VAULT-36565 CE changes (#30925)

vault/auth.go

@@ -19,6 +19,7 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault/observations"
 	"github.com/hashicorp/vault/vault/plugincatalog"
 )
 
@@ -248,6 +249,18 @@ func (c *Core) enableCredentialInternal(ctx context.Context, entry *MountEntry,
 	if c.logger.IsInfo() {
 		c.logger.Info("enabled credential backend", "path", entry.Path, "type", entry.Type, "version", entry.RunningVersion)
 	}
+
+	err = c.observations.RecordObservationToLedger(ctx, observations.ObservationTypeMountAuthEnable, ns, map[string]interface{}{
+		"path":        entry.Path,
+		"local_mount": entry.Local,
+		"type":        entry.Type,
+		"accessor":    entry.Accessor,
+		"version":     entry.RunningVersion,
+	})
+	if err != nil {
+		c.logger.Error("failed to record observation after enabling credential backend", "path", entry.Path, "error", err)
+	}
+
 	return nil
 }
 
@@ -380,6 +393,17 @@ func (c *Core) disableCredentialInternal(ctx context.Context, path string, updat
 		c.logger.Info("disabled credential backend", "path", path)
 	}
 
+	err = c.observations.RecordObservationToLedger(ctx, observations.ObservationTypeMountAuthDisable, ns, map[string]interface{}{
+		"path":        path,
+		"local_mount": entry.Local,
+		"type":        entry.Type,
+		"accessor":    entry.Accessor,
+		"version":     entry.RunningVersion,
+	})
+	if err != nil {
+		c.logger.Error("failed to record observation after disabling auth backend", "path", path, "error", err)
+	}
+
 	return nil
 }
 

vault/mount.go

@@ -25,6 +25,7 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/hashicorp/vault/sdk/helper/pluginutil"
 	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault/observations"
 	"github.com/hashicorp/vault/vault/plugincatalog"
 	"github.com/mitchellh/copystructure"
 )
@@ -784,6 +785,18 @@ func (c *Core) mountInternal(ctx context.Context, entry *MountEntry, updateStora
 	if c.logger.IsInfo() {
 		c.logger.Info("successful mount", "namespace", entry.Namespace().Path, "path", entry.Path, "type", entry.Type, "version", entry.RunningVersion)
 	}
+
+	err = c.observations.RecordObservationToLedger(ctx, observations.ObservationTypeMountSecretsEnable, ns, map[string]interface{}{
+		"path":        entry.Path,
+		"local_mount": entry.Local,
+		"type":        entry.Type,
+		"accessor":    entry.Accessor,
+		"version":     entry.RunningVersion,
+	})
+	if err != nil {
+		c.logger.Error("failed to record observation after enabling mount backend", "path", entry.Path, "error", err)
+	}
+
 	return nil
 }
 
@@ -967,6 +980,17 @@ func (c *Core) unmountInternal(ctx context.Context, path string, updateStorage b
 		c.logger.Info("successfully unmounted", "path", path, "namespace", ns.Path)
 	}
 
+	err = c.observations.RecordObservationToLedger(ctx, observations.ObservationTypeMountSecretsDisable, ns, map[string]interface{}{
+		"path":        entry.Path,
+		"local_mount": entry.Local,
+		"type":        entry.Type,
+		"accessor":    entry.Accessor,
+		"version":     entry.RunningVersion,
+	})
+	if err != nil {
+		c.logger.Error("failed to record observation after enabling mount backend", "path", entry.Path, "error", err)
+	}
+
 	return nil
 }
 

vault/observations/observations_consts.go

@@ -11,4 +11,8 @@ const (
 	ObservationTypeLeaseLazyRevoke      = "lease/lazy-revoke"
 	ObservationTypeLeaseRevocation      = "lease/revoke"
 	ObservationTypePolicyACLEvaluation  = "policy/acl/evaluation"
+	ObservationTypeMountAuthEnable      = "mount/auth/enable"
+	ObservationTypeMountAuthDisable     = "mount/auth/disable"
+	ObservationTypeMountSecretsEnable   = "mount/secrets/enable"
+	ObservationTypeMountSecretsDisable  = "mount/secrets/disable"
 )