Modification audit logging and using zc.beforestorage to time travel. From #ploneconf2016 presentation, this is an idea for supporting a new kind of Undo in Plone 5.x.

1. A novel approach to undo
Modification audit logging and using
zc.beforestorage to time travel.
Sean Upton / UPIQ
#ploneconf2016 | @sdupton

2. Disclaimers
• Experimental approach
• Unfinished work in progress
• I’m here to pitch an idea about undo, whose
principles have been field tested…
– ... But we need a UI for this.
– .... I’m working on it.
• Today, we’ll look at the pieces and talk about
them.
• Maybe find a way forward for practical undo?
#ploneconf2016 | @sdupton

3. Motivations
• Reasonable degree of interest on Github and
Twitter.
• Some of my users cost me hours fixing human
errors with programmatic monkey-wrenching.
• If we can use this programmatically in
repeatable ways, we can make something
user-facing, no?
• Because we cannot use ”Undo” to undo.
#ploneconf2016 | @sdupton

4. The basics: audit logging
• Audit log of all changes, stored in ZODB
– Logging now is synchronous, may be async in future,
TBD.
– Log all of:
• Deletion
• Modification
• Move
• Addition
– Log independent of Catalog.
– Handlers call logging system
• Logging components adapt site, use annotations.
#ploneconf2016 | @sdupton

5. Audit logging: usage
• Core components tested, but… still needs a
good UI.
• Outside of core use case, this could be used
for regulatory audit requirements (e.g. HIPAA).
• UI plan is enumerating in views:
– A view to enumerate changes, by “facility”
– A view to prune changes
• We may need better possible ZODB conflict
resolution strategy for queuing (LIFO insertion)
of modification facilities logged.
#ploneconf2016 | @sdupton

6. Okay, so you log every change?
• Right, and we will have view to enumerate
these changes, in reverse chronological
(insertion) order.
– With filtering
– With batching
• For regulatory logging, you could to this to a
data retention threshold before pruning, or not
prune this at all. The change records are
small.
#ploneconf2016 | @sdupton

7. Facility
• For each type of change we have a facility:
– Modifications
– Deletions
– Additions
– Moves / renames
• Each logs records with:
– UID
– Path
– Authenticated user
– Timestamp (python datetime, currently local time)
#ploneconf2016 | @sdupton

8. But what do we do with this?
FIX HUMAN ERRORS!
#ploneconf2016 | @sdupton

9. The plan
• I have used zc.beforestorage multiple times to
fix human errors, each time programmatically.
• If what you have is within your kept history,
going back in time is easy.
• We want to make this user-facing, not a
programmer’s problem.
• I’m creating a package called plone.wabac as
a transitional/experimental proof of concept.
– Now soliciting collaborators! J
#ploneconf2016 | @sdupton

10. plone.wabac
• WABAC == “wayback”
• Transitional add-on
• Half-finished
• May get exploded and
federated elsewhere.
• Assumed goal of
eventual PLIP, once
proven.
• Want this to be testable
by users, uninstallable
in meantime.
#ploneconf2016 | @sdupton

11. Restoration, not “Undo”
• We want to restore item to previous known-
good state:
– Before accidental deletion
– Before modification that was problematic.
• This might compete with CMFEditions, so may be a non-
problem.
• But my site stores non-content ZODB stuff on content objects,
so I cannot merely use CMFEditions for rollback.
– Before renaming or moving.
• User picks item from audit log, and clicks
“restore”. Or more than one item at a time.
#ploneconf2016 | @sdupton

12. zc.beforestorage
• Time-travel through your kept history.
• !! Requires you keep history.
• !! Requires you keep enough history.
– We could use this on kept FileStorage backups too, if
we were clever and did not want to only go through
live history.
• But that is not in scope yet, requires configuration.
• Mostly, I want to undo things easily when the
“Oh ****” phone call comes in.
– Or better, tell the site admin how to fix it.
#ploneconf2016 | @sdupton

13. Programmatic use
• Load storage wrapper programmatically.
• setSite() on the time-travelled version.
• Get your content;
• ZEXP export it;
• setSite() on live target;
• Restore from ZEXP.
• Repeat.
– Show example code
#ploneconf2016 | @sdupton

14. Security disclaimers
• We might want to be able to stop ability to
undo things (e.g. delete something very bad,
very quickly, and very permanently).
• My vision now is a site-wide audit logging
facility accessible to Site Administrator or
Manager role.
• We can make this placeful if we index audit
trail by path.
– Not yet in scope.
– Need to ponder permissions for restoration.
#ploneconf2016 | @sdupton

15. Next steps
• Finish the UI for enumeration, filtering, and
pruning of audit data.
• Come up with reasonable tactic for avoiding
conflict for audit logging key insertion.
• Views and adapters for restoration via
zc.beforestorage.
• Logging the restorations themselves.
• Prove concept universally useful, then PLIP it?
#ploneconf2016 | @sdupton

16. Questions?
… and feedback via:
#ploneconf2016 | @sdupton