synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-13 21:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: More complete tracing for RBAC functions (#5690)

Browse Source 
* chore: More complete tracing for RBAC functions
* Add input.json as example rbac input for rego cli

The input.json is required to play with the rego cli and debug
the policy without golang. It is good to have an example to run
the commands in the readme.md

* Add span events to capture authorize and prepared results
* chore: Add prometheus metrics to rbac authorizer
This commit is contained in:
Steven Masley
2023-01-13 16:07:15 -06:00
committed by GitHub
parent e821b98918
commit eb48341696
12 changed files with 425 additions and 147 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
coderd/rbac/partial.go
View File

@ -5,6 +5,8 @@ import (
"github.com/open-policy-agent/opa/ast"
"github.com/open-policy-agent/opa/rego"
"go.opentelemetry.io/otel/attribute"
"go.opentelemetry.io/otel/trace"
"golang.org/x/xerrors"
"github.com/coder/coder/coderd/rbac/regosql"
@ -28,7 +30,15 @@ type PartialAuthorizer struct {
var _ PreparedAuthorized = (*PartialAuthorizer)(nil)
func (pa *PartialAuthorizer) CompileToSQL(cfg regosql.ConvertConfig) (string, error) {
func (pa *PartialAuthorizer) CompileToSQL(ctx context.Context, cfg regosql.ConvertConfig) (string, error) {
_, span := tracing.StartSpan(ctx, trace.WithAttributes(
// Query count is a rough indicator of the complexity of the query
// that needs to be converted into SQL.
attribute.Int("query_count", len(pa.preparedQueries)),
attribute.Bool("always_true", pa.alwaysTrue),
))
defer span.End()
filter, err := Compile(cfg, pa)
if err != nil {
return "", xerrors.Errorf("compile: %w", err)
@ -41,7 +51,8 @@ func (pa *PartialAuthorizer) Authorize(ctx context.Context, object Object) error
return nil
}
// No queries means always false
// If we have no queries, then no queries can return 'true'.
// So the result is always 'false'.
if len(pa.preparedQueries) == 0 {
return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), pa.input, nil)
}
@ -111,9 +122,6 @@ EachQueryLoop:
}
func newPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, scope Role, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {
ctx, span := tracing.StartSpan(ctx)
defer span.End()
input := map[string]interface{}{
"subject": authSubject{
ID: subjectID,