- Notifications
You must be signed in to change notification settings - Fork1k
feat: add scope enforcement metrics to RBAC authorizer#19991
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Draft
ThomasK33 wants to merge1 commit intothomask33/09-26-add_token_scope_support_in_cliChoose a base branch
base:thomask33/09-26-add_token_scope_support_in_cli
Could not load branches
Branch not found:{{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline, and old review comments may become outdated.
Draft
Uh oh!
There was an error while loading.Please reload this page.
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
This was referencedSep 26, 2025
MemberAuthor
ThomasK33 commentedSep 26, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Warning This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stackon Graphite.
This stack of pull requests is managed byGraphite. Learn more aboutstacking. |
9d9f50a toa7dd13bComparef277494 to51502b5Comparea7dd13b to8b7a31cCompare8b7a31c to7725526Compare51502b5 to9384a37Compare7725526 toe2539b7Compare968cd55 to23c8b74Comparee2539b7 to3bf5bf9Compare68d44a5 to364fa3fCompareEmyrk requested changesOct 1, 2025
Member
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I am hesitant to add a second rego query into ourauthorize.
Authz is used so much, we really need to be careful.
Before
BenchmarkRBACAuthorizeGroups/NoRolesGroupACL-16 28518 40845 ns/opBenchmarkRBACAuthorizeGroups/AdminGroupACL-16 6112 195361 ns/opBenchmarkRBACAuthorizeGroups/OrgAdminGroupACL-16 5356 234469 ns/opBenchmarkRBACAuthorizeGroups/OrgMemberGroupACL-16 10000 100159 ns/opBenchmarkRBACAuthorizeGroups/ManyRolesGroupACL-16 2281 499800 ns/opBenchmarkRBACAuthorizeGroups/ManyRolesCachedSubjectGroupACL-16 3020 371300 ns/opBenchmarkRBACAuthorizeGroups/AdminWithScopeGroupACL-16 5926 195747 ns/opBenchmarkRBACAuthorizeGroups/StaticRolesGroupACL-16 6212 196050 ns/opBenchmarkRBACAuthorizeGroups/StaticRolesWithCacheGroupACL-16 6204 192148 ns/opAfter
BenchmarkRBACAuthorizeGroups/NoRolesGroupACL-16 9763 110225 ns/opBenchmarkRBACAuthorizeGroups/AdminGroupACL-16 2893 424697 ns/opBenchmarkRBACAuthorizeGroups/OrgAdminGroupACL-16 2864 431330 ns/opBenchmarkRBACAuthorizeGroups/OrgMemberGroupACL-16 5791 208606 ns/opBenchmarkRBACAuthorizeGroups/ManyRolesGroupACL-16 1299 925884 ns/opBenchmarkRBACAuthorizeGroups/ManyRolesCachedSubjectGroupACL-16 1452 791876 ns/opBenchmarkRBACAuthorizeGroups/AdminWithScopeGroupACL-16 2835 410499 ns/opBenchmarkRBACAuthorizeGroups/StaticRolesGroupACL-16 2750 426986 ns/opBenchmarkRBACAuthorizeGroups/StaticRolesWithCacheGroupACL-16 2754 423130 ns/opBenchmarks fixed here:#20097
364fa3f tofa49bdcComparebf26332 tod817f31Comparefa49bdc tod7fcc25Compared7fcc25 toc4f8c2aCompareb076a30 tob020309Compare6ec4b94 tod9f66caCompare37cd2d3 to807fafeCompare11f6a63 to75d7b64Compare807fafe to7b72854Compare75d7b64 tof244193Compare7b72854 to5a425afCompare5a425af toe408ecfComparef244193 to2f3304eComparee408ecf toab2a24fCompare2f3304e to1dae22eCompareThis change introduces new Prometheus metrics to provide detailed insightsinto authorization decisions, particularly for API key scopes. Thesemetrics help administrators understand why a request was allowed ordenied by breaking down the outcome.The new metrics are:- `coderd_authz_scope_enforcement_total`: Classifies each authorization request by its outcome (e.g., scope_allow, scope_deny, allow_list_deny) and resource type.- `coderd_authz_scope_enforcement_duration_seconds`: Measures the latency of scope enforcement decisions.- `coderd_authz_scope_allowlist_miss_total`: Tracks requests denied specifically due to a resource not being in a scope's allow-list.To implement this efficiently, a new `scope_metrics` rule was added tothe Rego policy. This allows the authorizer to gather detailed outcomeinformation in a single evaluation, avoiding redundant computations.The documentation for Prometheus has been updated to include details andexample queries for the new metrics.
ab2a24f to802b588Compare1dae22e to7eb739cCompareSign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.
Labels
None yet
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add scope enforcement metrics to RBAC authorizer
This PR adds detailed metrics to track scope enforcement decisions in the RBAC authorizer. It helps us understand why requests are allowed or denied, particularly focusing on scope-based decisions versus role or ACL-based decisions.
The changes include:
scopeDecisionstruct to track detailed authorization outcomescoderd_authz_scope_enforcement_total- Counts requests by decision typecoderd_authz_scope_enforcement_duration_seconds- Measures latencycoderd_authz_scope_allowlist_miss_total- Tracks allow-list missesThese metrics will help us better understand authorization patterns and identify potential issues with scope configurations.