- Notifications
You must be signed in to change notification settings - Fork1k
feat: add scope enforcement metrics to RBAC authorizer#19991
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Closed
ThomasK33 wants to merge1 commit intothomask33/09-26-add_token_scope_support_in_clifromthomask33/09-26-add_detailed_scope_auth_metrics
Closed
+397 −27
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
This was referencedSep 26, 2025
MemberAuthor
ThomasK33 commentedSep 26, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Warning This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stackon Graphite.
This stack of pull requests is managed byGraphite. Learn more aboutstacking. |
9d9f50a toa7dd13bComparef277494 to51502b5Comparea7dd13b to8b7a31cCompare8b7a31c to7725526Compare51502b5 to9384a37Compare7725526 toe2539b7Compare968cd55 to23c8b74Comparee2539b7 to3bf5bf9Comparebf26332 tod817f31Comparefa49bdc tod7fcc25Compared7fcc25 toc4f8c2aCompareb076a30 tob020309Compare6ec4b94 tod9f66caCompare37cd2d3 to807fafeCompare11f6a63 to75d7b64Compare807fafe to7b72854Compare75d7b64 tof244193Compare7b72854 to5a425afCompare5a425af toe408ecfComparef244193 to2f3304eComparee408ecf toab2a24fCompare2f3304e to1dae22eCompareab2a24f to802b588Compare7eb739c todc96969Compare802b588 tocb61426CompareThis change introduces new Prometheus metrics to provide detailed insightsinto authorization decisions, particularly for API key scopes. Thesemetrics help administrators understand why a request was allowed ordenied by breaking down the outcome.The new metrics are:- `coderd_authz_scope_enforcement_total`: Classifies each authorization request by its outcome (e.g., scope_allow, scope_deny, allow_list_deny) and resource type.- `coderd_authz_scope_enforcement_duration_seconds`: Measures the latency of scope enforcement decisions.- `coderd_authz_scope_allowlist_miss_total`: Tracks requests denied specifically due to a resource not being in a scope's allow-list.To implement this efficiently, a new `scope_metrics` rule was added tothe Rego policy. This allows the authorizer to gather detailed outcomeinformation in a single evaluation, avoiding redundant computations.The documentation for Prometheus has been updated to include details andexample queries for the new metrics.
dc96969 to521c665Comparecb61426 to06d4957CompareSign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.
Labels
None yet
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add scope enforcement metrics to RBAC authorizer
This PR adds detailed metrics to track scope enforcement decisions in the RBAC authorizer. It helps us understand why requests are allowed or denied, particularly focusing on scope-based decisions versus role or ACL-based decisions.
The changes include:
scopeDecisionstruct to track detailed authorization outcomescoderd_authz_scope_enforcement_total- Counts requests by decision typecoderd_authz_scope_enforcement_duration_seconds- Measures latencycoderd_authz_scope_allowlist_miss_total- Tracks allow-list missesThese metrics will help us better understand authorization patterns and identify potential issues with scope configurations.