[MAGNOLIA-7459] Audit logging publish/unpublish actions with requestor user name
Created: 27/Jul/18  Updated: 16/Apr/19  Resolved: 20/Feb/19

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 5.6, 5.7, 6.0
Fix Version/s: 5.6.9, 5.7.3, 6.1

Type: Bug Priority: Major
Reporter: Richard Gange Assignee: Adam Siska
Resolution: Fixed Votes: 2
Labels: None
Remaining Estimate: 0d
Time Spent: 0.5d
Original Estimate: Not Specified

Issue Links:
Cloners: is cloned by PUBLISHING-54 Audit logging publish/unpublish actio... (Closed)
dependency: is depended upon by QAARQ-23 Improve activation logging entries (Open)
Release notes required: Yes
Epic Link: Support
Sprint: Foundation 4, Foundation 5
Story Points: 3

 Description   

Audit logging configuration has stopped working since the introduction of the new publishing modules. See /server/auditLogging
Also, there are entries in the log, but the username always shows up as "superuser" even though we are logged in as someone else. This made the log not so informative.
Expected result:

  1. Update documentation and configuration according to our new publishing support (should be publish and unpublish actions).
  2. Even though publishing must be done within System context, let's find a way to put more information into audit logging entries besides 'superuser' actor.


 Comments   
Comment by Viet Nguyen [ 05/Sep/18 ]

Added SUPPORT-9030 to the list.

Comment by Viet Nguyen [ 05/Sep/18 ]

Commented on our Audit logging documentation here
Also, customers were right: with all audit logging using the 'superuser' actor, the log is not so informative anymore.

Comment by Viet Nguyen [ 05/Sep/18 ]

Please also consider updating our bootstrap located in https://git.magnolia-cms.com/projects/PLATFORM/repos/main/browse/magnolia-core/src/main/resources/mgnl-bootstrap/core/config.server.auditLogging.xml

Comment by Thomas Duffey [ 05/Sep/18 ]

DefaultSender has access to Context which should have the userName attribute of who is activating. Can we update to use that?

Comment by Richard Gange [ 05/Sep/18 ]

I've asked about changing the prio on this. I went ahead and changed it to Major on the ticket. I'll let you know.

Comment by Thomas Duffey [ 05/Sep/18 ]

Thanks Rich, and FYI there also appears to be a related bug in AuditLoggingUtil line 81 – timestamp should not be included in the data array. Including it causes both a formatted timestamp and the original long timestamp to be included in the log message.

Comment by Viet Nguyen [ 06/Sep/18 ]

Thanks tduffey for the information below; I am just copying it here so that when fixing the issue we will not forget to fix this:
FYI there is also a bug in the audit log message for create, modify, delete and move in session:

    public static void log(String action, long timeStamp, String workspaceName, NodeType nodeType, String path, String pathTo) {
        AuditLoggingUtil.log(action, new String[]{String.valueOf(timeStamp), AuditLoggingUtil.getUser(), workspaceName, nodeType == null ? "" : nodeType.getName(), path, pathTo == null ? "" : pathTo});
    }

The above should not be including timestamp in the data array.

Comment by Bence Vass [ 20/Nov/18 ]

Please consider the following scenarios:

Publishing in dam/website with workflow - username has to be the name of the user who started the workflow, not superuser
Publishing without a workflow (other workspaces, or if you publish in website/dam without a workflow), but as an asynchronous action - same, at the moment the logged username is superuser

Comment by Viet Nguyen [ 28/Jan/19 ]

Then let's say we need to improve our Audit logging function so that it can log both the requester, who as you said is the user who started the workflow, and the performer, who actually has the permission to do it and is allowed to run background processes with access to system configuration, such as 'superuser'. That one is the one to whom the task is actually delegated.

Comment by Hieu Nguyen Duc [ 22/Feb/19 ]

Just a minor concern; after adding "publish" and "unpublish" nodes, should "activate" and "deactivate" be removed? They don't seem to have any effect at least in 5.6, 5.7 and 6.x.

Comment by Adam Siska [ 22/Feb/19 ]

According to this page https://documentation.magnolia-cms.com/display/DOCS60/Publishing+and+activation they should still be available.
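
The two logging problems raised in this ticket, the duplicated timestamp in the data array and the requester/performer split for publishing done in system context, shown side by side in an added Java example that is not Magnolia's code. The class `AuditEntryDemo`, its methods, the `requester=`/`performer=` field labels, the log layout and the sample user name are all assumptions made for illustration.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;

// Hypothetical stand-in for an audit logger; NOT Magnolia's AuditLoggingUtil.
public class AuditEntryDemo {

    // The formatter owns the timestamp: it renders it once, then appends the data fields.
    static String format(String action, long timeStamp, String[] data) {
        SimpleDateFormat fmt = new SimpleDateFormat("dd.MM.yyyy HH:mm:ss");
        fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
        StringBuilder sb = new StringBuilder(fmt.format(new Date(timeStamp)));
        sb.append(", ").append(action);
        for (String field : data) {
            sb.append(", ").append(sanitize(field));
        }
        return sb.toString();
    }

    // Replace CR/LF so a user-controlled name or path cannot start a forged log line.
    static String sanitize(String s) {
        return s == null ? "" : s.replaceAll("[\\r\\n]", "_");
    }

    // Shape of the bug reported in the comments: the raw long is also passed as data[0],
    // so the entry carries a formatted timestamp and the original long value.
    static String buggy(String action, long ts, String user, String workspace, String path) {
        return format(action, ts, new String[]{String.valueOf(ts), user, workspace, path});
    }

    // Corrected shape: no timestamp in the data array, and the user who asked for the
    // action is recorded separately from the account that executed it.
    static String fixed(String action, long ts, String requester, String performer,
                        String workspace, String path) {
        return format(action, ts, new String[]{
            "requester=" + requester, "performer=" + performer, workspace, path});
    }

    public static void main(String[] args) {
        long ts = 1550620800000L; // constructed sample instant (20 Feb 2019, UTC)
        // Constructed sample values: "eric" requested the publish, "superuser" ran it.
        System.out.println(buggy("publish", ts, "superuser", "website", "/home"));
        System.out.println(fixed("publish", ts, "eric", "superuser", "website", "/home"));
    }
}
```

Keeping both actors in the entry preserves attribution when the work is delegated to a privileged background account, which is the case the workflow and asynchronous publishing scenarios describe.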
