Skip to content

rbac: add counters to config dump #1536

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

rbac: add counters to config dump #1536

wants to merge 1 commit into from

Conversation

howardjohn
Copy link
Member 

rbac                    time:   [16.109 ms 16.223 ms 16.345 ms]
                        change: [-7.9751% -1.4256% +3.8734%] (p = 0.71 > 0.05)
                        No change in performance detected.

No perf impact as expected

This gives us

NAMESPACE    POLICY NAME                   ACTION SCOPE            HITS MISSES
default      httpbin                       Allow  Namespace        7    3
istio-system istio_converted_static_strict Deny   WorkloadSelector 2    10

@howardjohn howardjohn requested a review from a team as a code owner April 21, 2025 17:30
@istio-testing istio-testing added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Apr 21, 2025
howardjohn added a commit to howardjohn/istio that referenced this pull request Apr 21, 2025
@howardjohn
istioctl ztunnel: add counters to policies
cfa2cde 
Goes with istio/ztunnel#1536

```
NAMESPACE    POLICY NAME                   ACTION SCOPE            HITS MISSES
default      httpbin                       Allow  Namespace        7    3
istio-system istio_converted_static_strict Deny   WorkloadSelector 2    10
```
@howardjohn howardjohn mentioned this pull request Apr 21, 2025
Draft
ilrudie
ilrudie reviewed Apr 21, 2025
View reviewed changes
src/rbac.rs
Comment on lines +51 to +54
pub struct AuthzCounter {
hits: AtomicU64,
misses: AtomicU64,
}
Copy link
Contributor

@ilrudie ilrudie Apr 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hit and miss need to be understood relative to the kind of policy to make sense. hit a deny == denied. hit an allow == allowed. Would users be better served with "allows" and "denies" which inform them of a concrete result taken in association with this policy?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I worry an allow policy with deny: 123 looks alarming. Its not really a deny, its more like it failed to allow

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So if a policy doesn't match, miss/deny will be incremented, even if another policy later on allow or denies it?

Copy link
Contributor

@Stevenjin8 Stevenjin8 Apr 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also wonder if the order of operations might cause the stats to be confusing. For example, if there are multiple deny policies, but only one of them matches, then the order in which the deny policies are evaluated will affect the stats (assuming there is some short circuiting), which seems weird.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe a better say of saying this is, why do we need miss when we can just do total_requests - hit

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there is no total request counter for a policy

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean total request counter across for ztunnel in general

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That doesn't exist is the first issue. We could add it but it doesn't help the use case.
Miss means "policy applies to the request but does not match"

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok then only my second comment then: This doesn't seem to take into account short circuiting. Just because a policy could apply, short circuiting might mean that a counter doesn't get incremented, which might be the intended behavior

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ack, will need to fix that

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ilrudie ilrudie ilrudie left review comments

@Stevenjin8 Stevenjin8 Stevenjin8 left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@howardjohn @ilrudie @Stevenjin8 @istio-testing