lifecycle: cleanup prometheus (#2972)

* remove high cardinality labels Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * retry worker number for prometheus multiprocess id Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * revert to pid, use subdirectories Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * cleanup more Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * use worker id based off of https://github.com/benoitc/gunicorn/issues/1352 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix missing app label Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * tests/e2e: remove static names Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-29 21:45:25 +02:00
parent 9f2529c886
commit 3eb466ff4b
19 changed files with 129 additions and 148 deletions
--- a/internal/outpost/flow/executor.go
+++ b/internal/outpost/flow/executor.go
@ -23,11 +23,11 @@ var (
 	FlowTimingGet = promauto.NewHistogramVec(prometheus.HistogramOpts{
 		Name: "authentik_outpost_flow_timing_get",
 		Help: "Duration it took to get a challenge",
-	}, []string{"stage", "flow", "client", "user"})
+	}, []string{"stage", "flow"})
 	FlowTimingPost = promauto.NewHistogramVec(prometheus.HistogramOpts{
 		Name: "authentik_outpost_flow_timing_post",
 		Help: "Duration it took to send a challenge",
-	}, []string{"stage", "flow", "client", "user"})
+	}, []string{"stage", "flow"})
 )

 type FlowExecutor struct {
@ -163,10 +163,8 @@ func (fe *FlowExecutor) solveFlowChallenge(depth int) (bool, error) {
 	gcsp.SetTag("authentik.flow.component", ch.GetComponent())
 	gcsp.Finish()
 	FlowTimingGet.With(prometheus.Labels{
-		"stage":  ch.GetComponent(),
-		"flow":   fe.flowSlug,
-		"client": fe.cip,
-		"user":   fe.Answers[StageIdentification],
+		"stage": ch.GetComponent(),
+		"flow":  fe.flowSlug,
 	}).Observe(float64(gcsp.EndTime.Sub(gcsp.StartTime)))

 	// Resole challenge
@ -230,10 +228,8 @@ func (fe *FlowExecutor) solveFlowChallenge(depth int) (bool, error) {
 		}
 	}
 	FlowTimingPost.With(prometheus.Labels{
-		"stage":  ch.GetComponent(),
-		"flow":   fe.flowSlug,
-		"client": fe.cip,
-		"user":   fe.Answers[StageIdentification],
+		"stage": ch.GetComponent(),
+		"flow":  fe.flowSlug,
 	}).Observe(float64(scsp.EndTime.Sub(scsp.StartTime)))

 	if depth >= 10 {
--- a/internal/outpost/ldap/bind.go
+++ b/internal/outpost/ldap/bind.go
@ -9,20 +9,17 @@ import (
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/outpost/ldap/bind"
 	"goauthentik.io/internal/outpost/ldap/metrics"
-	"goauthentik.io/internal/utils"
 )

 func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
 	req, span := bind.NewRequest(bindDN, bindPW, conn)
-
+	selectedApp := ""
 	defer func() {
 		span.Finish()
 		metrics.Requests.With(prometheus.Labels{
 			"outpost_name": ls.ac.Outpost.Name,
 			"type":         "bind",
-			"filter":       "",
-			"dn":           req.BindDN,
-			"client":       req.RemoteAddr(),
+			"app":          selectedApp,
 		}).Observe(float64(span.EndTime.Sub(span.StartTime)))
 		req.Log().WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Bind request")
 	}()
@ -39,6 +36,7 @@ func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LD
 	for _, instance := range ls.providers {
 		username, err := instance.binder.GetUsername(bindDN)
 		if err == nil {
+			selectedApp = instance.GetAppSlug()
 			return instance.binder.Bind(username, req)
 		} else {
 			req.Log().WithError(err).Debug("Username not for instance")
@ -49,8 +47,7 @@ func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LD
 		"outpost_name": ls.ac.Outpost.Name,
 		"type":         "bind",
 		"reason":       "no_provider",
-		"dn":           bindDN,
-		"client":       utils.GetIP(conn.RemoteAddr()),
+		"app":          "",
 	}).Inc()
 	return ldap.LDAPResultOperationsError, nil
 }
--- a/internal/outpost/ldap/bind/direct/direct.go
+++ b/internal/outpost/ldap/bind/direct/direct.go
@ -75,8 +75,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "invalid_credentials",
-			"dn":           req.BindDN,
-			"client":       req.RemoteAddr(),
+			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		req.Log().Info("Invalid credentials")
 		return ldap.LDAPResultInvalidCredentials, nil
@ -86,8 +85,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "flow_error",
-			"dn":           req.BindDN,
-			"client":       req.RemoteAddr(),
+			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		req.Log().WithError(err).Warning("failed to execute flow")
 		return ldap.LDAPResultOperationsError, nil
@ -100,8 +98,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "access_denied",
-			"dn":           req.BindDN,
-			"client":       req.RemoteAddr(),
+			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		return ldap.LDAPResultInsufficientAccessRights, nil
 	}
@ -110,8 +107,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "access_check_fail",
-			"dn":           req.BindDN,
-			"client":       req.RemoteAddr(),
+			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		req.Log().WithError(err).Warning("failed to check access")
 		return ldap.LDAPResultOperationsError, nil
@ -125,8 +121,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "user_info_fail",
-			"dn":           req.BindDN,
-			"client":       req.RemoteAddr(),
+			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		req.Log().WithError(err).Warning("failed to get user info")
 		return ldap.LDAPResultOperationsError, nil
--- a/internal/outpost/ldap/metrics/metrics.go
+++ b/internal/outpost/ldap/metrics/metrics.go
@ -15,11 +15,11 @@ var (
 	Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{
 		Name: "authentik_outpost_ldap_requests",
 		Help: "The total number of configured providers",
-	}, []string{"outpost_name", "type", "dn", "filter", "client"})
+	}, []string{"outpost_name", "type", "app"})
 	RequestsRejected = promauto.NewCounterVec(prometheus.CounterOpts{
 		Name: "authentik_outpost_ldap_requests_rejected",
 		Help: "Total number of rejected requests",
-	}, []string{"outpost_name", "type", "reason", "dn", "client"})
+	}, []string{"outpost_name", "type", "reason", "app"})
 )

 func RunServer() {
--- a/internal/outpost/ldap/search.go
+++ b/internal/outpost/ldap/search.go
@ -12,20 +12,17 @@ import (
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/outpost/ldap/metrics"
 	"goauthentik.io/internal/outpost/ldap/search"
-	"goauthentik.io/internal/utils"
 )

 func (ls *LDAPServer) Search(bindDN string, searchReq ldap.SearchRequest, conn net.Conn) (ldap.ServerSearchResult, error) {
 	req, span := search.NewRequest(bindDN, searchReq, conn)
-
+	selectedApp := ""
 	defer func() {
 		span.Finish()
 		metrics.Requests.With(prometheus.Labels{
 			"outpost_name": ls.ac.Outpost.Name,
 			"type":         "search",
-			"filter":       req.Filter,
-			"dn":           req.BindDN,
-			"client":       utils.GetIP(conn.RemoteAddr()),
+			"app":          selectedApp,
 		}).Observe(float64(span.EndTime.Sub(span.StartTime)))
 		req.Log().WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Search request")
 	}()
@ -50,6 +47,7 @@ func (ls *LDAPServer) Search(bindDN string, searchReq ldap.SearchRequest, conn n
 	for _, provider := range ls.providers {
 		providerBase, _ := goldap.ParseDN(strings.ToLower(provider.BaseDN))
 		if providerBase.AncestorOf(bd) || providerBase.Equal(bd) {
+			selectedApp = provider.GetAppSlug()
 			return provider.searcher.Search(req)
 		}
 	}
--- a/internal/outpost/ldap/search/direct/direct.go
+++ b/internal/outpost/ldap/search/direct/direct.go
@ -44,8 +44,7 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"outpost_name": ds.si.GetOutpostName(),
 			"type":         "search",
 			"reason":       "filter_parse_fail",
-			"dn":           req.BindDN,
-			"client":       req.RemoteAddr(),
+			"app":          ds.si.GetAppSlug(),
 		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", req.Filter)
 	}
@ -54,8 +53,7 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"outpost_name": ds.si.GetOutpostName(),
 			"type":         "search",
 			"reason":       "empty_bind_dn",
-			"dn":           req.BindDN,
-			"client":       req.RemoteAddr(),
+			"app":          ds.si.GetAppSlug(),
 		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: Anonymous BindDN not allowed %s", req.BindDN)
 	}
@ -64,8 +62,7 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"outpost_name": ds.si.GetOutpostName(),
 			"type":         "search",
 			"reason":       "invalid_bind_dn",
-			"dn":           req.BindDN,
-			"client":       req.RemoteAddr(),
+			"app":          ds.si.GetAppSlug(),
 		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ds.si.GetBaseDN())
 	}
@ -77,8 +74,7 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"outpost_name": ds.si.GetOutpostName(),
 			"type":         "search",
 			"reason":       "user_info_not_cached",
-			"dn":           req.BindDN,
-			"client":       req.RemoteAddr(),
+			"app":          ds.si.GetAppSlug(),
 		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied")
 	}
@ -90,8 +86,7 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"outpost_name": ds.si.GetOutpostName(),
 			"type":         "search",
 			"reason":       "filter_parse_fail",
-			"dn":           req.BindDN,
-			"client":       req.RemoteAddr(),
+			"app":          ds.si.GetAppSlug(),
 		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", req.Filter)
 	}
--- a/internal/outpost/ldap/search/memory/memory.go
+++ b/internal/outpost/ldap/search/memory/memory.go
@ -47,8 +47,7 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"outpost_name": ms.si.GetOutpostName(),
 			"type":         "search",
 			"reason":       "filter_parse_fail",
-			"dn":           req.BindDN,
-			"client":       req.RemoteAddr(),
+			"app":          ms.si.GetAppSlug(),
 		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", req.Filter)
 	}
@ -57,8 +56,7 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"outpost_name": ms.si.GetOutpostName(),
 			"type":         "search",
 			"reason":       "empty_bind_dn",
-			"dn":           req.BindDN,
-			"client":       req.RemoteAddr(),
+			"app":          ms.si.GetAppSlug(),
 		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: Anonymous BindDN not allowed %s", req.BindDN)
 	}
@ -67,8 +65,7 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"outpost_name": ms.si.GetOutpostName(),
 			"type":         "search",
 			"reason":       "invalid_bind_dn",
-			"dn":           req.BindDN,
-			"client":       req.RemoteAddr(),
+			"app":          ms.si.GetAppSlug(),
 		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ms.si.GetBaseDN())
 	}
@ -80,8 +77,7 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"outpost_name": ms.si.GetOutpostName(),
 			"type":         "search",
 			"reason":       "user_info_not_cached",
-			"dn":           req.BindDN,
-			"client":       req.RemoteAddr(),
+			"app":          ms.si.GetAppSlug(),
 		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied")
 	}
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@ -134,11 +134,9 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
 			metrics.Requests.With(prometheus.Labels{
 				"outpost_name": a.outpostName,
 				"type":         "app",
-				"scheme":       r.URL.Scheme,
 				"method":       r.Method,
-				"path":         r.URL.Path,
 				"host":         web.GetHost(r),
-				"user":         user,
+				"scheme":       r.URL.Scheme,
 			}).Observe(float64(after))
 		})
 	})
--- a/internal/outpost/proxyv2/application/mode_proxy.go
+++ b/internal/outpost/proxyv2/application/mode_proxy.go
@ -54,18 +54,11 @@ func (a *Application) configureProxy() error {
 		}()
 		after := time.Since(before)

-		user := ""
-		if claims != nil {
-			user = claims.Email
-		}
 		metrics.UpstreamTiming.With(prometheus.Labels{
 			"outpost_name":  a.outpostName,
 			"upstream_host": r.URL.Host,
-			"scheme":        r.URL.Scheme,
 			"method":        r.Method,
-			"path":          r.URL.Path,
 			"host":          web.GetHost(r),
-			"user":          user,
 		}).Observe(float64(after))
 	})
 	return nil
--- a/internal/outpost/proxyv2/handlers.go
+++ b/internal/outpost/proxyv2/handlers.go
@ -22,11 +22,8 @@ func (ps *ProxyServer) HandlePing(rw http.ResponseWriter, r *http.Request) {
 	metrics.Requests.With(prometheus.Labels{
 		"outpost_name": ps.akAPI.Outpost.Name,
 		"method":       r.Method,
-		"scheme":       r.URL.Scheme,
-		"path":         r.URL.Path,
 		"host":         web.GetHost(r),
 		"type":         "ping",
-		"user":         "",
 	}).Observe(float64(after))
 }

@ -37,11 +34,8 @@ func (ps *ProxyServer) HandleStatic(rw http.ResponseWriter, r *http.Request) {
 	metrics.Requests.With(prometheus.Labels{
 		"outpost_name": ps.akAPI.Outpost.Name,
 		"method":       r.Method,
-		"scheme":       r.URL.Scheme,
-		"path":         r.URL.Path,
 		"host":         web.GetHost(r),
-		"type":         "ping",
-		"user":         "",
+		"type":         "static",
 	}).Observe(float64(after))
 }

--- a/internal/outpost/proxyv2/metrics/metrics.go
+++ b/internal/outpost/proxyv2/metrics/metrics.go
@ -15,11 +15,11 @@ var (
 	Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{
 		Name: "authentik_outpost_proxy_requests",
 		Help: "The total number of configured providers",
-	}, []string{"outpost_name", "method", "scheme", "path", "host", "type", "user"})
+	}, []string{"outpost_name", "method", "scheme", "host", "type"})
 	UpstreamTiming = promauto.NewHistogramVec(prometheus.HistogramOpts{
 		Name: "authentik_outpost_proxy_upstream_time",
 		Help: "A summary of the duration we wait for the upstream reply",
-	}, []string{"outpost_name", "method", "scheme", "path", "host", "upstream_host", "user"})
+	}, []string{"outpost_name", "method", "scheme", "host", "upstream_host"})
 )

 func RunServer() {