pgwire,provisioning: align JWT auth logging and telemetry with LDAP

Previously, the JWT authentication flow lacked specific telemetry
counters for its provisioning process and had less verbose logging
compared to the LDAP authentication flow.

This was inadequate because it created an observability gap, making it
harder to monitor and debug JWT-specific authentication and
provisioning steps compared to the more mature LDAP implementation.

To address this, this patch introduces JWT-specific telemetry counters
for provisioning (`begin`, `success`, `enable`) and adds more detailed
logging messages at each stage of the `authJwtToken` flow
(provisioning, authentication, and authorization). The new logs and
metrics are modeled directly after the existing implementation for
LDAP, ensuring a consistent operational experience for both enterprise
authentication methods.

Release note: None

Author: shriramters

pkg/security/provisioning/settings.go

@@ -24,18 +24,28 @@ const (
 
 	baseCounterPrefix = "auth.provisioning."
 	ldapCounterPrefix = baseCounterPrefix + "ldap."
+	jwtCounterPrefix  = baseCounterPrefix + "jwt."
 
 	beginLDAPProvisionCounterName   = ldapCounterPrefix + "begin"
 	provisionLDAPSuccessCounterName = ldapCounterPrefix + "success"
 	enableLDAPProvisionCounterName  = ldapCounterPrefix + "enable"
 
+	beginJWTProvisionCounterName   = jwtCounterPrefix + "begin"
+	provisionJWTSuccessCounterName = jwtCounterPrefix + "success"
+	enableJWTProvisionCounterName  = jwtCounterPrefix + "enable"
+
 	provisionedUserLoginSuccessCounterName = baseCounterPrefix + "login_success"
 )
 
 var (
-	BeginLDAPProvisionUseCounter       = telemetry.GetCounterOnce(beginLDAPProvisionCounterName)
-	ProvisionLDAPSuccessCounter        = telemetry.GetCounterOnce(provisionLDAPSuccessCounterName)
-	enableLDAPProvisionCounter         = telemetry.GetCounterOnce(enableLDAPProvisionCounterName)
+	BeginLDAPProvisionUseCounter = telemetry.GetCounterOnce(beginLDAPProvisionCounterName)
+	ProvisionLDAPSuccessCounter  = telemetry.GetCounterOnce(provisionLDAPSuccessCounterName)
+	enableLDAPProvisionCounter   = telemetry.GetCounterOnce(enableLDAPProvisionCounterName)
+
+	BeginJWTProvisionUseCounter = telemetry.GetCounterOnce(beginJWTProvisionCounterName)
+	ProvisionJWTSuccessCounter  = telemetry.GetCounterOnce(provisionJWTSuccessCounterName)
+	enableJWTProvisionCounter   = telemetry.GetCounterOnce(enableJWTProvisionCounterName)
+
 	ProvisionedUserLoginSuccessCounter = telemetry.GetCounterOnce(provisionedUserLoginSuccessCounterName)
 )
 
@@ -99,5 +109,10 @@ func ClusterProvisioningConfig(settings *cluster.Settings) UserProvisioningConfi
 			telemetry.Inc(enableLDAPProvisionCounter)
 		}
 	})
+	jwtProvisioningEnabled.SetOnChange(&settings.SV, func(_ context.Context) {
+		if jwtProvisioningEnabled.Get(&settings.SV) {
+			telemetry.Inc(enableJWTProvisionCounter)
+		}
+	})
 	return clusterProvisioningConfig{settings: settings}
 }

pkg/sql/pgwire/auth_methods.go

@@ -860,6 +860,9 @@ func authJwtToken(
 	}
 
 	b.SetProvisioner(func(ctx context.Context) error {
+		c.LogAuthInfof(ctx, "Starting JWT provisioning; attempting to verify token")
+		telemetry.Inc(provisioning.BeginJWTProvisionUseCounter)
+
 		if validationErr != nil {
 			return validationErr
 		}
@@ -893,6 +896,8 @@ func authJwtToken(
 			c.LogAuthFailed(ctx, eventpb.AuthFailReason_PROVISIONING_ERROR, err)
 			return err
 		}
+
+		telemetry.Inc(provisioning.ProvisionJWTSuccessCounter)
 		return nil
 	})
 
@@ -905,6 +910,8 @@ func authJwtToken(
 			return err
 		}
 
+		c.LogAuthInfof(ctx, "JWT Provided; attempting to validate token for authentication")
+
 		// Validate the token and, if there's an error, log it with the correct reason.
 		if detailedErrors, authError := jwtVerifier.ValidateJWTLogin(
 			sctx, execCfg.Settings, user, []byte(token), identMap); authError != nil {
@@ -920,6 +927,8 @@ func authJwtToken(
 	})
 
 	b.SetAuthorizer(func(ctx context.Context, systemIdentity string, clientConnection bool) error {
+		c.LogAuthInfof(ctx, "JWT authentication succeeded; attempting authorization")
+
 		// Ask the CCL verifier for groups (nil slice means feature disabled).
 		groups, err := jwtVerifier.ExtractGroups(ctx, execCfg.Settings, []byte(token))
 		if err != nil {