[Audit Logging] Audit logging config translation by rbac service config parser #33145
Automated fix for refs/heads/service-config-parser
Automated fix for refs/heads/stdout-logger
One question, otherwise looks good.
Though I am certainly no JSON C++ expert, the code makes logical sense at least :)
This looks good overall! There are some details to address, though.
Please let me know if you have any questions. Thanks!
src/core/lib/security/authorization/grpc_authorization_engine.h
…o service-config-parser
Looks great! Feel free to merge after addressing the remaining comments.
@@ -200,7 +200,7 @@ struct RbacConfig { | |||
int action; | |||
std::map<std::string, Policy> policies; | |||
// Defaults to 0 since its json field is optional. |
s/0/kNone/
Done.
EXPECT_EQ(logger_configs_.find("test_logger")->second, "{\"foo\":\"bar\"}"); | ||
const auto& loggers = | ||
parsed_rbac_config->authorization_engine(0)->audit_loggers(); | ||
ASSERT_EQ(loggers.size(), 2); |
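Review bot: On the first line, `logger_configs_.find("test_logger")->second` dereferences the result of `find()` without comparing it to `end()`, so if the key is missing the test hits undefined behaviour instead of reporting a failure. Assuming `logger_configs_` is a map-like container, either assert the lookup first (for example `ASSERT_NE(it, logger_configs_.end());` on a stored iterator) or check the entry with `EXPECT_THAT(logger_configs_, ::testing::Contains(::testing::Pair("test_logger", "{\"foo\":\"bar\"}")));`.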
Suggest writing this as:

    EXPECT_THAT(
        loggers,
        ::testing::ElementsAre(
            ::testing::Property(&AuditLogger::name, "stdout_logger"),
            ::testing::Property(&AuditLogger::name, kLoggerName)));
Done. I had to use

    EXPECT_THAT(parsed_rbac_config->authorization_engine(0)->audit_loggers(),
                ::testing::ElementsAre(::testing::Pointee(::testing::Property(
                                           &AuditLogger::name, "stdout_logger")),
                                       ::testing::Pointee(::testing::Property(
                                           &AuditLogger::name, kLoggerName))));

because the vector stores unique pointers.
…ig parser (#33145) This translates the service config from HTTP RBAC filter into the rbac policy, which is used to construct authorization engines.
…t logging (grpc#33183) This is basically the same as grpc#33145 except that the ctor `Rules()` cannot be default but has to explicitly set a default audit condition.