Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request implements an audit logging system for identity lifecycle operations, including the creation of a new database table, repository, and service-level integration. The feedback focuses on ensuring the acting user's ID is consistently captured across all service methods (specifically within the agent service), standardizing audit timestamps to UTC, and expanding the logging logic to include failed operation attempts for a more comprehensive security trail.
darshana-v
changed the title
| CREATE INDEX IF NOT EXISTS idx_identity_audit_logs_tenant | ||
| ON identity_audit_logs (account_id, project_id); | ||
|
|
||
| CREATE INDEX IF NOT EXISTS idx_identity_audit_logs_identity |
There was a problem hiding this comment.
remove second and fourth indexes
|
The audit log should be generic and follow the same pattern we have in the admin service. Also, instead of passing callerUserID through every function signature, we should read it directly from the context using internalMiddleware.GetCallerName(ctx) at the point of writing the record in the database. Aren't we using triggers for writing to audit log table ? |
2 participants
Summary
Identity mutations (create/update/delete) previously had no audit trail. Operators had no way to answer "who registered this agent?" or "who changed its trust level and when?".
owner_user_idis a static ownership field on the identity, not a record of who performed a given operation.This PR adds an
identity_audit_logstable that records every mutation with the acting user's ID (from the X-User-ID header, set by TenantContextMiddleware), a timestamp, and before/after JSONB snapshots of the identity row.Type of change
Testing
Impact / Risks
📸 Screenshots / Logs (if applicable)