Skip to content

EXT-1423 audit trace merge stream-nb-25-1 #25948

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Sep 29, 2025
Merged

EXT-1423 audit trace merge stream-nb-25-1 #25948

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
98a9dfd
EXT-1423 added basic monitoring tests (#25538)
StekPerepolnen Sep 25, 2025
eedcc00
EXT-1423 added auth lwtrace (#25924)
StekPerepolnen Sep 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion ydb/core/mon/audit/audit.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,11 @@ bool TAuditCtx::AuditableRequest(const NHttp::THttpIncomingRequestPtr& request)
return true;
}

void TAuditCtx::InitAudit(const NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr& ev) {
void TAuditCtx::InitAudit(const NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr& ev, bool needAudit) {
if (!(Auditable = needAudit)) {
return;
}

const auto& request = ev->Get()->Request;
const TString method(request->Method);
const TString url(request->URL.Before('?'));
Expand Down
2 changes: 1 addition & 1 deletion ydb/core/mon/audit/audit.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ enum ERequestStatus {

class TAuditCtx {
public:
void InitAudit(const NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr& ev);
void InitAudit(const NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr& ev, bool needAudit = true);
void AddAuditLogParts(const TAuditParts& parts); // TODO: pass request context instead of audit log parts
void LogAudit(ERequestStatus status, const TString& reason, NKikimrConfig::TAuditConfig::TLogClassConfig::ELogPhase logPhase);
void LogOnReceived();
Expand Down
51 changes: 51 additions & 0 deletions ydb/core/mon/events_internal.h
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
#pragma once

#include <ydb/core/protos/mon.pb.h>

namespace NMonitoring::NPrivate {

struct TEvMon {
enum {
EvBegin = EventSpaceBegin(NActors::TEvents::ES_PRIVATE),

EvMonitoringRequest = EvBegin,
EvMonitoringResponse,
EvRegisterHandler,
EvMonitoringCancelRequest,
EvCleanupProxy,

End
};

static_assert(End < EventSpaceEnd(NActors::TEvents::ES_PRIVATE), "expect End < EventSpaceEnd(TEvents::ES_PRIVATE)");

struct TEvMonitoringRequest : NActors::TEventPB<TEvMonitoringRequest, NKikimrMonProto::TEvMonitoringRequest, EvMonitoringRequest> {
TEvMonitoringRequest() = default;
};

struct TEvMonitoringResponse : NActors::TEventPB<TEvMonitoringResponse, NKikimrMonProto::TEvMonitoringResponse, EvMonitoringResponse> {
TEvMonitoringResponse() = default;
};

struct TEvRegisterHandler : NActors::TEventLocal<TEvRegisterHandler, EvRegisterHandler> {
NActors::TMon::TRegisterHandlerFields Fields;

TEvRegisterHandler(const NActors::TMon::TRegisterHandlerFields& fields)
: Fields(fields)
{}
};

struct TEvMonitoringCancelRequest : NActors::TEventPB<TEvMonitoringCancelRequest, NKikimrMonProto::TEvMonitoringCancelRequest, EvMonitoringCancelRequest> {
TEvMonitoringCancelRequest() = default;
};

struct TEvCleanupProxy : NActors::TEventLocal<TEvCleanupProxy, EvCleanupProxy> {
TString Address;

TEvCleanupProxy(const TString& address)
: Address(address)
{}
};
};

} // namespace NMonitoring::NPrivate
96 changes: 47 additions & 49 deletions ydb/core/mon/mon.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
#include "mon.h"
#include "mon_impl.h"
#include "events_internal.h"
#include "counters_adapter_impl.h"

#include <ydb/core/base/appdata.h>
Expand Down Expand Up @@ -32,51 +33,10 @@

namespace NActors {

struct TEvMon {
enum {
EvMonitoringRequest = NActors::NMon::HttpInfo + 10,
EvMonitoringResponse,
EvRegisterHandler,
EvMonitoringCancelRequest,
EvCleanupProxy,
End
};

static_assert(EvMonitoringRequest > NMon::End, "expect EvMonitoringRequest > NMon::End");
static_assert(End < EventSpaceEnd(NActors::TEvents::ES_MON), "expect End < EventSpaceEnd(NActors::TEvents::ES_MON)");

struct TEvMonitoringRequest : TEventPB<TEvMonitoringRequest, NKikimrMonProto::TEvMonitoringRequest, EvMonitoringRequest> {
TEvMonitoringRequest() = default;
};

struct TEvMonitoringResponse : TEventPB<TEvMonitoringResponse, NKikimrMonProto::TEvMonitoringResponse, EvMonitoringResponse> {
TEvMonitoringResponse() = default;
};

struct TEvRegisterHandler : TEventLocal<TEvRegisterHandler, EvRegisterHandler> {
TMon::TRegisterHandlerFields Fields;

TEvRegisterHandler(const TMon::TRegisterHandlerFields& fields)
: Fields(fields)
{}
};

struct TEvMonitoringCancelRequest : TEventPB<TEvMonitoringCancelRequest, NKikimrMonProto::TEvMonitoringCancelRequest, EvMonitoringCancelRequest> {
TEvMonitoringCancelRequest() = default;
};

struct TEvCleanupProxy : TEventLocal<TEvCleanupProxy, EvCleanupProxy> {
TString Address;

TEvCleanupProxy(const TString& address)
: Address(address)
{}
};
};

namespace {

using namespace NKikimr;
using namespace NMonitoring::NPrivate;

bool HasJsonContent(NHttp::THttpIncomingRequest* request) {
if (request->Method == "POST") {
Expand Down Expand Up @@ -583,18 +543,20 @@ class THttpMonLegacyIndexRequest : public TActorBootstrapped<THttpMonLegacyIndex
NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr Event;
THttpMonRequestContainer Container;
NMonitoring::NAudit::TAuditCtx AuditCtx;
bool NeedAudit;

THttpMonLegacyIndexRequest(NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr event, NMonitoring::IMonPage* index)
THttpMonLegacyIndexRequest(NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr event, NMonitoring::IMonPage* index, bool needAudit = true)
: Event(std::move(event))
, Container(Event->Get()->Request, index)
, NeedAudit(needAudit)
{}

static constexpr NKikimrServices::TActivity::EType ActorActivityType() {
return NKikimrServices::TActivity::HTTP_MON_LEGACY_INDEX_REQUEST;
}

void Bootstrap() {
AuditCtx.InitAudit(Event);
AuditCtx.InitAudit(Event, NeedAudit);
ProcessRequest();
}

Expand Down Expand Up @@ -1249,12 +1211,14 @@ class THttpMonAuthorizedActorRequest : public TActorBootstrapped<THttpMonAuthori
// receives everyhing not related to actor communcation, converts them to request-actors
class THttpMonIndexService : public TActor<THttpMonIndexService> {
public:
THttpMonIndexService(const TActorId& httpProxyActorId, TIntrusivePtr<NMonitoring::TIndexMonPage> indexMonPage, TMon::TRequestAuthorizer authorizer, const TString& redirectRoot = {})
THttpMonIndexService(const TActorId& httpProxyActorId, TIntrusivePtr<NMonitoring::TIndexMonPage> indexMonPage,
TMon::TRequestAuthorizer authorizer, const TString& redirectRoot = {}, bool needMonLegacyAudit = true)
: TActor(&THttpMonIndexService::StateWork)
, HttpProxyActorId(httpProxyActorId)
, IndexMonPage(std::move(indexMonPage))
, Authorizer(std::move(authorizer))
, RedirectRoot(redirectRoot)
, NeedMonLegacyAudit(needMonLegacyAudit)
{
}

Expand Down Expand Up @@ -1349,7 +1313,7 @@ class THttpMonIndexService : public TActor<THttpMonIndexService> {
}
}

Register(new THttpMonLegacyIndexRequest(std::move(ev), IndexMonPage.Get()));
Register(new THttpMonLegacyIndexRequest(std::move(ev), IndexMonPage.Get(), NeedMonLegacyAudit));
}

void Handle(TEvMon::TEvRegisterHandler::TPtr& ev) {
Expand All @@ -1371,6 +1335,7 @@ class THttpMonIndexService : public TActor<THttpMonIndexService> {
std::unordered_map<TString, TMon::TRegisterHandlerFields> Handlers;
TMon::TRequestAuthorizer Authorizer;
TString RedirectRoot;
bool NeedMonLegacyAudit;
};


Expand All @@ -1380,6 +1345,36 @@ TMon::TMon(TConfig config)
{
}

void TMon::RegisterLwtrace() {
NLwTraceMonPage::RegisterPages(IndexMonPage.Get());
NLwTraceMonPage::ProbeRegistry().AddProbesList(LWTRACE_GET_PROBES(ACTORLIB_PROVIDER));
NLwTraceMonPage::ProbeRegistry().AddProbesList(LWTRACE_GET_PROBES(MONITORING_PROVIDER));

TVector<TString> monitoringAllowedSIDs;
NKikimr::TAppData* appData = ActorSystem->AppData<NKikimr::TAppData>();
if (appData) {
{
const auto& protoAllowedSIDs = appData->DomainsConfig.GetSecurityConfig().GetMonitoringAllowedSIDs();
for (const auto& sid : protoAllowedSIDs) {
monitoringAllowedSIDs.emplace_back(sid);
}
}
{
const auto& protoAllowedSIDs = appData->DomainsConfig.GetSecurityConfig().GetAdministrationAllowedSIDs();
for (const auto& sid : protoAllowedSIDs) {
monitoringAllowedSIDs.emplace_back(sid);
}
}
}

RegisterActorHandler({
.Path = "/trace",
.Handler = HttpAuthMonServiceActorId,
.UseAuth = true,
.AllowedSIDs = monitoringAllowedSIDs,
});
}

std::future<void> TMon::Start(TActorSystem* actorSystem) {
Y_ABORT_UNLESS(actorSystem);
TGuard<TMutex> g(Mutex);
Expand All @@ -1395,9 +1390,6 @@ std::future<void> TMon::Start(TActorSystem* actorSystem) {
Register(new NMonitoring::TBootstrapFontsSvgMonPage);
Register(new NMonitoring::TBootstrapFontsTtfMonPage);
Register(new NMonitoring::TBootstrapFontsWoffMonPage);
NLwTraceMonPage::RegisterPages(IndexMonPage.Get());
NLwTraceMonPage::ProbeRegistry().AddProbesList(LWTRACE_GET_PROBES(ACTORLIB_PROVIDER));
NLwTraceMonPage::ProbeRegistry().AddProbesList(LWTRACE_GET_PROBES(MONITORING_PROVIDER));
if (ActorSystem->AppData<NKikimr::TAppData>()) {
auto metricsRoot = NKikimr::GetServiceCounters(ActorSystem->AppData<NKikimr::TAppData>()->Counters, "utils")->GetSubgroup("subsystem", "mon");
Metrics = std::make_shared<TMetricFactoryForDynamicCounters>(std::move(metricsRoot));
Expand All @@ -1413,6 +1405,11 @@ std::future<void> TMon::Start(TActorSystem* actorSystem) {
new THttpMonIndexService(HttpProxyActorId, IndexMonPage, Config.Authorizer, Config.RedirectMainPageTo),
TMailboxType::ReadAsFilled,
executorPool);
HttpAuthMonServiceActorId = ActorSystem->Register(
new THttpMonIndexService(HttpMonServiceActorId, IndexMonPage, Config.Authorizer, Config.RedirectMainPageTo, false),
TMailboxType::ReadAsFilled,
executorPool);
RegisterLwtrace();
auto nodeProxyActorId = ActorSystem->Register(
new THttpMonServiceNodeProxy(HttpProxyActorId),
TMailboxType::ReadAsFilled,
Expand Down Expand Up @@ -1464,6 +1461,7 @@ void TMon::Stop() {
}
ActorSystem->Send(NodeProxyServiceActorId, new TEvents::TEvPoisonPill);
ActorSystem->Send(HttpMonServiceActorId, new TEvents::TEvPoisonPill);
ActorSystem->Send(HttpAuthMonServiceActorId, new TEvents::TEvPoisonPill);
ActorSystem->Send(HttpProxyActorId, new TEvents::TEvPoisonPill);
ActorSystem = nullptr;
}
Expand Down
2 changes: 2 additions & 0 deletions ydb/core/mon/mon.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ class TMon {

void Register(NMonitoring::IMonPage* page);
NMonitoring::TIndexMonPage* RegisterIndexPage(const TString& path, const TString& title);
void RegisterLwtrace();

struct TRegisterActorPageFields {
TString Title;
Expand Down Expand Up @@ -97,6 +98,7 @@ class TMon {
TActorSystem* ActorSystem = {};
TActorId HttpProxyActorId;
TActorId HttpMonServiceActorId;
TActorId HttpAuthMonServiceActorId;
TActorId NodeProxyServiceActorId;

struct TActorMonPageInfo {
Expand Down
Loading
Loading