Hi Justin,
many thanks for your availability.
Sure, this kind of metric is protocol independent (I referred to MQTT because
it is the reference protocol for our scenario).
Below are some notes from my side:
* I think having success/failure counters for each and every different
  authorization permission (e.g. send, consume, browse, createDurableQueue,
  createAddress, etc.) would be valuable, because it would allow us to monitor,
  for example, the percentage of operations that failed due to authorization
  issues, category by category. If we can express some sort of
  preference/priority, based on our experience, I would start from:
  * connection (success/failure)
  * send (success/failure)
  * createAddress (success/failure)
  * createDurableQueue (success/failure)
  * createNonDurableQueue (success/failure)
  * consume (success/failure)
* Just to confirm my understanding about authentication/authorization metrics:
  in the negative scenario (i.e. failures) the authentication metrics should be
  related only to inconsistencies of the identity information provided by the
  client (e.g. expired client certificates), while authorization metrics would
  be related, for example, to missing grants for sending/consuming data... can
  you confirm that with the new metric we will be able to catch all these
  events?
* When you talk about cache, you refer to the authentication/authorization
  cache (as documented here:
  https://activemq.apache.org/components/artemis/documentation/latest/security.html),
  right? If this is the case, I think these metrics would be useful for
  understanding the performance, but maybe it could be more useful to start
  from the metrics highlighted in the first point.
Have a nice day,
Andrea
P.S.
If you open a Jira issue or create a PR for introducing the new
metrics, could you please send me the link (just to be able to understand
when the changes will be introduced)?
________________________________
From: Justin Bertram <[email protected]>
Sent: Tuesday, May 9, 2023 18:05
To: [email protected] <[email protected]>
Subject: Re: Metrics on Artemis for negative use cases
I do think metrics like this would be valuable. However, they wouldn't be
measured or presented specifically in the context of MQTT. They would be
general metrics for authn & authz for all protocols. Right now I'm thinking
of adding the following for both authentication and authorization:
- success count
- failure count
- cache hit count
- cache miss count
- cache size
This would be a total of 10 new metrics.
I could also add success/failure counts for each and every different
authorization permission (e.g. send, consume, browse, createDurableQueue,
createAddress, etc.), but that would be 20 additional metrics. Do you have
any thoughts or preferences regarding this?
Keep in mind that notifications [1] are sent for every authn & authz
failure so you can *already* set up something to monitor and alert if
necessary.
Justin
[1] https://activemq.apache.org/components/artemis/documentation/latest/management.html#management-notifications
On Tue, May 9, 2023 at 12:03 PM andrea bisogno <[email protected]> wrote:
> Hi support,
> do you have any info to share here?
> Many thanks in advance,
>
> Andrea
> ________________________________
> From: andrea bisogno <[email protected]>
> Sent: Thursday, April 27, 2023 08:54
> To: [email protected] <[email protected]>
> Subject: Metrics on Artemis for negative use cases
>
> Hi,
> I would need support for understanding if the Metrics offered by Artemis
> (as documented at
> https://activemq.apache.org/components/artemis/documentation/latest/metrics.html)
> cover the negative use cases too.
> I mean, it would be great to be able to trace:
>
> * the number of the MQTT connections failed due to authorization issues
> * the number of the messages not published due to authorization issues
> (e.g. no role for that user to send messages on a destination)
> * the number of the subscriptions failed due to authorization issues
> (e.g. no role for that user to subscribe to a destination)
>
> If these scenarios are currently not covered by the metrics, is it
> possible to add these in one of the next releases?
> Being able to trace also these negative scenarios could be very useful,
> for example for comparing how many MQTT connections succeeded and how many
> failed due to authorization issues.
>
> Many thanks in advance,
>
> Andrea
>