Merge #150476

150476: provisioning: add usability counters for enabling ldap provisioning r=pritesh-lahoti a=souravcrl

fixes #148876
Epic CRDB-21590

Release note (security): The following provisioning usability metric counters were added for ldap based user provisioning.

* An enablement tracking counter for organizations enabling ldap provisioning (`auth.provisioning.ldap.enable`)
* A counter for number of organizations & tenants which have enabled ldap to auto-provision users(`auth.provisioning.ldap.begin`).
* A counter for the number of auto-provisioned users (`auth.provisioning.ldap.success`).
* A telemetry counter for number of logins performed by provisioned users (`auth.provisioning.login_success`).

Co-authored-by: souravcrl <[email protected]>

Author: craig[bot]

pkg/security/provisioning/BUILD.bazel

@@ -9,6 +9,7 @@ go_library(
     importpath = "github.com/cockroachdb/cockroach/pkg/security/provisioning",
     visibility = ["//visibility:public"],
     deps = [
+        "//pkg/server/telemetry",
         "//pkg/settings",
         "//pkg/settings/cluster",
         "@com_github_cockroachdb_errors//:errors",

pkg/security/provisioning/settings.go

@@ -6,6 +6,9 @@
 package provisioning
 
 import (
+	"context"
+
+	"github.com/cockroachdb/cockroach/pkg/server/telemetry"
 	"github.com/cockroachdb/cockroach/pkg/settings"
 	"github.com/cockroachdb/cockroach/pkg/settings/cluster"
 )
@@ -16,6 +19,22 @@ const (
 	testSupportedAuthMethodCertPassword = "cert-password"
 	baseProvisioningSettingName         = "security.provisioning."
 	ldapProvisioningEnableSettingName   = baseProvisioningSettingName + "ldap.enabled"
+
+	baseCounterPrefix = "auth.provisioning."
+	ldapCounterPrefix = baseCounterPrefix + "ldap."
+
+	beginLDAPProvisionCounterName   = ldapCounterPrefix + "begin"
+	provisionLDAPSuccessCounterName = ldapCounterPrefix + "success"
+	enableLDAPProvisionCounterName  = ldapCounterPrefix + "enable"
+
+	provisionedUserLoginSuccessCounterName = baseCounterPrefix + "login_success"
+)
+
+var (
+	BeginLDAPProvisionUseCounter       = telemetry.GetCounterOnce(beginLDAPProvisionCounterName)
+	ProvisionLDAPSuccessCounter        = telemetry.GetCounterOnce(provisionLDAPSuccessCounterName)
+	enableLDAPProvisionCounter         = telemetry.GetCounterOnce(enableLDAPProvisionCounterName)
+	ProvisionedUserLoginSuccessCounter = telemetry.GetCounterOnce(provisionedUserLoginSuccessCounterName)
 )
 
 // UserProvisioningConfig allows for customization of automatic user
@@ -59,7 +78,13 @@ func (c clusterProvisioningConfig) Enabled(authMethod string) bool {
 }
 
 // ClusterProvisioningConfig creates a UserProvisioningConfig backed by the
-// given cluster settings.
+// given cluster settings. It also installs a callback for changes to cluster
+// setting related to enablement of provisioning for different auth methods.
 func ClusterProvisioningConfig(settings *cluster.Settings) UserProvisioningConfig {
-	return clusterProvisioningConfig{settings}
+	ldapProvisioningEnabled.SetOnChange(&settings.SV, func(_ context.Context) {
+		if ldapProvisioningEnabled.Get(&settings.SV) {
+			telemetry.Inc(enableLDAPProvisionCounter)
+		}
+	})
+	return clusterProvisioningConfig{settings: settings}
 }

pkg/sql/pgwire/auth.go

@@ -15,7 +15,9 @@ import (
 
 	"github.com/cockroachdb/cockroach/pkg/clusterversion"
 	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/provisioning"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
+	"github.com/cockroachdb/cockroach/pkg/server/telemetry"
 	"github.com/cockroachdb/cockroach/pkg/sql"
 	"github.com/cockroachdb/cockroach/pkg/sql/lexbase"
 	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/hba"
@@ -151,7 +153,7 @@ func (c *conn) handleAuthentication(
 
 	// Check that the requested user exists and retrieve the hashed
 	// password in case password authentication is needed.
-	exists, canLoginSQL, _, canUseReplicationMode, isSuperuser, defaultSettings, roleSubject, _, pwRetrievalFn, err :=
+	exists, canLoginSQL, _, canUseReplicationMode, isSuperuser, defaultSettings, roleSubject, provisioningSource, pwRetrievalFn, err :=
 		sql.GetUserSessionInitInfo(
 			ctx,
 			execCfg,
@@ -173,7 +175,7 @@ func (c *conn) handleAuthentication(
 				ac.LogAuthFailed(ctx, eventpb.AuthFailReason_PROVISIONING_ERROR, err)
 				return connClose, c.sendError(ctx, pgerror.WithCandidateCode(err, pgcode.InvalidAuthorizationSpecification))
 			}
-			exists, canLoginSQL, _, canUseReplicationMode, isSuperuser, defaultSettings, roleSubject, _, pwRetrievalFn, err =
+			exists, canLoginSQL, _, canUseReplicationMode, isSuperuser, defaultSettings, roleSubject, provisioningSource, pwRetrievalFn, err =
 				sql.GetUserSessionInitInfo(
 					ctx,
 					execCfg,
@@ -266,6 +268,11 @@ func (c *conn) handleAuthentication(
 		}
 	}
 
+	// If user has PROVISIONSRC set, increment the login success counter
+	if provisioningSource != nil {
+		telemetry.Inc(provisioning.ProvisionedUserLoginSuccessCounter)
+	}
+
 	// Compute the authentication latency needed to serve a SQL query.
 	// The metric published is based on the authentication type.
 	duration := timeutil.Since(authStartTime).Nanoseconds()

pkg/sql/pgwire/auth_methods.go

@@ -19,6 +19,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/security/provisioning"
 	"github.com/cockroachdb/cockroach/pkg/security/sessionrevival"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
+	"github.com/cockroachdb/cockroach/pkg/server/telemetry"
 	"github.com/cockroachdb/cockroach/pkg/settings"
 	"github.com/cockroachdb/cockroach/pkg/settings/cluster"
 	"github.com/cockroachdb/cockroach/pkg/sql"
@@ -1055,6 +1056,7 @@ func AuthLDAP(
 
 	b.SetProvisioner(func(ctx context.Context) error {
 		c.LogAuthInfof(ctx, "LDAP authentication succeeded; attempting to provision user")
+		telemetry.Inc(provisioning.BeginLDAPProvisionUseCounter)
 		// Provision the user in the system.
 		idpString := entry.Method.String() + ":" + entry.GetOption("ldapserver")
 		provisioningSource, err := provisioning.ParseProvisioningSource(idpString)
@@ -1069,6 +1071,8 @@ func AuthLDAP(
 			c.LogAuthFailed(ctx, eventpb.AuthFailReason_PROVISIONING_ERROR, err)
 			return err
 		}
+
+		telemetry.Inc(provisioning.ProvisionLDAPSuccessCounter)
 		return nil
 	})