policies/reputation: save to database directly#10059
Codecov Report: all modified and coverable lines are covered by tests.

Coverage diff, main vs. #10059:

                 main   #10059     +/-
    Coverage   92.64%   92.64%   -0.01%
    Files         713      711       -2
    Lines       34884    34854      -30
    Hits        32317    32289      -28
    Misses       2567     2565       -2
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
| "ip_geo_data": GEOIP_CONTEXT_PROCESSOR.city_dict(remote_ip) or {}, | ||
| "ip_asn_data": ASN_CONTEXT_PROCESSOR.asn_dict(remote_ip) or {}, | ||
| } | ||
| ) |
We'll also need to update the expiry timestamp here based on the setting above... and maybe wrap this call in a transaction/catch errors, as any saving here would prevent logins from happening due to this being in a sync signal.
Weird that the expiry wasn't updated previously.
As for catching the exception, the previous code didn't, and I think it's a good thing: if we can't save the reputation score anywhere, you shouldn't be able to log in, as that data can be used for security purposes.
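As an added illustration, not authentik's code and not part of this PR, the behaviour discussed in this thread in stand-alone form: an atomic upsert that accumulates the score and refreshes the expiry on every write, and a login check that fails closed when the store is unavailable. It uses an in-memory sqlite3 database in place of PostgreSQL; the table layout (one row per ip/identifier pair), the function names and the threshold are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed stand-in schema; the real model lives in Django, this does not.
SCHEMA = """
CREATE TABLE reputation (
    ip TEXT NOT NULL,
    identifier TEXT NOT NULL,
    score INTEGER NOT NULL,
    expires TEXT NOT NULL,
    PRIMARY KEY (ip, identifier)
);
CREATE INDEX reputation_identifier ON reputation (identifier);
"""

def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def update_score(conn, ip, identifier, amount, expiry=timedelta(days=7), now=None):
    """Atomic upsert: add `amount` to the stored score and push `expires` forward
    on every event. Any database error propagates to the caller (the sync login
    signal), which blocks the attempt instead of silently dropping the score."""
    now = now or datetime.now(timezone.utc)
    expires = (now + expiry).isoformat()
    with conn:  # one transaction: committed on success, rolled back on error
        conn.execute(
            "INSERT INTO reputation (ip, identifier, score, expires) "
            "VALUES (?, ?, ?, ?) "
            "ON CONFLICT(ip, identifier) DO UPDATE SET "
            "score = score + excluded.score, expires = excluded.expires",
            (ip, identifier, amount, expires),
        )

def get_score(conn, ip, identifier, now=None):
    """Current score, ignoring rows whose expiry has passed (cleanup may lag)."""
    now_iso = (now or datetime.now(timezone.utc)).isoformat()
    row = conn.execute(
        "SELECT score FROM reputation WHERE ip = ? AND identifier = ? AND expires > ?",
        (ip, identifier, now_iso),
    ).fetchone()
    return row[0] if row else 0

def login_allowed(conn, ip, identifier, threshold=-5, now=None):
    """Fail closed: an unreachable store raises instead of returning True."""
    try:
        return get_score(conn, ip, identifier, now=now) > threshold
    except sqlite3.Error as exc:
        raise RuntimeError("reputation store unavailable, refusing login") from exc
```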
| def save_reputation(self: SystemTask): | ||
| """Save currently cached reputation to database""" | ||
| objects_to_update = [] | ||
| for _, score in cache.get_many(cache.keys(CACHE_KEY_PREFIX + "*")).items(): |
We might still want to keep this task around/update the other task to attempt to run a vacuum on this table occasionally since there could be quite a bit of writing/deleting to/from it.
There's already the expiring model cleanup which will remove the expired data.
For vacuuming, I think we should let postgres' autovacuum do its thing for now, and if we have reports that things are slow, we can implement that.
True, although I don't know what the default settings for autovacuum are for both compose and k8s installs.
Should be pretty sensible, I think they're the same as a default postgres installation
| identifier=identifier, | ||
| defaults={ | ||
| "score": amount, | ||
| "ip_geo_data": GEOIP_CONTEXT_PROCESSOR.city_dict(remote_ip) or {}, |
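Review bot: `"score": amount` sits inside `defaults`, so the semantics depend on which call this feeds: with `update_or_create`, the stored score is overwritten by the latest event's amount on every write rather than accumulated, and with `get_or_create`, `defaults` only applies on insert, so the increment for an existing row has to happen separately (an `F()`-expression update would cover both cases). Either way, no expiry value appears in `defaults` here, so an existing row's expiry is not refreshed by this call.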
I think both this and ip_asn_data we should maybe dynamically fetch instead of storing it in the database, as the lookup can take quite a bit of time? And then we can cache results of GEOIP_CONTEXT_PROCESSOR based on the IP within the process? (or in redis..?) (maybe this is premature optimization)
Everything should be in memory so it should be quite fast, maybe even faster than storing things in Redis.
| indexes = [ | ||
| models.Index(fields=["identifier"]), | ||
| models.Index(fields=["ip"]), | ||
| models.Index(fields=["ip", "identifier"]), | ||
| ] |
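Review bot: with a btree index, `models.Index(fields=["ip", "identifier"])` already serves queries that filter on `ip` alone (leftmost-prefix rule), so `models.Index(fields=["ip"])` is redundant and only adds write cost on a table the thread expects to see heavy insert/delete traffic; keep the `identifier` index for lookups by user, and if the model already enforces uniqueness on the (ip, identifier) pair, that constraint's own index can replace whichever composite index matches its column order.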
Not fully sure about those either, but it should help a bit
authentik PR installation instructions

Instructions for docker-compose. Add the following block:

    AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
    AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-b5dd60b62b6d8a890d9b470561c7dfa5c6983362
    AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

    AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
    AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-b5dd60b62b6d8a890d9b470561c7dfa5c6983362-arm64
    AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes. Add the following block:

    authentik:
      outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
      image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-ghcr.io/goauthentik/dev-server:gh-b5dd60b62b6d8a890d9b470561c7dfa5c6983362

For arm64, use these values:

    authentik:
      outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
      image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-ghcr.io/goauthentik/dev-server:gh-b5dd60b62b6d8a890d9b470561c7dfa5c6983362-arm64

Afterwards, run the upgrade commands from the latest release notes.
* main:
  website/docs: release notes for 2024.6 (#9812)
  policies/reputation: save to database directly (#10059)
  providers/enterprise: import user/group data when manually linking objects (#10089)
  core, web: update translations (#10108)
  web: Add enterprise / FIPS notification to the AdminOverviewPage (#10090)
  core: bump github.com/getsentry/sentry-go from 0.28.0 to 0.28.1 (#10095)
  web: bump API Client version (#10107)
  admin: system api: do not show FIPS status if no valid license (#10091)
  root: add configuration option to enable fips (#10088)
  web: bump the sentry group across 1 directory with 2 updates (#10101)
  web: bump ts-pattern from 5.1.2 to 5.2.0 in /web (#10098)
  web: bump the storybook group across 1 directory with 7 updates (#10102)
  core: bump github.com/gorilla/websocket from 1.5.2 to 1.5.3 (#10103)
  core: bump pydantic from 2.7.3 to 2.7.4 (#10093)
  core: bump bandit from 1.7.8 to 1.7.9 (#10094)