feat: add scope enforcement metrics to RBAC authorizer#19991
ThomasK33 wants to merge 1 commit into
This was referenced Sep 26, 2025
This change introduces new Prometheus metrics to provide detailed insights into authorization decisions, particularly for API key scopes. These metrics help administrators understand why a request was allowed or denied by breaking down the outcome. The new metrics are:

- `coderd_authz_scope_enforcement_total`: Classifies each authorization request by its outcome (e.g., scope_allow, scope_deny, allow_list_deny) and resource type.
- `coderd_authz_scope_enforcement_duration_seconds`: Measures the latency of scope enforcement decisions.
- `coderd_authz_scope_allowlist_miss_total`: Tracks requests denied specifically due to a resource not being in a scope's allow-list.

To implement this efficiently, a new `scope_metrics` rule was added to the Rego policy. This allows the authorizer to gather detailed outcome information in a single evaluation, avoiding redundant computations. The documentation for Prometheus has been updated to include details and example queries for the new metrics.
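How a per-request breakdown of this kind can be turned into the outcome labels and counters the description names, as an added example that is not code from this PR or the coder repository: the `scopeDecision` fields, the `role_deny` label, the order in which the checks are applied, and the in-memory maps standing in for the Prometheus CounterVec types are all assumptions of this example.

```go
package main

// scopeDecision is an assumed stand-in for the per-request breakdown the PR's
// scope_metrics Rego rule returns in one evaluation; field names are this example's own.
type scopeDecision struct {
	ResourceType string
	RoleAllowed  bool // roles/ACL grant the action, independent of the scope
	ScopeAllowed bool // the API key scope grants the action
	HasAllowList bool // the scope restricts which resource IDs may be touched
	InAllowList  bool // the requested resource is one of them
}

// Classify assigns exactly one label per request. The ordering is an assumption (a
// request the roles already deny is not attributed to the scope or its allow-list);
// role_deny is an assumed label, the other three are the ones the PR names.
func Classify(d scopeDecision) string {
	switch {
	case !d.RoleAllowed:
		return "role_deny"
	case !d.ScopeAllowed:
		return "scope_deny"
	case d.HasAllowList && !d.InAllowList:
		return "allow_list_deny"
	}
	return "scope_allow"
}

// ScopeMetrics is an in-memory, single-goroutine stand-in for the two counters; a
// real authorizer registers a Prometheus CounterVec keyed by outcome and resource_type.
type ScopeMetrics struct {
	Enforcement   map[[2]string]int // {outcome, resource_type} -> coderd_authz_scope_enforcement_total
	AllowlistMiss map[string]int    // resource_type -> coderd_authz_scope_allowlist_miss_total
}

func NewScopeMetrics() *ScopeMetrics {
	return &ScopeMetrics{Enforcement: map[[2]string]int{}, AllowlistMiss: map[string]int{}}
}

// Record updates both series from one decision and returns the label it used.
func (m *ScopeMetrics) Record(d scopeDecision) string {
	outcome := Classify(d)
	m.Enforcement[[2]string{outcome, d.ResourceType}]++
	if outcome == "allow_list_deny" {
		m.AllowlistMiss[d.ResourceType]++ // the allow-list miss is the only reason this request was denied
	}
	return outcome
}
```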

Add scope enforcement metrics to RBAC authorizer
This PR adds detailed metrics to track scope enforcement decisions in the RBAC authorizer. It helps us understand why requests are allowed or denied, particularly focusing on scope-based decisions versus role or ACL-based decisions.
The changes include:
- `scopeDecision` struct to track detailed authorization outcomes
- `coderd_authz_scope_enforcement_total` - Counts requests by decision type
- `coderd_authz_scope_enforcement_duration_seconds` - Measures latency
- `coderd_authz_scope_allowlist_miss_total` - Tracks allow-list misses

These metrics will help us better understand authorization patterns and identify potential issues with scope configurations.