Store SIA user agent information in x509 certificate request table #2772
Conversation
rajeshal
force-pushed
the
index_sia_agent_reference
branch
2 times, most recently
from
c251cba
to
2eb5962
Compare
| @@ -208,6 +210,7 @@ public boolean updateX509CertRecord(X509CertRecord certRecord) throws ServerReso | |||
| ps.setString(10, certRecord.getProvider()); | |||
| ps.setString(11, certRecord.getInstanceId()); | |||
| ps.setString(12, certRecord.getService()); | |||
| ps.setString(13, certRecord.getSiaProvider()); | |||
There was a problem hiding this comment.
the sia provider is not the last component in the UPDATE command. It should be field 10 and then others are pushed back by 1.
can you also please review the test case for this method since this should have been caught by the unit tests.
servers/zts/schema/zts_server.sql
Outdated
| @@ -35,6 +35,7 @@ CREATE TABLE IF NOT EXISTS `zts_store`.`certificates` ( | |||
| `lastNotifiedServer` VARCHAR(512) NULL, | |||
| `expiryTime` DATETIME(3) NULL, | |||
| `hostName` VARCHAR(512) NULL, | |||
| `siaProvider` VARCHAR(256) NOT NULL, | |||
There was a problem hiding this comment.
These are the instructions for the ZMS schema but they apply to ZTS as well:
https://github.com/AthenZ/athenz/blob/master/servers/zms/schema/schema_update.md
rajeshal
force-pushed
the
index_sia_agent_reference
branch
3 times, most recently
from
a62daac
to
8a90860
Compare
| * @param request http servlet request | ||
| * @return SIA agent along with version, like 'SIA-FARGATE 1.32.0' | ||
| **/ | ||
| public static String getSiaAgent(final HttpServletRequest request) { |
There was a problem hiding this comment.
is there any reason why we want to maintain the full value of the agent including the version number? Why not just extract the value after SIA- and then our provider will be EKS, AWS, Fargate, etc so it's easier to index and just run queries. Otherwise you'll have SIA-EKS 1.52.0, SIA-EKS 1.53.0, etc.
There was a problem hiding this comment.
With the provider agent version it will give more flexibility in general to filter based on certain agent version. Since the version is at the end queries can still use fuzzy search in indexes.
Also will be scalable if another type of Service Identity Agent come into picture in addition to SIA
There was a problem hiding this comment.
If that is the case, then the field should be called userAgent and not siaProvider since the user agent is not provider. Not sure exactly what use cases you're referring to regarding the version number - that information is already in the access log file so no need to maintain it here. In fact, for a lot of lambda identities, we're gong to get something like 'Jersey/2.35 (Apache HttpClient 4.5.13)' so that's not useful at all.
We should keep our data clean and only save what we absolutely need. So we should get the agent, parse and only take agents with the format "SIA- ", extract the provider and save that value only. For all other cases, the provider will be empty and that should be excluded from any processing.
| PRIMARY KEY (`provider`, `instanceId`, `service`), | ||
| INDEX `idx_hostName` (`hostName` ASC)) | ||
| INDEX `idx_hostName` (`hostName` ASC) VISIBLE) |
There was a problem hiding this comment.
how did we get the VISIBLE flag here?
There was a problem hiding this comment.
It is mandatory for current version of MySQL Workbench
There was a problem hiding this comment.
So who ever touch a table via MySQL Workbench, it change the index with default value VISIBLE.
Since that is the default value, it should be fine as I don't think Athenz uses any indexes not to be used by optimizer.
Signed-off-by: rajeshal <rajeshal@yahooinc.com>
Signed-off-by: rajeshal <rajeshal@yahooinc.com>
Signed-off-by: rajeshal <rajeshal@yahooinc.com>
Signed-off-by: rajeshal <rajeshal@yahooinc.com>
Signed-off-by: rajeshal <rajeshal@yahooinc.com>
rajeshal
force-pushed
the
index_sia_agent_reference
branch
from
e4f33db
to
4127c74
Compare
Signed-off-by: rajeshal <rajeshal@yahooinc.com>
| @@ -45,6 +45,7 @@ public void testX509CertRecord() { | |||
| certRecord.setLastNotifiedTime(now); | |||
| certRecord.setExpiryTime(now); | |||
| certRecord.setSvcDataUpdateTime(now); | |||
| certRecord.setSiaProvider("SIA-EKS 1.52.0"); | |||
There was a problem hiding this comment.
let's update this test case to use cert.setSiaProvider("EKS") to be consistent with the implementation.
Signed-off-by: rajeshal <rajeshal@yahooinc.com>
Description
Contribution Checklist:
Attach Screenshots (Optional)