[AzPubSub] Adding tags/dimensions for Authorizer and Authenticator metrics (#64)

yangguo-ms · senthilm-ms · commit 60d55ccb138b · 2021-06-10T17:24:29.000-07:00
diff --git a/azpubsub/src/main/java/com/microsoft/azpubsub/security/auth/AzPubSubPrincipal.java b/azpubsub/src/main/java/com/microsoft/azpubsub/security/auth/AzPubSubPrincipal.java
@@ -25,10 +25,17 @@
  */
 public class AzPubSubPrincipal extends KafkaPrincipal {
     private Set<String> roles;
+    private String principalStr;
 
     public AzPubSubPrincipal(String principalType, String name, Set<String> roles) {
         super(principalType, name);
         this.roles = roles;
+        this.principalStr = "";
+        if (roles.size() > 1) {
+            this.principalStr = roles.stream().skip(1).findFirst().orElse("");
+        } else {
+            this.principalStr = roles.stream().findFirst().orElse("");
+        }
     }
 
     public Set<String> getRoles() {
@@ -46,4 +53,8 @@ public boolean equals(Object o) {
     public int hashCode() {
         return super.hashCode();
     }
+
+    public String getPrincipalName() {
+        return principalStr;
+    }
 }
diff --git a/azpubsub/src/main/scala/com/microsoft/azpubsub/security/AuthenticatorMetrics.scala b/azpubsub/src/main/scala/com/microsoft/azpubsub/security/AuthenticatorMetrics.scala
@@ -0,0 +1,84 @@
+package com.microsoft.azpubsub.security
+
+import com.yammer.metrics.core.Meter
+import kafka.utils.Pool
+
+import java.util.concurrent.TimeUnit
+import scala.jdk.CollectionConverters._
+
+class AuthenticatorMetrics(tags: scala.collection.Map[String, String]) extends AzPubSubSecurityMetrics {
+
+    case class MeterWrapper(metricType: String, eventType: String) {
+        @volatile private var lazyMeter: Meter = _
+        private val meterLock = new Object
+
+        def meter(): Meter = {
+            var meter = lazyMeter
+            if (meter == null) {
+                meterLock synchronized {
+                    meter = lazyMeter
+                    if (meter == null) {
+                        meter = newMeter(metricType, eventType, TimeUnit.SECONDS, tags)
+                        lazyMeter = meter
+                    }
+                }
+            }
+            meter
+        }
+
+        if (tags.isEmpty) // greedily initialize the general topic metrics
+            meter()
+    }
+
+    // an internal map for "lazy initialization" of certain metrics
+    private val metricTypeMap = new Pool[String, MeterWrapper]
+    metricTypeMap.putAll(Map(
+        AuthenticatorStats.AuthenticatorServerSuccessPerSec -> MeterWrapper(AuthenticatorStats.AuthenticatorServerSuccessPerSec, "success"),
+        AuthenticatorStats.AuthenticatorServerFailurePerSec -> MeterWrapper(AuthenticatorStats.AuthenticatorServerFailurePerSec, "failure"),
+        AuthenticatorStats.AuthenticatorClientSuccessPerSec -> MeterWrapper(AuthenticatorStats.AuthenticatorClientSuccessPerSec, "success"),
+        AuthenticatorStats.AuthenticatorClientFailurePerSec -> MeterWrapper(AuthenticatorStats.AuthenticatorClientFailurePerSec, "failure"),
+        AuthenticatorStats.AuthenticatorClientTrustDisabledPerSec -> MeterWrapper(AuthenticatorStats.AuthenticatorClientTrustDisabledPerSec, "success"),
+        AuthenticatorStats.AuthenticatorDsmsCertCacheSuccessPerSec -> MeterWrapper(AuthenticatorStats.AuthenticatorDsmsCertCacheSuccessPerSec, "success"),
+        AuthenticatorStats.AuthenticatorDsmsCertCacheFailurePerSec -> MeterWrapper(AuthenticatorStats.AuthenticatorDsmsCertCacheFailurePerSec, "failure"),
+    ).asJava)
+
+    def serverSuccessRate = metricTypeMap.get(AuthenticatorStats.AuthenticatorServerSuccessPerSec).meter()
+
+    def serverFailureRate = metricTypeMap.get(AuthenticatorStats.AuthenticatorServerFailurePerSec).meter()
+
+    def clientSuccessRate = metricTypeMap.get(AuthenticatorStats.AuthenticatorClientSuccessPerSec).meter()
+
+    def clientFailureRate = metricTypeMap.get(AuthenticatorStats.AuthenticatorClientFailurePerSec).meter()
+
+    def clientTrustDisabledRate = metricTypeMap.get(AuthenticatorStats.AuthenticatorClientTrustDisabledPerSec).meter()
+
+    def dsmsCertCacheSuccessRate = metricTypeMap.get(AuthenticatorStats.AuthenticatorDsmsCertCacheSuccessPerSec).meter()
+
+    def dsmsCertCacheFailureRate = metricTypeMap.get(AuthenticatorStats.AuthenticatorDsmsCertCacheFailurePerSec).meter()
+}
+
+object AuthenticatorStats {
+    val AuthenticatorServerSuccessPerSec = "AuthenticatorServerSuccessPerSec"
+    val AuthenticatorServerFailurePerSec = "AuthenticatorServerFailurePerSec"
+    val AuthenticatorClientSuccessPerSec = "AuthenticatorClientSuccessPerSec"
+    val AuthenticatorClientFailurePerSec = "AuthenticatorClientFailurePerSec"
+    val AuthenticatorClientTrustDisabledPerSec = "AuthenticatorClientTrustDisabledPerSec"
+    val AuthenticatorDsmsCertCacheSuccessPerSec = "AuthenticatorDsmsCertCacheSuccessPerSec"
+    val AuthenticatorDsmsCertCacheFailurePerSec = "AuthenticatorDsmsCertCacheFailurePerSec"
+}
+
+class AuthenticatorStats {
+    private val stats = new Pool[String, AuthenticatorMetrics]
+
+    def allStats(identity: String, authType: String): AuthenticatorMetrics = {
+        val identityStr = identity.replaceAll(",", "_").replaceAll("\\\\\\\\", "_").replaceAll("\\\\", "_")
+        val tags: scala.collection.Map[String, String] = Map("auth-type" -> authType, "identity" -> identityStr)
+
+        val key = authType + identityStr
+        if (!stats.contains(key)) {
+            stats.put(key, new AuthenticatorMetrics(tags))
+        }
+
+        stats.get(key)
+    }
+}
diff --git a/azpubsub/src/main/scala/com/microsoft/azpubsub/security/auth/AzPubSubAclAuthorizer.scala b/azpubsub/src/main/scala/com/microsoft/azpubsub/security/auth/AzPubSubAclAuthorizer.scala
@@ -3,27 +3,25 @@ package com.microsoft.azpubsub.security.auth
 import com.typesafe.scalalogging.Logger
 import com.yammer.metrics.core.{Meter, MetricName}
 import kafka.metrics.KafkaMetricsGroup
-import kafka.security.auth._
-import kafka.security.authorizer.{AclAuthorizer, AuthorizerUtils}
-import kafka.utils.Logging
+import kafka.security.authorizer.AclAuthorizer
+import kafka.utils.{Logging, Pool}
+import org.apache.kafka.common.resource.ResourceType.TOPIC
 import org.apache.kafka.common.security.auth.{KafkaPrincipal, SecurityProtocol}
 import org.apache.kafka.common.utils.Utils
 import org.apache.kafka.server.authorizer.{Action, AuthorizableRequestContext, AuthorizationResult}
 
 import java.net.InetAddress
 import java.util
 import java.util.concurrent._
-import scala.collection.JavaConverters._
+import scala.jdk.CollectionConverters._
 
 /*
  * AzPubSub ACL Authorizer to handle the certificate & role based principal type
  */
-class AzPubSubAclAuthorizer extends AclAuthorizer with Logging with KafkaMetricsGroup {
+class AzPubSubAclAuthorizer extends AclAuthorizer with Logging {
   private[security] val aclAuthorizerLogger = Logger("kafka.authorizer.logger")
 
-  private val successRate: Meter = newMeter("AuthorizerSuccessPerSec", "success", TimeUnit.SECONDS)
-  private val failureRate: Meter = newMeter("AuthorizerFailurePerSec", "failure", TimeUnit.SECONDS)
-  private val disabledRate: Meter = newMeter("AuthorizerDisabledPerSec", "success", TimeUnit.SECONDS)
+  private val authorizerStats = new AuthorizerStats
 
   private var authZConfig: AuthZConfig = null
 
@@ -34,20 +32,23 @@ class AzPubSubAclAuthorizer extends AclAuthorizer with Logging with KafkaMetrics
     super.configure(javaConfigs)
   }
 
-  override def metricName(name: String, metricTags: scala.collection.Map[String, String]): MetricName = {
-    explicitMetricName("azpubsub.security", "AuthorizerMetrics", name, metricTags)
-  }
-
   override def authorize(requestContext: AuthorizableRequestContext, actions: util.List[Action]): util.List[AuthorizationResult] = {
     actions.asScala.map { action => this.authorizeAction(requestContext, action) }.asJava
   }
 
   private def authorizeAction(requestContext: AuthorizableRequestContext, action: Action): AuthorizationResult = {
     val resource = action.resourcePattern
-    if (resource.resourceType == Topic && authZConfig.isDisabled(resource.name)) {
+    val sessionPrincipal = requestContext.principal
+    var principalName = sessionPrincipal.getName
+    if (classOf[AzPubSubPrincipal] == sessionPrincipal.getClass) {
+      val principal = sessionPrincipal.asInstanceOf[AzPubSubPrincipal]
+      principalName = principal.getPrincipalName
+    }
+
+    if (resource.resourceType == TOPIC && authZConfig.isDisabled(resource.name)) {
       aclAuthorizerLogger.debug(s"AuthZ is disabled for resource: $resource")
-      successRate.mark()
-      disabledRate.mark()
+      authorizerStats.allStats(action, principalName).successRate.mark()
+      authorizerStats.allStats(action, principalName).disabledRate.mark()
       return AuthorizationResult.ALLOWED
     }
 
@@ -64,23 +65,92 @@ class AzPubSubAclAuthorizer extends AclAuthorizer with Logging with KafkaMetrics
       }
     }
 
-    val sessionPrincipal = requestContext.principal
     if (classOf[AzPubSubPrincipal] == sessionPrincipal.getClass) {
       val principal = sessionPrincipal.asInstanceOf[AzPubSubPrincipal]
       for (role <- principal.getRoles.asScala) {
         val claimPrincipal = new KafkaPrincipal(principal.getPrincipalType(), role)
         val claimRequestContext = getClaimRequestContext(requestContext, claimPrincipal)
         if (super.authorize(claimRequestContext, List(action).asJava).asScala.head == AuthorizationResult.ALLOWED) {
-          successRate.mark()
+          authorizerStats.allStats(action, claimPrincipal.getName).successRate.mark()
           return AuthorizationResult.ALLOWED
         }
       }
     } else if (super.authorize(requestContext, List(action).asJava).asScala.head == AuthorizationResult.ALLOWED) {
-      successRate.mark()
+      authorizerStats.allStats(action, principalName).successRate.mark()
       return AuthorizationResult.ALLOWED
     }
 
-    failureRate.mark()
+    authorizerStats.allStats(action, principalName).failureRate.mark()
     return AuthorizationResult.DENIED
   }
 }
+
+class AuthorizerMetrics(tags: scala.collection.Map[String, String]) extends KafkaMetricsGroup {
+
+  case class MeterWrapper(metricType: String, eventType: String) {
+    @volatile private var lazyMeter: Meter = _
+    private val meterLock = new Object
+
+    def meter(): Meter = {
+      var meter = lazyMeter
+      if (meter == null) {
+        meterLock synchronized {
+          meter = lazyMeter
+          if (meter == null) {
+            meter = newMeter(metricType, eventType, TimeUnit.SECONDS, tags)
+            lazyMeter = meter
+          }
+        }
+      }
+      meter
+    }
+
+    if (tags.isEmpty) // greedily initialize the general topic metrics
+      meter()
+  }
+
+  // an internal map for "lazy initialization" of certain metrics
+  private val metricTypeMap = new Pool[String, MeterWrapper]
+  metricTypeMap.putAll(Map(
+    AuthorizerStats.SuccessPerSec -> MeterWrapper(AuthorizerStats.SuccessPerSec, "success"),
+    AuthorizerStats.FailurePerSec -> MeterWrapper(AuthorizerStats.FailurePerSec, "failure"),
+    AuthorizerStats.DisabledPerSec -> MeterWrapper(AuthorizerStats.DisabledPerSec, "success"),
+  ).asJava)
+
+  def successRate = metricTypeMap.get(AuthorizerStats.SuccessPerSec).meter()
+
+  def failureRate = metricTypeMap.get(AuthorizerStats.FailurePerSec).meter()
+
+  def disabledRate = metricTypeMap.get(AuthorizerStats.DisabledPerSec).meter()
+
+  override def metricName(name: String, metricTags: scala.collection.Map[String, String]): MetricName = {
+    explicitMetricName("azpubsub.security", "AuthorizerMetrics", name, metricTags)
+  }
+}
+
+object AuthorizerStats {
+  val SuccessPerSec = "AuthorizerSuccessPerSec"
+  val FailurePerSec = "AuthorizerFailurePerSec"
+  val DisabledPerSec = "AuthorizerDisabledPerSec"
+}
+
+class AuthorizerStats {
+  private val stats = new Pool[String, AuthorizerMetrics]
+
+  def allStats(action: Action, identity: String): AuthorizerMetrics = {
+    val resourceName = action.resourcePattern.name
+    val resourceType = action.resourcePattern.resourceType.toString
+    val operation = action.operation.toString
+
+    val identityStr = identity.replaceAll(",", "_").replaceAll("\\\\\\\\", "_").replaceAll("\\\\", "_")
+    val tags: scala.collection.Map[String, String] = Map("resource-name" -> resourceName, "resource-type" -> resourceType,
+      "operation" -> operation, "identity" -> identityStr)
+
+    val key = resourceName + resourceType + operation + identityStr
+    if (!stats.contains(key)) {
+      stats.put(key, new AuthorizerMetrics(tags))
+    }
+
+    stats.get(key)
+  }
+}
diff --git a/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipal.java b/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipal.java
@@ -82,7 +82,7 @@ public static KafkaPrincipal fromString(String str) {
 
     @Override
     public String toString() {
-        return principalType + ":" + name;
+        return this.principalType + ":" + this.name;
     }
 
     @Override

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@ public static KafkaPrincipal fromString(String str) {`
`82`	`82`
`83`	`83`	`@Override`
`84`	`84`	`public String toString() {`
`85`		`- return principalType + ":" + name;`
	`85`	`+ return this.principalType + ":" + this.name;`
`86`	`86`	`}`
`87`	`87`
`88`	`88`	`@Override`