From 4ca9e5992decad4728d3b98a6be6f463350f37e6 Mon Sep 17 00:00:00 2001
From: Ningning Cheng
Date: Thu, 9 Feb 2023 15:41:09 -0800
Subject: [PATCH 1/3] add authz log only metric
---
 pkg/mongoproxy/plugins/authz/plugin.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkg/mongoproxy/plugins/authz/plugin.go b/pkg/mongoproxy/plugins/authz/plugin.go
index af32cae..626c902 100644
--- a/pkg/mongoproxy/plugins/authz/plugin.go
+++ b/pkg/mongoproxy/plugins/authz/plugin.go
@@ -29,6 +29,10 @@ var (
 Name: "mongoproxy_plugins_authz_deny_total",
 Help: "The total deny returns of a command",
 }, []string{"db", "collection", "command"})
+ authzLogOnly = promauto.NewCounterVec(prometheus.CounterOpts{
+ Name: "mongoproxy_plugins_authz_logonly_total",
+ Help: "The total num of cmd that hit log only policy",
+ }, []string{"type", "user", "policy", "effect", "method", "resource", "command", "db", "collection"})
 OPEN_COMMAND = map[string]struct{}{
 "isMaster": {},
@@ -540,6 +544,7 @@ func (p *AuthzPlugin) Process(ctx context.Context, r *plugins.Request, next plug
 identitiesStrings = make([][]string, len(identities))
 for i, id := range identities {
 identitiesStrings[i] = []string{id.Type(), id.User()}
+ authzLogOnly.WithLabelValues(id.Type(), id.User(), logRule.PolicyName, logRule.Effect.String(), result.AuthorizationMethod.String(), result.Resource.String(), r.CommandName, command.GetCommandDatabase(r.Command), command.GetCommandCollection(r.Command)).Inc()
 }
 }
 logrus.NewEntry(logrus.StandardLogger()).WithFields(logrus.Fields{
From 06ea002ad8c3daa1001f35d58fb6eb9aeea4b1e0 Mon Sep 17 00:00:00 2001
From: Ningning Cheng
Date: Wed, 24 May 2023 18:44:49 -0700
Subject: [PATCH 2/3] add debugging output
---
 pkg/mongoproxy/plugins/authz/plugin.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/mongoproxy/plugins/authz/plugin.go b/pkg/mongoproxy/plugins/authz/plugin.go
index 626c902..cc0ae0f 100644
--- a/pkg/mongoproxy/plugins/authz/plugin.go
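Review bot: The label set on `authzLogOnly` in PATCH 1/3's `@@ -29,6 +29,10 @@` hunk includes `user` and `resource`, so the number of time series grows with every distinct identity and target that reaches a log-only rule. The call site in the `@@ -540,6 +544,7 @@` hunk also fills `db` and `collection` from `r.Command`, which is presumably client-supplied, so label values are not bounded by configuration and the registry's memory can grow without limit. The metrics endpoint would also publish user names and resource strings to anyone able to scrape it, while the logrus entry that follows already records identities per event. I would keep the counter to bounded dimensions, e.g. `}, []string{"type", "policy", "effect", "method", "command", "db", "collection"})`, and drop the matching arguments from `WithLabelValues`. The same call is carried through PATCH 2/3 and 3/3.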
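Review bot: `Inc()` in PATCH 1/3's `@@ -540,6 +544,7 @@` hunk sits inside `for i, id := range identities`, so one command carrying several identities adds several counts, while the metric's help text reads "The total num of cmd that hit log only policy". Anyone alerting on this series would over-count commands. Either state the unit in the help string, `Help: "Log-only policy matches, counted once per identity",`, or increment once per rule outside the identity loop. The enclosing `Process` body starts and ends outside this hunk.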
+++ b/pkg/mongoproxy/plugins/authz/plugin.go
@@ -544,7 +544,8 @@ func (p *AuthzPlugin) Process(ctx context.Context, r *plugins.Request, next plug
 identitiesStrings = make([][]string, len(identities))
 for i, id := range identities {
 identitiesStrings[i] = []string{id.Type(), id.User()}
- authzLogOnly.WithLabelValues(id.Type(), id.User(), logRule.PolicyName, logRule.Effect.String(), result.AuthorizationMethod.String(), result.Resource.String(), r.CommandName, command.GetCommandDatabase(r.Command), command.GetCommandCollection(r.Command)).Inc()
+ log.Println("Hitting metric mongoproxy_plugins_authz_logonly_total...")
+ authzLogOnly.WithLabelValues(id.Type(), id.User(), logRule.PolicyName, logRule.Effect.String(), result.AuthorizationMethod.String(), result.Resource.String(), r.CommandName, command.GetCommandDatabase(r.Command), command.GetCommandCollection(r.Command)).Inc()
 }
 }
 logrus.NewEntry(logrus.StandardLogger()).WithFields(logrus.Fields{
From dd739271391c34281b7ede953421a27005ed4058 Mon Sep 17 00:00:00 2001
From: Ningning Cheng
Date: Wed, 24 May 2023 19:31:50 -0700
Subject: [PATCH 3/3] move outside if
---
 pkg/mongoproxy/plugins/authz/plugin.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/pkg/mongoproxy/plugins/authz/plugin.go b/pkg/mongoproxy/plugins/authz/plugin.go
index cc0ae0f..8690f89 100644
--- a/pkg/mongoproxy/plugins/authz/plugin.go
+++ b/pkg/mongoproxy/plugins/authz/plugin.go
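Review bot: The added `log.Println("Hitting metric mongoproxy_plugins_authz_logonly_total...")` in PATCH 2/3 is unconditional debug output on the authorization path, written through the standard `log` package while the surrounding code logs through logrus. It emits one context-free line per identity for each matching request, which adds noise around the structured authz entry and cannot be silenced by log level. I would drop it before merge, or make it `logrus.WithField("policy", logRule.PolicyName).Debug("authz log-only metric incremented")`. No import change is visible in this patch, so `log` is presumably already imported in plugin.go. The line is carried unchanged into PATCH 3/3.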
@@ -542,11 +542,11 @@ func (p *AuthzPlugin) Process(ctx context.Context, r *plugins.Request, next plug
 for _, logRule := range result.LogOnlyRules {
 if identitiesStrings == nil {
 identitiesStrings = make([][]string, len(identities))
- for i, id := range identities {
- identitiesStrings[i] = []string{id.Type(), id.User()}
- log.Println("Hitting metric mongoproxy_plugins_authz_logonly_total...")
- authzLogOnly.WithLabelValues(id.Type(), id.User(), logRule.PolicyName, logRule.Effect.String(), result.AuthorizationMethod.String(), result.Resource.String(), r.CommandName, command.GetCommandDatabase(r.Command), command.GetCommandCollection(r.Command)).Inc()
- }
+ }
+ for i, id := range identities {
+ identitiesStrings[i] = []string{id.Type(), id.User()}
+ log.Println("Hitting metric mongoproxy_plugins_authz_logonly_total...")
+ authzLogOnly.WithLabelValues(id.Type(), id.User(), logRule.PolicyName, logRule.Effect.String(), result.AuthorizationMethod.String(), result.Resource.String(), r.CommandName, command.GetCommandDatabase(r.Command), command.GetCommandCollection(r.Command)).Inc()
 }
 logrus.NewEntry(logrus.StandardLogger()).WithFields(logrus.Fields{
 "identities": identitiesStrings,
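Review bot: Moving the whole identity loop out of the `if identitiesStrings == nil` guard in PATCH 3/3 also moves the `identitiesStrings[i] = ...` fill, so the same slice is rewritten for every entry in `result.LogOnlyRules` and the guard now protects only the `make`. The declaration of `identitiesStrings` is outside the hunk (as is the rest of `Process`), so it cannot be confirmed here that a non-nil value always has `len(identities)` entries; if it does not, the indexed write would panic. Keeping the fill under the guard and giving the counter its own loop preserves the per-rule count without the repeated work. The sketch below omits the debug `log.Println` line.

```go
	if identitiesStrings == nil {
		identitiesStrings = make([][]string, len(identities))
		for i, id := range identities {
			identitiesStrings[i] = []string{id.Type(), id.User()}
		}
	}
	for _, id := range identities {
		authzLogOnly.WithLabelValues(id.Type(), id.User(), logRule.PolicyName, logRule.Effect.String(), result.AuthorizationMethod.String(), result.Resource.String(), r.CommandName, command.GetCommandDatabase(r.Command), command.GetCommandCollection(r.Command)).Inc()
	}
	// … unchanged: logrus entry with "identities": identitiesStrings …
```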