Auditing information in the app

Periodically, you should verify that the information in the app matches what’s actually on AnVIL. The app provides a number of model methods, typically named anvil_audit, to help with this auditing, as well as objects that store the results of an audit.

Audit results classes

Results from an audit are returned as an object that is a subclass of AnVILAuditResults. The subclasses have a method ok() that indicates if the audit was successful or if any errors were detected. It also can list the set of model instances in the app that were audited against AnVIL using get_verified(); a dictionary of model instances with detected errors and the errors themselves using get_errors(); and the set of records that exist on AnVIL but are not in the app using get_not_in_app().

Different models check different things and have different potential errors.

Model-specific auditing

Billing project auditing

The BillingProject model provides a class method anvil_audit() that runs on all BillingProject model instances in the app. This method runs the following checks:

All BillingProject model instances in the app also exist on AnVIL.

It does not check if there are Billing Projects on AnVIL that don’t have a record in the app.

Account auditing

The Account model provides a class method anvil_audit() that runs on all Account model instances in the app. This method runs the following checks:

All Account model instances in the app also exist on AnVIL.

It does not check if there are Accounts on AnVIL that don’t have a record in the app, since this is expected to be the case.

Managed Group auditing

The ManagedGroup model provides two options for auditing: an instance method anvil_audit() to check membership for a single ManagedGroup, and a class method anvil_audit() that runs on all ManagedGroup model instances in the app.

The anvil_audit_membership() method runs the following checks:

All ManagedGroup model instances in the app also exist on AnVIL.

The service account running the app has the same role (admin vs member) in the app as on AnVIL.

The membership of each group in the app matches the membership on AnVIL (using anvil_audit_membership() method for each ManagedGroup).

No groups that have the app service account as an Admin exist on AnVIL.

The anvil_audit_membership() method runs the following checks for a single ManagedGroup instance:

All account members of this ManagedGroup in the app are also members in AnVIL.

All account admin of this ManagedGroup in the app are also admin in AnVIL.

All group members of this ManagedGroup in the app are also members in AnVIL.

All group admin of this ManagedGroup in the app are also admin in AnVIL.

All admin in AnVIL are also recorded in the app.

All members in AnVIL are also recorded in the app.

Workspace auditing

As for ManagedGroups, the Workspace model provides two options for auditing: an instance method anvil_audit() to check access for a single Workspace, and a class method anvil_audit() that runs on all Workspace model instances in the app.

The anvil_audit() method runs the following checks:

All Workspace model instances in the app also exist on AnVIL.

The service account running the app is an owner on AnVIL of all the Workspace model instances.

The Workspace has the same authorization domains in the app as on AnVIL.

The access to each Workspace in the app matches the access on AnVIL (using anvil_audit_access() method for each Workspace).

No workspaces that have the app service account as an owner exist on AnVIL.

The anvil_audit_membership() method runs the following checks for a single Workspace instance:

All groups that have access in the app also have access in AnVIL.

Each ManagedGroup that has access in the app has the same access in AnVIL.

The can_compute value is the same in the app and on AnVIL.

The can_share value is the same in the app and on AnVIL.

No groups or accounts on AnVIL have access to the workspace that are not recorded in the app.

Running audits

Auditing views

The app provides a number of views for auditing various models.

BillingProject: BillingProjectAudit (accessible from default navbar)

Account: AccountAudit (accessible from default navbar)

ManagedGroup: ManagedGroupAudit (accessible from default navbar)

Workspace: WorkspaceAudit (accessible from default navbar)

Workspaces and ManagedGroups have additional audit views that can audit the sharing and membership, respectively.

ManagedGroup membership: ManagedGroupMembershipAudit (accessible from Managed Group detail page)
Workspace sharing: WorkspaceSharingAudit (accessible from the Workspace detail page)

Auditing via management command

The app also provides a management command (run_anvil_audit) that can run audits and (optionally) send an email report. This command can be used to run audits on a regular schedule, e.g., weekly audits via a cron job.

Here are some examples of calling this command:

# To audit all models and print a report to the terminal.
python manage.py run_anvil_audit

# To audit all models and send an email report to test@example.com.
python manage.py run_anvil_audit --email test@example.com

# To audit just the BillingProject and Account models.
python manage.py run_anvil_audit --models BillingProject Account

More information can be found in the help for run_anvil_audit.