Add a notion of "deprecated group" to chrome-infra-auth |
|||
Issue descriptionIt's a boolean flag on a group that gets propagated to all services that use AuthDB. If a service uses such deprecated group during ACL lookup, it spits out an ominous warning in logs. Bonus points if it also dials back to chrome-infra-auth and reports that the group was used. The idea is to have at least some visibility into whether it is safe delete a group or not.
,
Dec 14 2017
By tsmon you mean introduce a counter "used_in_lookups" with metric field "group"? That's a good idea. Two concerns: * I'm slightly worried about performance, tsmon metric implementation is kind of slow if metrics are updated from tight loops (and group look up code is pretty tight). * For infrequently used groups we may miss single monitoring blip. It can get eaten by retention policies before we notice it. I think BQ in a form of eventmon is too heavy for this (we'll have to vendor a lot of libraries everywhere, then maintain ACLs and consistently use BQ table schema across all apps). Dialing back is simpler.
,
Jan 2 2018
,
Jan 3
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||
►
Sign in to add a comment |
|||
Comment 1 by tandrii@chromium.org
, Dec 14 2017