xds: support built-in Stdout audit logger type #6298
Merged
Changes from 19 commits
Commits
21 commits
4d8e4b7 Add test for building stdout logger (gtcooke94)
f3b679c Cleanup (gtcooke94)
58b9e48 %s/steam/stream/ (gtcooke94)
599cb13 go mod tidy compat=1.17 (gtcooke94)
e5de42f Add test with same name but generic config (gtcooke94)
3f6f35a mod tidy (gtcooke94)
699a42f vet (gtcooke94)
218be79 mod tidy (gtcooke94)
8d3c9c4 mod tidy (gtcooke94)
f349cdc mod tidy (gtcooke94)
ed23d8f Try different marshaler (gtcooke94)
0861548 Address comment (gtcooke94)
eb31885 Address comment (gtcooke94)
32363cd Cleanup test case (gtcooke94)
5997a19 typo Stuct -> Struct (gtcooke94)
ae08173 Address PR comments - cleanup getCustomConfig and testing types (gtcooke94)
c283e73 unexport stdout logger (gtcooke94)
2c689b1 Test cleanup (gtcooke94)
58a309d typo (gtcooke94)
f719de2 simplify helper fn (gtcooke94)
4cda2b3 use MarshalAny testutil (gtcooke94)
@@ -17,12 +17,15 @@ | |||
package rbac | ||||
|
||||
import ( | ||||
"reflect" | ||||
"strings" | ||||
"testing" | ||||
|
||||
v3corepb "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" | ||||
v3rbacpb "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3" | ||||
v3auditloggersstreampb "github.com/envoyproxy/go-control-plane/envoy/extensions/rbac/audit_loggers/stream/v3" | ||||
"google.golang.org/grpc/authz/audit" | ||||
"google.golang.org/grpc/authz/audit/stdout" | ||||
"google.golang.org/protobuf/types/known/anypb" | ||||
) | ||||
|
||||
|
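Review bot: the new "google.golang.org/grpc/authz/audit/stdout" import does double duty here: it supplies stdout.Name and, as the discussion below notes, importing the package is what pre-registers the built-in builder that TestBuildLoggerKnownTypes later looks up via audit.GetLoggerBuilder(stdout.Name). If the non-test rbac code does not import the package itself, buildLogger resolves the name only because this test file imported it; worth confirming where production registration happens, or documenting that callers must import the package for its side effect.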
@@ -47,7 +50,7 @@ func (s) TestBuildLoggerErrors(t *testing.T) { | |||
loggerConfig: &v3rbacpb.RBAC_AuditLoggingOptions_AuditLoggerConfig{ | ||||
AuditLogger: &v3corepb.TypedExtensionConfig{ | ||||
Name: "TestAuditLoggerBuffer", | ||||
TypedConfig: &anypb.Any{}, | ||||
TypedConfig: createUnsupportedPb(t), | ||||
}, | ||||
}, | ||||
expectedError: "custom config not implemented for type ", | ||||
|
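Review bot: with TypedConfig now carrying a real message from createUnsupportedPb(t) instead of an empty anypb.Any, the error presumably names the rejected type URL, so expectedError could state the full message rather than stopping at "custom config not implemented for type " and relying on strings.HasPrefix; as written, any unsupported type satisfies the check, which weakens the assertion that this particular config was the one rejected.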
@@ -102,13 +105,80 @@ func (s) TestBuildLoggerErrors(t *testing.T) { | |||
logger, err := buildLogger(test.loggerConfig) | ||||
if err != nil && !strings.HasPrefix(err.Error(), test.expectedError) { | ||||
t.Fatalf("expected error: %v. got error: %v", test.expectedError, err) | ||||
} else { | ||||
if logger != test.expectedLogger { | ||||
t.Fatalf("expected logger: %v. got logger: %v", test.expectedLogger, logger) | ||||
} | ||||
} | ||||
if logger != test.expectedLogger { | ||||
t.Fatalf("expected logger: %v. got logger: %v", test.expectedLogger, logger) | ||||
} | ||||
|
||||
}) | ||||
} | ||||
} | ||||
|
||||
func (s) TestBuildLoggerKnownTypes(t *testing.T) { | ||||
tests := []struct { | ||||
name string | ||||
loggerConfig *v3rbacpb.RBAC_AuditLoggingOptions_AuditLoggerConfig | ||||
expectedType reflect.Type | ||||
}{ | ||||
{ | ||||
name: "stdout logger", | ||||
|
||||
loggerConfig: &v3rbacpb.RBAC_AuditLoggingOptions_AuditLoggerConfig{ | ||||
AuditLogger: &v3corepb.TypedExtensionConfig{ | ||||
Name: stdout.Name, | ||||
TypedConfig: createStdoutPb(t), | ||||
}, | ||||
IsOptional: false, | ||||
}, | ||||
expectedType: reflect.TypeOf(audit.GetLoggerBuilder(stdout.Name).Build(nil)), | ||||
}, | ||||
{ | ||||
name: "stdout logger with generic TypedConfig", | ||||
loggerConfig: &v3rbacpb.RBAC_AuditLoggingOptions_AuditLoggerConfig{ | ||||
AuditLogger: &v3corepb.TypedExtensionConfig{ | ||||
Name: stdout.Name, | ||||
TypedConfig: createXDSTypedStruct(t, map[string]interface{}{}, stdout.Name), | ||||
}, | ||||
IsOptional: false, | ||||
}, | ||||
expectedType: reflect.TypeOf(audit.GetLoggerBuilder(stdout.Name).Build(nil)), | ||||
}, | ||||
} | ||||
for _, test := range tests { | ||||
t.Run(test.name, func(t *testing.T) { | ||||
logger, err := buildLogger(test.loggerConfig) | ||||
if err != nil { | ||||
t.Fatalf("expected success. got error: %v", err) | ||||
|
||||
} | ||||
loggerType := reflect.TypeOf(logger) | ||||
if test.expectedType != loggerType { | ||||
t.Fatalf("logger not of expected type. want: %v got: %v", test.expectedType, loggerType) | ||||
} | ||||
}) | ||||
} | ||||
} | ||||
|
||||
// Builds stdout config for audit logger proto. | ||||
func createStdoutPb(t *testing.T) *anypb.Any { | ||||
t.Helper() | ||||
pb := &v3auditloggersstreampb.StdoutAuditLog{} | ||||
customConfig, err := anypb.New(pb) | ||||
if err != nil { | ||||
t.Fatalf("createStdoutPb failed during anypb.New: %v", err) | ||||
} | ||||
return customConfig | ||||
} | ||||
|
||||
// Builds a config with a nonsensical type in the anypb.Any. | ||||
func createUnsupportedPb(t *testing.T) *anypb.Any { | ||||
I think you might be able to re-use grpc-go/internal/testutils/marshal_any.go Line 30 in 59134c3
Changed
||||
t.Helper() | ||||
// This type doesn't make sense to have here, it could realistically be any | ||||
// proto that is not accepted in our custom config parsing. This was chosen | ||||
// because it is already imported. | ||||
pb := &v3rbacpb.RBAC_AuditLoggingOptions{} | ||||
customConfig, err := anypb.New(pb) | ||||
if err != nil { | ||||
t.Fatalf("createStdoutPb failed during anypb.New: %v", err) | ||||
} | ||||
return customConfig | ||||
|
||||
} |
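Review bot: the restructured check in TestBuildLoggerErrors no longer fails when buildLogger returns no error at all: if err is nil the first branch is skipped and the case passes as long as logger equals test.expectedLogger, so an error case that wrongly returns (nil, nil) goes undetected. Add an explicit `if err == nil { t.Fatalf("expected error %q, got nil", test.expectedError) }` before the prefix comparison. Two smaller points: the Fatalf in createUnsupportedPb still says "createStdoutPb failed during anypb.New" (copied from the helper above), and both helpers repeat the same anypb.New-plus-Fatalf pattern that the shared test utility mentioned in the inline comment would cover.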
Are all loggers going to be registered with a _logger suffix? Isn't this redundant? Is this standardized across languages or no?
While I don't have strong preference on whether to keep this suffix, we are using the same name in C++ and it will be the same across languages such that the same authz policy can work everywhere.
This was previously hardcoded here.
I was just pulling it out to be an exported const so it could be looked up.
I'd be okay to change the name to stdout, what do you think @rockspore
Oh wait..should this just not even be in the registry at all? It seems like it's a built-in type that we support and not something that is supposed to be supported via the registry for generic loggers?
I believe the intention with the built in types is that we place them in the registry for use -
grpc-go/authz/audit/stdout/stdout_logger.go
Lines 34 to 38 in a6e1acf
@rockspore please check me here
If there is no strong preference, I'm leaning towards keeping it as is so that we don't have to change what's already in C++ and the latest gRFC PR.
We use the same registry for built-in loggers. We just pre-register them by importing the pkg here. The registry API probably needs to prevent the built-in types from being overwritten.
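To make the overwrite concern concrete, here is an added Go sketch (example code, not grpc-go's own registry) of a registry that pre-registers a built-in name at init time and refuses user registrations under that name. The LoggerBuilder shape and the "stdout_logger" name are assumptions; the name only mirrors the _logger suffix discussed above.

```go
package main

import "fmt"

// LoggerBuilder is a stand-in for the audit.LoggerBuilder interface (assumed shape);
// nameOnly is a trivial builder used for both the built-in and the user case.
type LoggerBuilder interface{ Name() string }
type nameOnly string

func (n nameOnly) Name() string { return string(n) }

// Registration is expected at init time only, so this sketch does no locking.
var (
	builders = map[string]LoggerBuilder{}
	builtin  = map[string]bool{} // names registered by the library itself
)

// registerBuiltin is what a built-in package (such as the stdout logger) would
// call from its own init(); user code never calls it.
func registerBuiltin(b LoggerBuilder) {
	builders[b.Name()] = b
	builtin[b.Name()] = true
}

// RegisterLoggerBuilder is the user-facing entry point. It refuses to shadow a
// built-in name, so an authz policy that names the stdout logger cannot be
// silently routed to a different implementation by a later registration.
func RegisterLoggerBuilder(b LoggerBuilder) error {
	if builtin[b.Name()] {
		return fmt.Errorf("audit: %q is built in and cannot be overridden", b.Name())
	}
	builders[b.Name()] = b
	return nil
}

// GetLoggerBuilder resolves the name carried in TypedExtensionConfig.Name;
// nil means the name is not registered at all.
func GetLoggerBuilder(name string) LoggerBuilder {
	return builders[name]
}

// "stdout_logger" is a constructed name for this example (it mirrors the
// _logger suffix discussed above), not necessarily the real stdout.Name.
func init() { registerBuiltin(nameOnly("stdout_logger")) }

func main() {
	fmt.Println("override built-in:", RegisterLoggerBuilder(nameOnly("stdout_logger")))
	fmt.Println("custom:", RegisterLoggerBuilder(nameOnly("my_logger")), GetLoggerBuilder("my_logger"))
}
```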
This doesn't sound right to me.
I think the built-in types should be hard-coded and not be present in the registry. IIUC the registry is for the custom types that users can implement. AFAICT there's no need to put the built-in types into the registry. It buys us nothing and seems to have some downsides.
I think this is an important but tangential-to-this-pr point to iron out.
@dfawley how would you feel about keeping this PR going as if the current behavior is the right behavior.
Then, we can resolve this separately, and if we change how the stdout logger is constructed we will update that in a separate PR.
As the audit logging is currently implemented, this is the correct way to do it.
Hmm, maybe this is fine. This is still pretty similar to our LB policy design this was based on. The difference here is that the two steps of converting from xds config to local config and then building are so close together that it seems unnecessary to have them be separate. But they're separate because we intend for them to be used through other pathways than xDS, right?
Right, we tried to stay similar to the LB policy for consistency
Yes, it can come through here through NewStatic