Add initial condition parser for access monitoring rules #40659
Conversation
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
| return trace.Errorf("unexpected kind %s", kind) | ||
| } | ||
|
|
||
| req, ok := types.LegacyToResource153(event.Resource).(*accessmonitoringrulesv1.AccessMonitoringRule) |
There was a problem hiding this comment.
Do these resource kinds support expiration? If yes, this won't work because in those cases, the watch request is a pure metadata object
There was a problem hiding this comment.
No plans to have expiration on the access monitoring rules.
There was a problem hiding this comment.
If we have no plans, we need to forbid setting it.
By default, the backend service will use the resource.Metadata.Expires field as expiration which will cause troubles when dealing with resources deleted by the backend server.
Or better, let's just support here the correct resource from the watcher event stream for those cases and support anything the users want to do
There was a problem hiding this comment.
I think forbidding it sounds like it makes more sense to me, but I am unsure what you mean by supporting the correct resource from watcher event stream. Could you elaborate a bit on what that would mean?
There was a problem hiding this comment.
Generally each resource can have TTL set and I don't see why monitoring rules should be an exception.
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
4 similar comments
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
| return trace.Errorf("unexpected kind %s", kind) | ||
| } | ||
|
|
||
| req, ok := types.LegacyToResource153(event.Resource).(*accessmonitoringrulesv1.AccessMonitoringRule) |
There was a problem hiding this comment.
Generally each resource can have TTL set and I don't see why monitoring rules should be an exception.
There was a problem hiding this comment.
@EdwardDowling The implementation overall lgtm (as long as you and @kimlisa made sure everything works end to end) but I don't really see any test coverage here, only a couple modified tests. Can you add proper tests here that create and evaluate monitoring rules?
Also, we talked about making sure that monitoring rules should override plugin's default recipient. Is that a part of this PR?
The overwriting is handled in this PR, adding in more test coverage now. |
There was a problem hiding this comment.
@EdwardDowling I still don't see a proper integration test here but I don't want to block the delivery of this feature on it any longer. Can you make sure to add a full end-to-end test as a follow up?
api/proto/teleport/accessmonitoringrules/v1/access_monitoring_rules.proto
Outdated
Show resolved
Hide resolved
api/proto/teleport/accessmonitoringrules/v1/access_monitoring_rules_service.proto
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
@EdwardDowling We have about a week until we need to release this, can you add an integration test here? You guys tested it manually but lack of automated test coverage means it will regress very quickly.
EdwardDowling
force-pushed
the
edwarddowling/access-monitoring-rule-condition
branch
from
2a87f4b to
a048e9c
Compare
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
* Add initial condition parser for access monitoring rules * Update integrations/access/accessrequest/app.go Co-authored-by: Zac Bergquist <[email protected]> * Check previously unchecked error and minor refactor of AMR * Simplify check for applicable access monitoring rules * Refactor access monitoring rules plugin integration * Fix formating and move lock aquisition * Add methods for listing access monitoring rules with a filter * Add contains_any predicate expression func * Add in is_empty func to predicate expression * Lock AMR cache in plugins while getting initial rules * Add in check for access monitoring rule version * Update integrations/access/accessrequest/app.go Co-authored-by: Roman Tkachenko <[email protected]> * Update integrations/access/accessrequest/app.go Co-authored-by: Roman Tkachenko <[email protected]> * Move lock so it doesnt persist over api calls * Remove unused constant and add more context to logs * Appease linter * Update access monitoring rules tests to pass rule validation * Add in missing access monitoring rules list with filter code * Appease linter * Add back validation code for AMRs * Fix test plugin role and rename listaccessmonitoringrulewithfilter * Fix local test for AMR crud operations * Fix end range for listing rules * Fix unwrapping of resource153 event for monitoring rules * Refactor AMR cache init into helper function in plugin app * Add seperate response type for listAccessMonitoringRulesWithfilter * Add context to log for plugins failing to fetch recipients * Grab access monitoring rules cache under lock all at once * Add clarification for which fields are optional in listAMRfilter req * Update integrations/access/accessrequest/app.go Co-authored-by: Zac Bergquist <[email protected]> * Update integrations/access/accessrequest/app.go Co-authored-by: Zac Bergquist <[email protected]> * Add forEach to common recipient set * Move type check to after AMR event op switch * Move turn some default parser spec methods to funcs * Make some predicate func usable as methods as well * Add len func to common recipient sets * Add integration test for access monitoring rule and slack plugin * Fix error types and messages when handling AMRs * Use generic list resource with filter for AMR * Add test for generic listResourceWithFilter * Update listResourceWithFilter to use revision instead of id * Update generic tests to use revision instead of id * Fix linting --------- Co-authored-by: Zac Bergquist <[email protected]> Co-authored-by: Roman Tkachenko <[email protected]>
…2087) * Add initial condition parser for access monitoring rules * Update integrations/access/accessrequest/app.go * Check previously unchecked error and minor refactor of AMR * Simplify check for applicable access monitoring rules * Refactor access monitoring rules plugin integration * Fix formating and move lock aquisition * Add methods for listing access monitoring rules with a filter * Add contains_any predicate expression func * Add in is_empty func to predicate expression * Lock AMR cache in plugins while getting initial rules * Add in check for access monitoring rule version * Update integrations/access/accessrequest/app.go * Update integrations/access/accessrequest/app.go * Move lock so it doesnt persist over api calls * Remove unused constant and add more context to logs * Appease linter * Update access monitoring rules tests to pass rule validation * Add in missing access monitoring rules list with filter code * Appease linter * Add back validation code for AMRs * Fix test plugin role and rename listaccessmonitoringrulewithfilter * Fix local test for AMR crud operations * Fix end range for listing rules * Fix unwrapping of resource153 event for monitoring rules * Refactor AMR cache init into helper function in plugin app * Add seperate response type for listAccessMonitoringRulesWithfilter * Add context to log for plugins failing to fetch recipients * Grab access monitoring rules cache under lock all at once * Add clarification for which fields are optional in listAMRfilter req * Update integrations/access/accessrequest/app.go * Update integrations/access/accessrequest/app.go * Add forEach to common recipient set * Move type check to after AMR event op switch * Move turn some default parser spec methods to funcs * Make some predicate func usable as methods as well * Add len func to common recipient sets * Add integration test for access monitoring rule and slack plugin * Fix error types and messages when handling AMRs * Use generic list resource with filter for AMR * Add test for generic listResourceWithFilter * Update listResourceWithFilter to use revision instead of id * Update generic tests to use revision instead of id * Fix linting --------- Co-authored-by: Zac Bergquist <[email protected]> Co-authored-by: Roman Tkachenko <[email protected]>
Part of 3132
Adds parser for AMR conditions and enables additive recipients via the AMRs (Access monitoring rules)
Changelog: Add access monitoring rule routing for slack access plugin