Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add authorize operation metrics #206

Merged
merged 1 commit into from
Oct 15, 2024
Merged

feat: add authorize operation metrics #206

merged 1 commit into from
Oct 15, 2024

Conversation

jeqo
Copy link
Contributor

@jeqo jeqo commented Oct 11, 2024

Currently, the only way to troubleshoot denied operations is by going to the log.
To make this easier, there are a couple of metrics being added: one for each result type.
Allowed operations are tagged by operation, so the cardinality is bound to the type of operations.
Denied operations are tagged further with resource and principal. Even though this increases the cardinality considerably, it should only be used for the cases where there are authorization issues.

@jeqo jeqo marked this pull request as ready for review October 12, 2024 17:21
@jeqo jeqo requested review from a team as code owners October 12, 2024 17:21
@jeqo jeqo force-pushed the jeqo/metrics branch 2 times, most recently from 9077473 to 7e149b2 Compare October 15, 2024 06:44
jeqo
jeqo commented Oct 15, 2024
View reviewed changes
src/main/java/io/aiven/kafka/auth/AivenAclAuthorizerConfig.java Outdated
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding standard kafka metrics configurations (available in other modules using kafka-metrics).

src/main/java/io/aiven/kafka/auth/AivenAclAuthorizerMetrics.java
import org.apache.kafka.common.utils.Time;
import org.apache.kafka.server.authorizer.AuthorizationResult;

public class AivenAclAuthorizerMetrics {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding total/rate metrics for allowed/denied operations:

  • Allowed tagged by operation to know e.g. which operation may be rising.
  • Denied tagged by op/resource/principal to know e.g. which client is failing to authenticate to which resource.

@jeqo jeqo requested a review from biggusdonzus October 15, 2024 06:46
@jeqo
feat: add authorize operation metrics
6f348d4 
Currently, the only way to troubleshoot denied operations is by going to
the log.
To make this easier, there are a couple of metrics being added:
one for each result type.
Allowed operations are tagged by operation, so the cardinality is bound
to the type of operations.
Denied operations are tagged further with resource and principal.
Even though this increases the cardinality considerably, it should only
be used for the cases where there are authorization issues.
biggusdonzus
biggusdonzus approved these changes Oct 15, 2024
View reviewed changes
Copy link
Contributor

@biggusdonzus biggusdonzus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@biggusdonzus biggusdonzus merged commit 0e175d1 into main Oct 15, 2024
4 checks passed
@biggusdonzus biggusdonzus deleted the jeqo/metrics branch October 15, 2024 13:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@biggusdonzus biggusdonzus biggusdonzus approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jeqo @biggusdonzus