author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-02-15 17:34:46 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-02-16 11:28:10 +0100 |
commit | 3527d1bb4128662e5aafd92ec98c6c0b629f5e3e (patch) | |
tree | 98fd5e6cc1596cddb72d98956cfd48b466d2dc24 | |
parent | 02013ebda915ec943f0d83ff1ca70b67852e534e (diff) |
Add metrics for capability checks
5 files changed, 57 insertions, 3 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/admin/monitoring/VespaMetricSet.java b/config-model/src/main/java/com/yahoo/vespa/model/admin/monitoring/VespaMetricSet.java index d83fd678af2..84b02dec20b 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/admin/monitoring/VespaMetricSet.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/admin/monitoring/VespaMetricSet.java @@ -10,7 +10,6 @@ import com.yahoo.metrics.Suffix; import java.util.Collections; import java.util.EnumSet; import java.util.LinkedHashSet; -import java.util.List; import java.util.Set; import static com.yahoo.metrics.Suffix.average; @@ -18,10 +17,10 @@ import static com.yahoo.metrics.Suffix.count; import static com.yahoo.metrics.Suffix.last; import static com.yahoo.metrics.Suffix.max; import static com.yahoo.metrics.Suffix.min; -import static com.yahoo.metrics.Suffix.sum; -import static com.yahoo.metrics.Suffix.rate; import static com.yahoo.metrics.Suffix.ninety_five_percentile; import static com.yahoo.metrics.Suffix.ninety_nine_percentile; +import static com.yahoo.metrics.Suffix.rate; +import static com.yahoo.metrics.Suffix.sum; import static com.yahoo.vespa.model.admin.monitoring.DefaultVespaMetrics.defaultVespaMetricSet; import static java.util.Collections.singleton; @@ -237,6 +236,9 @@ public class VespaMetricSet { addMetric(metrics, ContainerMetrics.SERVER_THREAD_POOL_SIZE, EnumSet.of(max, last)); // TODO: Remove on Vespa 9. Use jdisc.thread_pool.rejected_tasks. addMetric(metrics, ContainerMetrics.SERVER_ACTIVE_THREADS, EnumSet.of(min, max, sum, count, last)); // TODO: Remove on Vespa 9. Use jdisc.thread_pool.rejected_tasks. + addMetric(metrics, ContainerMetrics.JDISC_TLS_CAPABILITIES_SUCCEEDED.rate()); + addMetric(metrics, ContainerMetrics.JDISC_TLS_CAPABILITIES_FAILED.rate()); + return metrics; } 
diff --git a/container-core/src/main/java/com/yahoo/metrics/ContainerMetrics.java b/container-core/src/main/java/com/yahoo/metrics/ContainerMetrics.java index b96f65c4d56..1c9b9acae52 100644 --- a/container-core/src/main/java/com/yahoo/metrics/ContainerMetrics.java +++ b/container-core/src/main/java/com/yahoo/metrics/ContainerMetrics.java @@ -60,6 +60,9 @@ public enum ContainerMetrics implements VespaMetrics { JDISC_HTTP_FILTERING_RESPONSE_UNHANDLED("jdisc.http.filtering.response.unhandled", Unit.REQUEST, "Number of filtering responses unhandled"), JDISC_HTTP_HANDLER_UNHANDLED_EXCEPTIONS("jdisc.http.handler.unhandled_exceptions", Unit.REQUEST, "Number of unhandled exceptions in handler"), + JDISC_TLS_CAPABILITIES_SUCCEEDED("jdisc.tls.capabilities.succeeded", Unit.OPERATION, "Number of TLS capability checks succeeded"), + JDISC_TLS_CAPABILITIES_FAILED("jdisc.tls.capabilities.failed", Unit.OPERATION, "Number of TLS capability checks failed"), + JETTY_THREADPOOL_MAX_THREADS("jdisc.http.jetty.threadpool.thread.max", Unit.THREAD, "Configured maximum number of threads"), JETTY_THREADPOOL_MIN_THREADS("jdisc.http.jetty.threadpool.thread.min", Unit.THREAD, "Configured minimum number of threads"), JETTY_THREADPOOL_RESERVED_THREADS("jdisc.http.jetty.threadpool.thread.reserved", Unit.THREAD, "Configured number of reserved threads or -1 for heuristic"), diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/metric/MetricUpdater.java b/container-disc/src/main/java/com/yahoo/container/jdisc/metric/MetricUpdater.java index ae8e2bbbe48..e4e5dcf660c 100644 --- a/container-disc/src/main/java/com/yahoo/container/jdisc/metric/MetricUpdater.java +++ b/container-disc/src/main/java/com/yahoo/container/jdisc/metric/MetricUpdater.java 
@@ -7,6 +7,7 @@ import com.yahoo.jdisc.Metric; import com.yahoo.jdisc.statistics.ContainerWatchdogMetrics; import com.yahoo.metrics.ContainerMetrics; import com.yahoo.nativec.NativeHeap; +import com.yahoo.security.tls.TlsMetrics; import java.lang.management.BufferPoolMXBean; import java.lang.management.ManagementFactory; @@ -103,6 +104,7 @@ public class MetricUpdater extends AbstractComponent { private final GarbageCollectionMetrics garbageCollectionMetrics; private final JrtMetrics jrtMetrics; private final ThreadMXBean threadMXBean = ManagementFactory.getThreadMXBean(); + private TlsMetrics.Snapshot tlsMetricsSnapshot = TlsMetrics.Snapshot.EMPTY; public UpdaterTask(Metric metric, ContainerWatchdogMetrics containerWatchdogMetrics) { this.metric = metric; @@ -142,6 +144,14 @@ public class MetricUpdater extends AbstractComponent { metric.set("jdisc.jvm", Runtime.version().feature(), ctx); } + private void tlsMetrics() { + var newSnapshot = TlsMetrics.instance().snapshot(); + var diff = newSnapshot.changesSince(tlsMetricsSnapshot); + metric.set(ContainerMetrics.JDISC_TLS_CAPABILITIES_SUCCEEDED.baseName(), diff.capabilitiesSucceeded(), null); + metric.set(ContainerMetrics.JDISC_TLS_CAPABILITIES_FAILED.baseName(), diff.capabilitiesFailed(), null); + tlsMetricsSnapshot = newSnapshot; + } + @Override public void run() { long freeMemory = runtime.freeMemory(); diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java index f231e8429ce..d7ea93955af 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java 
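Review bot: The new private `tlsMetrics()` in `UpdaterTask` is never invoked. The third hunk shows `run()` only as trailing context, and the visible hunks account for all 57 insertions without a call site, so neither `jdisc.tls.capabilities.succeeded` nor `jdisc.tls.capabilities.failed` would be reported. Add `tlsMetrics();` inside `run()`, whose body continues outside the hunk. Separately, the values are published with `metric.set(...)` as per-interval deltas while the VespaMetricSet hunk exports them with `.rate()`; if rates are derived only from `metric.add` counts, which this diff does not show, these calls should use `metric.add` instead. Until the call exists, a denied capability check leaves a log line but no metric to alert on.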
@@ -49,6 +49,7 @@ public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain, if (capabilityMode == DISABLE) return; boolean hasCapabilities = capabilities.has(requiredCapabilities); if (!hasCapabilities) { + TlsMetrics.instance().incrementCapabilitiesFailed(); String msg = createPermissionDeniedErrorMessage(requiredCapabilities, action, resource, peer); if (capabilityMode == LOG_ONLY) { log.info(msg); @@ -57,6 +58,8 @@ public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain, log.fine(msg); throw new MissingCapabilitiesException(msg); } + } else { + TlsMetrics.instance().incrementCapabilitiesSucceeded(); } } diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsMetrics.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsMetrics.java new file mode 100644 index 00000000000..1e9561a5b82 --- /dev/null +++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsMetrics.java 
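Review bot: `incrementCapabilitiesFailed()` sits above the `capabilityMode == LOG_ONLY` branch, so a miss that is only logged and one that ends in `MissingCapabilitiesException` land in the same counter. An alert on `jdisc.tls.capabilities.failed` therefore cannot tell a log-only rollout from requests actually being rejected. If that is intended, say so at the call: `// counted in every mode except DISABLE; includes LOG_ONLY misses that are not rejected`. The early `return` for `DISABLE` also means neither counter moves in that mode. The method starts and ends outside the hunk.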
@@ -0,0 +1,36 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.security.tls;
+
+import java.util.concurrent.atomic.AtomicLong;
+
+/**
+ * @author bjorncs
+ */
+public class TlsMetrics {
+ private static final TlsMetrics instance = new TlsMetrics();
+
+ private final AtomicLong capabilitiesSucceeded = new AtomicLong(0);
+ private final AtomicLong capabilitiesFailed = new AtomicLong(0);
+
+ private TlsMetrics() {}
+
+ public static TlsMetrics instance() { return instance; }
+
+ void incrementCapabilitiesSucceeded() { capabilitiesSucceeded.incrementAndGet(); }
+ void incrementCapabilitiesFailed() { capabilitiesFailed.incrementAndGet(); }
+ public Snapshot snapshot() { return new Snapshot(this); }
+
+ public record Snapshot(long capabilitiesSucceeded, long capabilitiesFailed) {
+ public static final Snapshot EMPTY = new Snapshot(0, 0);
+ private Snapshot(TlsMetrics m) { this(m.capabilitiesSucceeded.get(), m.capabilitiesFailed.get()); }
+ public Diff changesSince(Snapshot previous) { return new Diff(this, previous); }
+ }
+
+ public record Diff(long capabilitiesSucceeded, long capabilitiesFailed) {
+ private Diff(Snapshot current, Snapshot previous) {
+ this(current.capabilitiesSucceeded - previous.capabilitiesSucceeded,
+ current.capabilitiesFailed - previous.capabilitiesFailed);
+ }
+ }
+} |
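Review bot: The class Javadoc holds only `@author`, and nothing states that this is a JVM-wide singleton whose counters only grow and are meant to be read as deltas between snapshots. I would add a summary such as `Process-wide counters for TLS capability check outcomes; consumers diff successive {@link Snapshot}s.` The private `Snapshot(TlsMetrics m)` constructor also deserves a comment, because the two `AtomicLong`s are read one after the other and a snapshot is not a consistent pair while checks run concurrently: `// counters are read independently; totals may be skewed by in-flight increments`.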