feat(core): Prefer deferred log events to better track failure #2969
Conversation
github-actions
bot
added
comp:policy
Summary of ChangesHello @dmihalcik-virtru, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly refactors the audit logging mechanism to improve the reliability and completeness of audit trails. By introducing a deferred logging pattern, audit events are now created early in a request's execution and progressively updated with relevant information as the operation proceeds. The final log entry is then emitted only when the operation concludes, whether successfully or with an error, or if the request is cancelled. This change ensures that audit logs accurately reflect the full state and outcome of each request, providing more robust tracking and debugging capabilities. Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. A log begun, then held in wait, Context gathered, sealed by fate. Defer's embrace, a watchful eye, To track the truth, 'til tasks pass by. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a significant and valuable refactoring to use deferred audit log events, which will improve failure tracking, especially for cancelled or timed-out requests. The implementation of the deferred event pattern is well-executed across the majority of the services. I've identified one high-severity issue where successful operations might be incorrectly audited as 'cancelled' if a subsequent operation in the same request panics. I've also noted a minor misuse of the new pattern in one location that could be simplified for better clarity. Overall, this is a solid improvement to the auditing mechanism.
| auditEvent := s.logger.Audit.PolicyCRUD(ctx, auditParams) | ||
| auditEvent.Success(scs) | ||
| auditEvent.Log() |
There was a problem hiding this comment.
The call to auditEvent.Log() here is redundant. auditEvent.Success(scs) has already marked the event as complete and queued it for logging within the current audit transaction. The Log() method is primarily intended for use with defer to handle cases where an operation might fail before Success() is called. Since the database operation has already completed successfully and you are just logging the results, the explicit Log() call is not needed and can be removed for clarity.
| auditEvent := s.logger.Audit.PolicyCRUD(ctx, auditParams) | |
| auditEvent.Success(scs) | |
| auditEvent.Log() | |
| auditEvent := s.logger.Audit.PolicyCRUD(ctx, auditParams) | |
| auditEvent.Success(scs) |
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
|
If a request times out or is canceled, there is no response given back to the requestor. It seems like there are some audit events where audit-worthy things could have happened (i.e. policy write mutations) without a response, but the most critical audit events around decisions and rewraps have no meaning to clients without a response received back. In essence, those two events arguably never happened without a response because the client action is so dependent upon the response. Should there be any distinction made for this case? |
This is only true in kind circumstances. Response delivery, and ACK of that delivery (in TCP) are not atomic. It is possible for someone to receive a response, fail to ack it, then close the connection. |
These new audit methods allow properly registering an event as going-to-happen, so that they are properly logged in the event of a cancellation or panic.
prompt: There seems to be some code duplication with the different audit types (DeferredX). Is there an idiomatic way in go to combine them?
dmihalcik-virtru
force-pushed
the
DSPX-2007-advanced-audacity
branch
from
ec479d1 to
d948ad6
Compare
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
I'm guessing claude hasn't gotten the memo about generics yet (like the rest of us)
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces a new 'deferred audit event' pattern to enhance the robustness and consistency of audit logging across the codebase. The core change involves creating a new deferred.go file that defines generic deferred event handling and specific types for PolicyCRUD, Rewrap, and Decision events. This pattern leverages Go's defer mechanism to guarantee that audit events are logged even in the presence of errors, panics, or context cancellations, and allows for progressive enrichment of event parameters before final logging. Existing direct audit logging calls (e.g., PolicyCRUDSuccess, PolicyCRUDFailure, GetDecision) are replaced with this new deferred approach across various policy services and authorization logic. The GetDecision and GetDecisionV2 methods in the main logger are deprecated, with their logic moved to internal base methods. Additionally, the ConvertToAuditKasPolicy function now returns a pointer. Review comments identified that the UpdatePolicy method in RewrapEvent and the UpdateEntitlements and UpdateEntityDecisions methods in GetDecisionEvent are not thread-safe and lack checks for event completion, which violates the documented contract of the deferred event pattern. The reviewer suggested adding mutex locks and completion checks to these methods to prevent potential data races or panics.
jentfoo
left a comment
jentfoo
left a comment
There was a problem hiding this comment.
Overall this looks like a step in the right direction, however I believe there may still be an issue because the potentially canceled context still gets passed to the logger here: https://github.com/opentdf/platform/blob/main/service/logger/audit/contextServerInterceptor.go#L66-L74
I think the easiest solution is to just ensure we wrap the context to avoid the cancel using WithoutCancel: https://pkg.go.dev/context#WithoutCancel
There were systematic places where we were updating auditParams after copying them to the event. This updates those calls to use explicit Updater methods on the event objet.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Proposed Changes
audit.Eventobjects, which in turn have their own log method.Checklist
Testing Instructions