collect metrics for RBAC shadow policy#4062
Conversation
2c46cd5 to
f1b007d
Compare
There was a problem hiding this comment.
snake_case for all function parameters and local variables (throughout)
There was a problem hiding this comment.
Do we want to validate if there is a dup of policy ID?
There was a problem hiding this comment.
should be fine since rules.policies is map which guarantees no dup.
There was a problem hiding this comment.
filter_metadata() is not scoped to each filter, at least you should add .at(HttpFilterNames::get().Rbac) at the end.
There was a problem hiding this comment.
make Struct first and then merge once?
9840cd8 to
0b97f68
Compare
|
@lizan , seems the error is due to some files was removed recently, sync to latest master and see. |
Signed-off-by: Quanjie Lin <quanlin@google.com>
Signed-off-by: Quanjie Lin <quanlin@google.com>
1eb2e8c to
9d70d38
Compare
mattklein123
left a comment
There was a problem hiding this comment.
Few small comments, thank you!
| virtual bool allowed(const Network::Connection& connection, const Envoy::Http::HeaderMap& headers, | ||
| const envoy::api::v2::core::Metadata& metadata) const PURE; | ||
| const envoy::api::v2::core::Metadata& metadata, | ||
| std::string& effective_policy_id) const PURE; |
There was a problem hiding this comment.
added comment for effective_policy_id
| const absl::optional<Filters::Common::RBAC::RoleBasedAccessControlEngineImpl>& shadow_engine = | ||
| config_->engine(callbacks_->route(), EnforcementMode::Shadow); | ||
| if (shadow_engine.has_value()) { | ||
| std::string shadow_resp_code = "200"; |
There was a problem hiding this comment.
Can we switch these to static constants.
| if (filter_it != filter_metadata.end()) { | ||
| ProtobufWkt::Struct metrics; | ||
|
|
||
| if (effective_policy_id != "") { |
There was a problem hiding this comment.
nit: !effective_policy_id.empty() (can this happen btw, isn't every policy named even if default?)
There was a problem hiding this comment.
updated.(when there is no matching policy found in allowed , effective_policy_id here is default to be empty)
| if (effective_policy_id != "") { | ||
| ProtobufWkt::Value policy_id; | ||
| policy_id.set_string_value(effective_policy_id); | ||
| (*metrics.mutable_fields())["shadow_effective_policyID"] = policy_id; |
There was a problem hiding this comment.
Static constants for "shadow_effective_policyID" to avoid construction (same below)
| if (engine.has_value()) { | ||
| if (engine->allowed(*callbacks_->connection(), headers, | ||
| callbacks_->requestInfo().dynamicMetadata())) { | ||
| callbacks_->requestInfo().dynamicMetadata(), effective_policy_id)) { |
There was a problem hiding this comment.
Why don't we use this value here? Can we avoid cost by passing nullptr and not filling/copying?
There was a problem hiding this comment.
we only need effective_policy_id for shadow case for now(can add later if needed); nullptr is invalid since allowed takes std::string& ?
There was a problem hiding this comment.
I would make it take std::string* then.
Signed-off-by: Quanjie Lin <quanlin@google.com>
Signed-off-by: Quanjie Lin <quanlin@google.com>
mattklein123
left a comment
There was a problem hiding this comment.
LGTM, small comment. Thanks!
| * @param headers the headers of the incoming request used to identify the action/principal. An | ||
| * empty map should be used if there are no headers available. | ||
| * @param metadata the metadata with additional information about the action/principal. | ||
| * @param effective_policy_id the matching policy's ID to identity the source of the allow/deny. |
There was a problem hiding this comment.
Can you specify that this will be filled with the policy ID? It sounds like it's an input parameter.
There was a problem hiding this comment.
updated comment; thank you for the review !
Signed-off-by: Quanjie Lin <quanlin@google.com>
|
/cc @liminw @qiwzhang @diemtvu @yangminzhu FYI. |
Description:
To complete RBAC policy dark launch from envoy side(#3552), shadow policy metrics needs to be collected(shadow response code + effective policyID); so that we could use those metrics to build report/dashboard to monitor dark launch policy running result.
Risk Level: Low
Signed-off-by: Quanjie Lin quanlin@google.com