Skip to content

Commit d5d280c

Browse files
[envoy][rbac] Rule prefix tags (#17392)
* [envoy][rbac] Add shadow_rule_prefix tag to shadow_allowed metric * [envoy][rbac] Add rule_prefix tag to denied and allowed metric * [envoy][rbac] Clarify how optional tags are tested * [envoy][rbac] Changelog * test tag rename function * comments * lint * better implementation * better comment --------- Co-authored-by: steveny91 <steven.yuen@datadoghq.com>
1 parent 99afced commit d5d280c

File tree

9 files changed

+59
-26
lines changed

9 files changed

+59
-26
lines changed

envoy/changelog.d/17392.added

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
Add shadow_rule_prefix tag for shadow_allowed RBAC metric and rule_prefix tag for allowed and denied RBAC metric

envoy/datadog_checks/envoy/envoy.py

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -149,7 +149,6 @@ def check(self, _):
149149
continue
150150

151151
tags.extend(self.custom_tags)
152-
153152
try:
154153
value = int(value)
155154
get_method(self, method)(metric, value, tags=tags)

envoy/datadog_checks/envoy/metrics.py

Lines changed: 14 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3873,7 +3873,7 @@
38733873
'http.rbac.allowed': {
38743874
'tags': (
38753875
('stat_prefix',),
3876-
(),
3876+
('rule_prefix',),
38773877
(),
38783878
),
38793879
'method': 'monotonic_count',
@@ -3897,7 +3897,7 @@
38973897
'http.rbac.shadow_denied': {
38983898
'tags': (
38993899
('stat_prefix',),
3900-
('shadow_rule_prefix',),
3900+
(),
39013901
(),
39023902
),
39033903
'method': 'monotonic_count',
@@ -3952,5 +3952,17 @@
39523952
}
39533953
# fmt: on
39543954

3955+
3956+
LEGACY_TAG_OVERWRITE = {
3957+
# The legacy approach gave very little ability for modifications to be done to tags.
3958+
# This dict allows us to fine tune and replace tags as needed.
3959+
'http.rbac.shadow_denied': {
3960+
'rule_prefix': 'shadow_rule_prefix',
3961+
},
3962+
'http.rbac.shadow_allowed': {
3963+
'rule_prefix': 'shadow_rule_prefix',
3964+
},
3965+
}
3966+
39553967
MOD_METRICS = modify_metrics_dict(METRICS)
39563968
METRIC_TREE = make_metric_tree(METRICS)

envoy/datadog_checks/envoy/parser.py

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@
99
from six.moves import range, zip
1010

1111
from .errors import UnknownMetric, UnknownTags
12-
from .metrics import METRIC_PREFIX, METRIC_TREE, MOD_METRICS
12+
from .metrics import LEGACY_TAG_OVERWRITE, METRIC_PREFIX, METRIC_TREE, MOD_METRICS
1313

1414
HISTOGRAM = re.compile(r'([P0-9.]+)\(([^,]+)')
1515
PERCENTILE_SUFFIX = {
@@ -136,6 +136,13 @@ def parse_metric(metric, retry=False, metric_mapping=METRIC_TREE, disable_legacy
136136
except ValueError:
137137
pass
138138

139+
# Check to see if parsed_metric is in the LEGACY_TAG_OVERWRITE dict and replace the tag name if it is
140+
if parsed_metric in LEGACY_TAG_OVERWRITE:
141+
for k, v in LEGACY_TAG_OVERWRITE[parsed_metric].items():
142+
if k in tag_names:
143+
idx = tag_names.index(k)
144+
tag_names[idx] = v
145+
139146
tags = ['{}:{}'.format(tag_name, tag_value) for tag_name, tag_value in zip(tag_names, tag_values)]
140147

141148
return METRIC_PREFIX + parsed_metric, tags, MOD_METRICS[parsed_metric]['method']
Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
http.foo_buz_enforce.rbac.allowed: 0
2+
http.foo_buz_enforce.rbac.denied: 1
3+
http.foo_buz_enforce.rbac.rule_prefix.allowed: 2
4+
http.foo_buz_enforce.rbac.rule_prefix.denied: 3

envoy/tests/fixtures/legacy/rbac_metric.txt

Lines changed: 0 additions & 8 deletions
This file was deleted.
Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
http.foo_buz_shadow.rbac.shadow_allowed: 0
2+
http.foo_buz_shadow.rbac.shadow_denied: 1
3+
http.foo_buz_shadow.rbac.shadow_rule_prefix.shadow_allowed: 2
4+
http.foo_buz_shadow.rbac.shadow_rule_prefix.shadow_denied: 3

envoy/tests/legacy/common.py

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -61,9 +61,14 @@
6161

6262
CONNECTION_LIMIT_STAT_PREFIX_TAG = ['stat_prefix:ingress_http']
6363

64-
RBAC_METRICS = [
64+
RBAC_ENFORCE_METRICS = [
6565
"envoy.http.rbac.allowed",
6666
"envoy.http.rbac.denied",
67+
]
68+
69+
RBAC_SHADOW_METRICS = [
6770
"envoy.http.rbac.shadow_allowed",
6871
"envoy.http.rbac.shadow_denied",
6972
]
73+
74+
RBAC_METRICS = RBAC_ENFORCE_METRICS + RBAC_SHADOW_METRICS

envoy/tests/legacy/test_unit.py

Lines changed: 22 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,8 @@
2121
INSTANCES,
2222
LOCAL_RATE_LIMIT_METRICS,
2323
RATE_LIMIT_STAT_PREFIX_TAG,
24-
RBAC_METRICS,
24+
RBAC_ENFORCE_METRICS,
25+
RBAC_SHADOW_METRICS,
2526
)
2627

2728
CHECK_NAME = 'envoy'
@@ -256,7 +257,7 @@ def test_metadata_not_collected(datadog_agent, check):
256257

257258

258259
@pytest.mark.parametrize(
259-
('fixture_file', 'metrics', 'standard_tags', 'additional_tags'),
260+
('fixture_file', 'metrics', 'standard_tags', 'optional_tags'),
260261
[
261262
(
262263
'./legacy/stat_prefix',
@@ -265,15 +266,22 @@ def test_metadata_not_collected(datadog_agent, check):
265266
['stat_prefix:bar'],
266267
),
267268
(
268-
'./legacy/rbac_metric.txt',
269-
RBAC_METRICS,
270-
['stat_prefix:foo_buz_112'],
269+
'./legacy/rbac_enforce_metrics.txt',
270+
RBAC_ENFORCE_METRICS,
271+
['stat_prefix:foo_buz_enforce'],
272+
['rule_prefix:rule_prefix'],
273+
),
274+
(
275+
'./legacy/rbac_shadow_metrics.txt',
276+
RBAC_SHADOW_METRICS,
277+
['stat_prefix:foo_buz_shadow'],
271278
['shadow_rule_prefix:shadow_rule_prefix'],
272279
),
273280
],
274281
ids=[
275282
"stats_prefix_ext_auth",
276-
"rbac_prefix_shadow",
283+
"rbac_enforce_metrics",
284+
"rbac_shadow_metrics",
277285
],
278286
)
279287
def test_stats_prefix_optional_tags(
@@ -285,25 +293,26 @@ def test_stats_prefix_optional_tags(
285293
fixture_file,
286294
metrics,
287295
standard_tags,
288-
additional_tags,
296+
optional_tags,
289297
):
290298
instance = INSTANCES['main']
291299
standard_tags.append('endpoint:{}'.format(instance["stats_url"]))
292-
tags_prefix = standard_tags + additional_tags
293300
c = check(instance)
294301
mock_http_response(file_path=fixture_path(fixture_file))
295302
dd_run_check(c)
296303

297-
# To ensure that this change didn't break the old behavior, both the value and the tags are asserted.
298-
# The fixture is created with a specific value and the EXT_METRICS list is done in alphabetical order
299-
# allowing for value to also be asserted
304+
# To test the absence and presence of the optional tags, both the value and the tags are asserted.
305+
# The fixtures must list all metrics, first without and then with the optional tags.
300306
for index, metric in enumerate(metrics):
307+
# Without optional tags.
308+
aggregator.assert_metric(metric, value=index, tags=standard_tags)
309+
310+
# With optional tags.
301311
aggregator.assert_metric(
302312
metric,
303313
value=index + len(metrics),
304-
tags=tags_prefix,
314+
tags=standard_tags + optional_tags,
305315
)
306-
aggregator.assert_metric(metric, value=index, tags=standard_tags)
307316

308317

309318
def test_local_rate_limit_metrics(aggregator, fixture_path, mock_http_response, check, dd_run_check):

0 commit comments

Comments
 (0)