feat(proxy): emit JWT auth method and JWT issuer in parquet logs (#9971)

Fix the HTTP AuthMethod to accomodate the JWT authorization method. Introduces the JWT issuer as an additional field in the parquet logs
2026-05-24 16:40:38 +00:00 · 2024-12-02 17:54:32 +00:00
parent a0cd64c4d3
commit 32ba9811f9
5 changed files with 49 additions and 30 deletions
--- a/proxy/src/context/mod.rs
+++ b/proxy/src/context/mod.rs
@@ -57,6 +57,7 @@ struct RequestContextInner {
    application: Option<SmolStr>,
    error_kind: Option<ErrorKind>,
    pub(crate) auth_method: Option<AuthMethod>,
+    jwt_issuer: Option<String>,
    success: bool,
    pub(crate) cold_start_info: ColdStartInfo,
    pg_options: Option<StartupMessageParams>,
@@ -79,6 +80,7 @@ pub(crate) enum AuthMethod {
    ScramSha256,
    ScramSha256Plus,
    Cleartext,
+    Jwt,
 }

 impl Clone for RequestContext {
@@ -100,6 +102,7 @@ impl Clone for RequestContext {
            application: inner.application.clone(),
            error_kind: inner.error_kind,
            auth_method: inner.auth_method.clone(),
+            jwt_issuer: inner.jwt_issuer.clone(),
            success: inner.success,
            rejected: inner.rejected,
            cold_start_info: inner.cold_start_info,
@@ -148,6 +151,7 @@ impl RequestContext {
            application: None,
            error_kind: None,
            auth_method: None,
+            jwt_issuer: None,
            success: false,
            rejected: None,
            cold_start_info: ColdStartInfo::Unknown,
@@ -246,6 +250,11 @@ impl RequestContext {
        this.auth_method = Some(auth_method);
    }

+    pub(crate) fn set_jwt_issuer(&self, jwt_issuer: String) {
+        let mut this = self.0.try_lock().expect("should not deadlock");
+        this.jwt_issuer = Some(jwt_issuer);
+    }
+
    pub fn has_private_peer_addr(&self) -> bool {
        self.0
            .try_lock()
--- a/proxy/src/context/parquet.rs
+++ b/proxy/src/context/parquet.rs
@@ -87,6 +87,8 @@ pub(crate) struct RequestData {
    branch: Option<String>,
    pg_options: Option<String>,
    auth_method: Option<&'static str>,
+    jwt_issuer: Option<String>,
+
    error: Option<&'static str>,
    /// Success is counted if we form a HTTP response with sql rows inside
    /// Or if we make it to proxy_pass
@@ -138,7 +140,9 @@ impl From<&RequestContextInner> for RequestData {
                super::AuthMethod::ScramSha256 => "scram_sha_256",
                super::AuthMethod::ScramSha256Plus => "scram_sha_256_plus",
                super::AuthMethod::Cleartext => "cleartext",
+                super::AuthMethod::Jwt => "jwt",
            }),
+            jwt_issuer: value.jwt_issuer.clone(),
            protocol: value.protocol.as_str(),
            region: value.region,
            error: value.error_kind.as_ref().map(|e| e.to_metric_label()),
@@ -519,6 +523,7 @@ mod tests {
            branch: Some(hex::encode(rng.gen::<[u8; 16]>())),
            pg_options: None,
            auth_method: None,
+            jwt_issuer: None,
            protocol: ["tcp", "ws", "http"][rng.gen_range(0..3)],
            region: "us-east-1",
            error: None,
@@ -599,15 +604,15 @@ mod tests {
        assert_eq!(
            file_stats,
            [
-                (1312632, 3, 6000),
-                (1312621, 3, 6000),
-                (1312680, 3, 6000),
-                (1312637, 3, 6000),
-                (1312773, 3, 6000),
-                (1312610, 3, 6000),
-                (1312404, 3, 6000),
-                (1312639, 3, 6000),
-                (437848, 1, 2000)
+                (1313105, 3, 6000),
+                (1313094, 3, 6000),
+                (1313153, 3, 6000),
+                (1313110, 3, 6000),
+                (1313246, 3, 6000),
+                (1313083, 3, 6000),
+                (1312877, 3, 6000),
+                (1313112, 3, 6000),
+                (438020, 1, 2000)
            ]
        );

@@ -639,11 +644,11 @@ mod tests {
        assert_eq!(
            file_stats,
            [
-                (1203465, 5, 10000),
-                (1203189, 5, 10000),
-                (1203490, 5, 10000),
-                (1203475, 5, 10000),
-                (1203729, 5, 10000)
+                (1204324, 5, 10000),
+                (1204048, 5, 10000),
+                (1204349, 5, 10000),
+                (1204334, 5, 10000),
+                (1204588, 5, 10000)
            ]
        );

@@ -668,15 +673,15 @@ mod tests {
        assert_eq!(
            file_stats,
            [
-                (1312632, 3, 6000),
-                (1312621, 3, 6000),
-                (1312680, 3, 6000),
-                (1312637, 3, 6000),
-                (1312773, 3, 6000),
-                (1312610, 3, 6000),
-                (1312404, 3, 6000),
-                (1312639, 3, 6000),
-                (437848, 1, 2000)
+                (1313105, 3, 6000),
+                (1313094, 3, 6000),
+                (1313153, 3, 6000),
+                (1313110, 3, 6000),
+                (1313246, 3, 6000),
+                (1313083, 3, 6000),
+                (1312877, 3, 6000),
+                (1313112, 3, 6000),
+                (438020, 1, 2000)
            ]
        );

@@ -713,7 +718,7 @@ mod tests {
        // files are smaller than the size threshold, but they took too long to fill so were flushed early
        assert_eq!(
            file_stats,
-            [(657696, 2, 3001), (657410, 2, 3000), (657206, 2, 2999)]
+            [(658014, 2, 3001), (657728, 2, 3000), (657524, 2, 2999)]
        );

        tmpdir.close().unwrap();