the response
 	// because not all requests yields non-nil responses.
 	responseState *WALState
+
+	// ClientID is the identity of the caller. If the token is associated with an
+	// entity, it will be the same as the EntityID . If the token has no entity,
+	// this will be the sha256(sorted policies + namespace) associated with the
+	// client token.
+	ClientID string
 }
 
 // Clone returns a deep copy of the request by using copystructure

diff --git a/vault/activity/activity_log.pb.go b/vault/activity/activity_log.pb.go
diff --git a/vault/activity/activity_log.proto b/vault/activity/activity_log.proto
@@ -4,31 +4,38 @@ option go_package = "github.com/hashicorp/vault/vault/activity";
 
 package activity;
 
-// EntityRecord is generated the first time an entity is active
-// each month.
+// EntityRecord is generated the first time an client is active
+ // each month. This can store clients associated with entities 
+ // or nonEntity clients, and really is a ClientRecord, not 
+ // specifically an EntityRecord
 message EntityRecord {
-	string entity_id = 1;
+	string client_id = 1;
 	string namespace_id = 2;
 	// using the Timestamp type would cost us an extra
 	// 4 bytes per record to store nanoseconds.
 	int64 timestamp = 3;
+	// non_entity records whether the given EntityRecord is
+ 	// for a TWE or an entity-bound token.
+ 	bool non_entity = 4;
 }
 
 message LogFragment {
 	// hostname (or node ID?) where the fragment originated,
 	// used for debugging.
 	string originating_node = 1;
 
-	// active entities not yet in a log segment
-	repeated EntityRecord entities = 2;
+	// active clients not yet in a log segment
+	repeated EntityRecord clients = 2;
 
 	// token counts not yet in a log segment,
 	// indexed by namespace ID
 	map<string,uint64> non_entity_tokens = 3;
 }
 
+// This activity log stores records for both clients with entities
+// and clients without entities
 message EntityActivityLog {
-	repeated EntityRecord entities = 1;
+	repeated EntityRecord clients = 1;
 }
 
 message TokenCount {