Separate bot users in auth events

Log separate metrics for bot authentications and user authentications. Continue to exclude mobu bot users from the bot authentication metrics.
lsst-sqre · Oct 28, 2024 · 7adb432 · 7adb432
1 parent ccf98e2
commit 7adb432
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 13 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,8 @@
 # Change log
 
-Gafaelfawr is versioned with [semver](https://semver.org/). Dependencies are updated to the latest available version during each release. Those changes are not noted here explicitly.
+Gafaelfawr is versioned with [semver](https://semver.org/). Changes to metrics and logging are not considered backwards-incompatible changes.
+
+Dependencies are updated to the latest available version during each release. Those changes are not noted here explicitly.
 
 Find changes for the upcoming release in the project's [changelog.d directory](https://github.com/lsst-sqre/gafaelfawr/tree/main/changelog.d/).
 

diff --git a/docs/_rst_epilog.rst b/docs/_rst_epilog.rst
@@ -2,6 +2,7 @@
 .. _ingress-nginx: https://kubernetes.github.io/ingress-nginx/
 .. _Keycloak: https://www.keycloak.org/
 .. _Kopf: https://kopf.readthedocs.io/en/stable/
+.. _mobu: https://mobu.lsst.io/
 .. _mypy: https://mypy.readthedocs.io/en/stable/
 .. _Phalanx: https://phalanx.lsst.io/
 .. _pre-commit: https://pre-commit.com

diff --git a/docs/user-guide/metrics.rst b/docs/user-guide/metrics.rst
@@ -15,8 +15,13 @@ Frontend metrics
 
 The following events are logged by the Gafaelfawr frontend:
 
-auth
-    A user was successfully authenticated to a service.
+auth_bot
+    A bot user was successfully authenticated to a service.
+    The username is present as the ``username`` tag.
+    The service name is present as the ``service`` tag, if known.
+
+auth_user
+    A non-bot user was successfully authenticated to a service.
     The username is present as the ``username`` tag.
     The service name is present as the ``service`` tag, if known.
 

diff --git a/src/gafaelfawr/events.py b/src/gafaelfawr/events.py
@@ -9,7 +9,8 @@
 __all__ = [
     "ActiveUserSessionsEvent",
     "ActiveUserTokensEvent",
-    "AuthEvent",
+    "AuthBotEvent",
+    "AuthUserEvent",
     "FrontendEvents",
     "LoginAttemptEvent",
     "LoginEnrollmentEvent",
@@ -78,10 +79,28 @@ async def initialize(self, manager: EventManager) -> None:
         )
 
 
-class AuthEvent(EventPayload):
-    """An authentication to a service.
+class AuthBotEvent(EventPayload):
+    """An authentication to a service by a bot user.
 
-    Authentications from mobu bot users are not logged via this event.
+    mobu_ bot users are still excluded from this metric, since those are not
+    relevant to the metrics we're trying to track.
+    """
+
+    username: str = Field(
+        ..., title="Username", description="Username of bot user"
+    )
+
+    service: str | None = Field(
+        None,
+        title="Service",
+        description="Service to which the user was authenticated",
+    )
+
+
+class AuthUserEvent(EventPayload):
+    """An authentication to a service by a user.
+
+    Bot users are not included in this metric.
     """
 
     username: str = Field(
@@ -161,7 +180,12 @@ class FrontendEvents(EventMaker):
     """
 
     async def initialize(self, manager: EventManager) -> None:
-        self.auth = await manager.create_publisher("auth", AuthEvent)
+        self.auth_bot = await manager.create_publisher(
+            "auth_bot", AuthBotEvent
+        )
+        self.auth_user = await manager.create_publisher(
+            "auth_user", AuthUserEvent
+        )
         self.login_attempt = await manager.create_publisher(
             "login_attempt", LoginAttemptEvent
         )

diff --git a/src/gafaelfawr/handlers/ingress.py b/src/gafaelfawr/handlers/ingress.py
@@ -26,7 +26,7 @@
 from ..constants import MINIMUM_LIFETIME
 from ..dependencies.auth import AuthenticateRead
 from ..dependencies.context import RequestContext, context_dependency
-from ..events import AuthEvent
+from ..events import AuthBotEvent, AuthUserEvent
 from ..exceptions import (
     ExternalUserInfoError,
     InsufficientScopeError,
@@ -37,7 +37,7 @@
 )
 from ..models.auth import AuthType, Satisfy
 from ..models.token import TokenData
-from ..util import is_mobu_bot_user
+from ..util import is_bot_user, is_mobu_bot_user
 
 router = APIRouter(route_class=SlackRouteErrorHandler)
 
@@ -359,11 +359,17 @@ async def get_auth(
     headers = await build_success_headers(context, auth_config, token_data)
     for key, value in headers:
         response.headers.append(key, value)
-    if not is_mobu_bot_user(token_data.username):
-        event = AuthEvent(
+    if is_bot_user(token_data.username):
+        if not is_mobu_bot_user(token_data.username):
+            bot_event = AuthBotEvent(
+                username=token_data.username, service=auth_config.service
+            )
+            await context.events.auth_bot.publish(bot_event)
+    else:
+        user_event = AuthUserEvent(
             username=token_data.username, service=auth_config.service
         )
-        await context.events.auth.publish(event)
+        await context.events.auth_user.publish(user_event)
     return {"status": "ok"}