Add a metric to track usage of API authentication methods

diff --git a/cookbooks/web/templates/default/apache.frontend.erb b/cookbooks/web/templates/default/apache.frontend.erb
index c3309cd23b6a671998e81f7bc7c445d5244a4ca6..00adb4b5983792f4d045ae943dc0f5d520926521 100644 (file)
--- a/cookbooks/web/templates/default/apache.frontend.erb
+++ b/cookbooks/web/templates/default/apache.frontend.erb
@@ -18,9 +18,12 @@
   #
   # Setup logging
   #
-  LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combined_with_time
+  SetEnvIfNoCase Authorization "^Basic " AUTH_METHOD=basic
+  SetEnvIfNoCase Authorization "^OAuth " AUTH_METHOD=oauth1
+  SetEnvIfExpr "%{QUERY_STRING} =~ /(^|&)oauth_signature=/" AUTH_METHOD=oauth1
+  SetEnvIfNoCase Authorization "^Bearer " AUTH_METHOD=oauth2
+  LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{AUTH_METHOD}e" combined_with_time
   CustomLog /var/log/apache2/access.log combined_with_time
-  CustomLog /var/log/apache2/basic.log combined_with_time "expr=%{HTTP:Authorization} =~ /^Basic/i"
   ErrorLog /var/log/apache2/error.log
 
   #

diff --git a/cookbooks/web/templates/default/api-statistics.erb b/cookbooks/web/templates/default/api-statistics.erb
index f894af5c42a70f90ab9897f669b6e26af227f109..297a2ef514f50a3e3a00523b8ab5480b90544958 100644 (file)
--- a/cookbooks/web/templates/default/api-statistics.erb
+++ b/cookbooks/web/templates/default/api-statistics.erb
@@ -19,7 +19,7 @@ def categorise_uri(line)
   end
 end
 
-parser = ApacheLogRegex.new('%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x')
+parser = ApacheLogRegex.new('%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{AUTH_METHOD}e')
 last_write = Time.now
 
 statistics = {
@@ -28,7 +28,8 @@ statistics = {
   :count => Hash.new(0),
   :bytes => Hash.new(0),
   :seconds => Hash.new(0.0),
-  :ssl => Hash.new(0)
+  :ssl => Hash.new(0),
+  :auth => Hash.new(0)
 }
 
 File::Tail::Logfile.tail("/var/log/apache2/access.log") do |line|
@@ -41,6 +42,7 @@ File::Tail::Logfile.tail("/var/log/apache2/access.log") do |line|
     seconds = hash["%Dus"].to_f / 1000000
     protocol = hash["%{SSL_PROTOCOL}x"]
     cipher = hash["%{SSL_CIPHER}x"]
+    auth = hash["%{AUTH_METHOD}e"]
 
     statistics[:status][status] += 1
     statistics[:uri][uri] += 1
@@ -48,6 +50,7 @@ File::Tail::Logfile.tail("/var/log/apache2/access.log") do |line|
     statistics[:bytes][[uri, status]] += bytes
     statistics[:seconds][[uri, status]] += seconds
     statistics[:ssl][[protocol, cipher]] += 1 unless protocol == "-"
+    statistics[:auth][auth] += 1 unless auth == "-"
   rescue ApacheLogRegex::ParseError
     # nil
   end
@@ -91,6 +94,13 @@ File::Tail::Logfile.tail("/var/log/apache2/access.log") do |line|
 
         file.puts "api_call_ssl_total{protocol=\"#{protocol}\",cipher=\"#{cipher}\"} #{value}"
       end
+
+      file.puts "# HELP api_call_auth_method_total Number of calls by authentication method"
+      file.puts "# TYPE api_call_auth_method_total counter"
+
+      statistics[:auth].each do |method, value|
+        file.puts "api_call_auth_method_total{method=\"#{method}\"} #{value}"
+      end
     end
 
     File.rename("/var/lib/prometheus/node-exporter/api.tmp", "/var/lib/prometheus/node-exporter/api.prom")