[v14] fix: trim large events in Athena querier #35483

Merged
merged 3 commits into from Dec 7, 2023

Conversation

nklaassen
Contributor

Backport #35402 to branch/v14

changelog: fix querying of large audit events with Athena backend

nklaassen and others added 3 commits December 7, 2023 02:12
Fixes #35161

Large events queried from the Athena audit backend will now be trimmed
before they are stored and before they are returned from a query
according to the existing TrimToMaxSize implementations for each event
type already used by the Dynamo and File backends.

The other backends typically trim the event before storing it; for
Dynamo this is due to the 400 KB item size limit, for the file backend
it's due to the 64 KiB bufio.MaxScanTokenSize.

There is no hard limit to events stored in Parquet files in S3, but
we've been using a 2 GiB limit in the publisher so far.
With this change we will attempt to trim events to 2 GiB before writing
them (if we haven't already run out of memory) instead of just failing.

We've also been using a 1 MiB limit in the querier and just returning an
empty result when an event larger than that is encountered.
With this change we will attempt to trim the event to 1 MiB before
returning it.
The 1 MiB limit ultimately stems from the 4 MB max gRPC message size.

We could just trim to 1 MiB in the publisher, but I'd prefer to preserve
as much of the event data as possible in case we improve the querying
story for large events in the future (and in case the user wants to
query the events directly from S3).
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
@github-actions github-actions bot added audit-log Issues related to Teleports Audit Log backport size/md labels Dec 7, 2023
@rosstimothy rosstimothy added this pull request to the merge queue Dec 7, 2023
Merged via the queue into branch/v14 with commit 926e4be Dec 7, 2023
26 checks passed
@rosstimothy rosstimothy deleted the bot/backport-35402-branch/v14 branch December 7, 2023 14:48